2022-014: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan

Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0

Benefit Programs does not oversee its subrecipient monitoring activities to ensure they are conducted in accordance with its monitoring plan. During the fiscal year, Benefit Programs disbursed approximately $312 million in subaward payments from the Supplemental Nutrition Assistance Program (SNAP) and Medicaid Clusters and the LIHEAP and TANF federal grant programs. During the audit, we noted the following deviations from Benefit Programs' monitoring plan:

• Benefit Programs created a monitoring plan to comply with Social Services' Agency Monitoring Plan. However, the regional consultants who perform subrecipient monitoring created their own monitoring schedules, which were not consistent with Benefit Programs' monitoring schedule.
• Benefit Programs did not confirm that the fiscal year 2022 monitoring review records uploaded to its data repository were complete. Missing records included agency notification letters, case selection samples, and subrecipient monitoring checklists.
• At the beginning of audit fieldwork, the data repository did not contain all subrecipient monitoring reviews performed during the fiscal year. The Subrecipient Monitoring Coordinator subsequently obtained and uploaded the remaining reviews to Benefit Programs' data repository. At the time of the audit, the repository included only the following reviews:
  o 12 of 25 (48%) reviews performed for the LIHEAP federal grant program;
  o 22 of 73 (30%) reviews performed for the SNAP Cluster;
  o 13 of 62 (21%) reviews performed for the Medicaid Cluster; and
  o nine of 62 (15%) reviews performed for the TANF federal grant program.

In addition, Benefit Programs completed only 25 of the 67 (37%) scheduled reviews for the LIHEAP federal grant program.

Benefit Programs did not identify these issues because its monitoring plan did not clearly delineate who was responsible for overseeing subrecipient monitoring activities. As a result, no one in Benefit Programs was overseeing those activities.

Title 2 CFR § 200.332(d) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conduct monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with 2 CFR § 200.332(d).

In March 2022, Benefit Programs created a Subrecipient Monitoring Coordinator position to oversee its monitoring activities. The Subrecipient Monitoring Coordinator is working with Benefit Programs' Associate Director for Operations and Support to confirm that Benefit Programs' monitoring plan meets federal requirements. Benefit Programs should continue its efforts to confirm that it conducts monitoring activities in accordance with its monitoring plan.
Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-016: Evaluate Subrecipients' Risk of Noncompliance in Accordance with Federal Regulations

Applicable to: Department of Social Services
Prior Year Finding Number: 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0

Benefit Programs still does not evaluate subrecipients' risk of noncompliance with federal regulations related to the administration of the SNAP and Medicaid Clusters and the TANF and LIHEAP federal grant programs. Benefit Programs bases its subrecipient monitoring approach solely on the size of the subrecipient and performs no further risk assessment procedures to determine that approach. Social Services disbursed approximately $312 million to subrecipients from these federal programs during the fiscal year.

Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Further, 2 CFR § 200.332(b) suggests that pass-through entities consider the results of previous audits, the subrecipient's prior experience with the same or similar subawards, and whether the subrecipient has new personnel or new or substantially changed systems.

Benefit Programs developed a corrective action plan to perform risk assessment procedures to comply with 2 CFR § 200.332(b); however, it was unable to implement the corrective action due to staff turnover. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of each subrecipient as necessary to ensure that the subaward was used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward.

Benefit Programs should continue its corrective action efforts to implement a risk assessment process for subrecipients that is consistent with federal regulations, and should ensure that its monitoring efforts are consistent with the results of that risk assessment.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-089: Obtain, Review, and Document System and Organization Control Reports of Third-Party Service Providers

Applicable to: Department of Social Services
Prior Year Finding Number: 2021-019
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: SNAP Cluster - 10.551, 10.561 (COVID-19)
Federal Award Number and Year: 221VA407S2514 - 2022
Name of Federal Agency: U.S. Department of Agriculture
Type of Compliance Requirement - Criteria: Other - 7 CFR § 274.1(i)(2)
Known Questioned Costs: $0

Social Services still does not have sufficient internal controls for obtaining, reviewing, and documenting System and Organization Control (SOC) reports of its service providers. Social Services uses service providers to perform functions such as administering the Electronic Benefit Transfer (EBT) process for public assistance programs, processing public assistance program applications, and performing call center functions. SOC reports, specifically SOC 1, Type 2 reports, provide an independent description of a service provider's internal controls over financial processes and an evaluation of their operating effectiveness over a stated period. They are a key tool for understanding a service provider's internal control environment and maintaining oversight over outsourced operations. Social Services could not demonstrate that it reviewed service provider SOC reports to identify deficiencies, or that it determined whether the period and scope of the reports provided adequate coverage of the outsourced operations during the fiscal year.

CAPP Manual Topic 10305 requires agencies to have adequate interaction with service providers to appropriately understand the service provider's internal control environment. Agencies must also maintain oversight over service providers to gain assurance over outsourced operations. Additionally, Section 1.1 of the Security Standard states that agency heads remain accountable for maintaining compliance with the Security Standard for information technology equipment, systems, and services procured from service providers, and that agencies must enforce the compliance requirements through documented agreements and oversight of the services provided. Finally, 2 CFR § 200.303(a) requires non-federal entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

Social Services shares responsibility for reviewing SOC reports with VITA's Enterprise Cloud Oversight Services (ECOS), depending on the type of SOC report. The individuals responsible for obtaining and reviewing SOC 1, Type 2 reports misunderstood the services provided by ECOS, which does not review SOC 1, Type 2 reports, and did not have clear expectations as to what they should obtain, review, and document during their review of those reports. As a result, Social Services did not develop the policies and procedures for obtaining, reviewing, and documenting SOC 1, Type 2 reports that we recommended in the prior audit.

Without adequate policies and procedures over service providers' operations, Social Services cannot ensure that its own complementary user entity controls are sufficient to support its reliance on the service providers' control design, implementation, and operating effectiveness. Nor can it address internal control deficiencies or exceptions identified in the SOC reports. In effect, by not obtaining the necessary SOC reports timely or properly documenting its review of them, Social Services increases the risk that it will not detect a weakness in a service provider's environment.

Social Services should develop agency-wide policies and procedures that other divisions can use when obtaining, reviewing, and documenting SOC reports. These policies and procedures should comply with the requirements outlined in the CAPP Manual and the Security Standard and should include, at a minimum: the timeframes for obtaining SOC reports from each service provider; documentation requirements for complementary user entity controls; the steps needed to address internal control deficiencies or exceptions found in the reviews; and the staff responsible for any corrective actions necessary to mitigate the risk to the Commonwealth until the service provider corrects the deficiency.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-101: Follow Eligibility Documentation Requirements for Women, Infants and Children Program

Applicable to: Department of Health
Prior Year Finding Number: 2021-061
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: WIC Special Supplemental Nutrition Program for Women, Infants, and Children - 10.557 (COVID-19)
Federal Award Number and Year: 221VA707W1006 - 2022
Name of Federal Agency: U.S. Department of Agriculture
Type of Compliance Requirement - Criteria: Eligibility - 7 CFR § 246.7(c)(i)
Known Questioned Costs: $0

Local health department eligibility staff did not complete the required eligibility documentation for certain recipients under the Women, Infants and Children (WIC) program. For three of 25 (12%) cases, local health department staff neither obtained an acceptable form of proof of identification nor completed an affidavit confirming the identity and residence requirements. While performance has improved significantly from the prior year, local health staff still did not follow policies and procedures in these instances.

Local health department staff are primarily responsible for determining eligibility for the WIC program. As a result of the COVID-19 pandemic, the federal government waived the eligibility requirements related to physical presence and allowed states to adopt alternative procedures to verify identity and residence. In June 2020, Health received additional guidance from the United States Department of Agriculture Food and Nutrition Service (FNS) requiring proof of identification through encrypted email or other approved collection methods. If local health staff are unable to collect this proof of identification, Health's procedures require staff to complete an affidavit to verify identity and residency. Additionally, FNS communicated that Health should have recipients sign a statement explaining why they are unable to provide proof of identification or residency.

To address these policy changes, Health developed a Remote WIC Services policy in August 2020; however, the policy did not include the requirement that recipients sign a statement when they cannot provide proof of identification. In response to the prior year finding, Health revised the policy and provided training to local health department staff on the eligibility requirements. Health implemented the revised Remote WIC Services policy in January 2022, and although there has been improvement since the prior year, local health department staff are still adjusting to the revised policy.

When local health department staff do not properly verify identification and residential eligibility, there is a risk that Health could pay WIC benefits to ineligible recipients. In addition, if local health staff do not complete and retain an affidavit, Health cannot hold recipients accountable for the information they provided.

Health central office staff should continue working with local health department staff to ensure that staff adhere to policies and procedures and maintain the required documentation for WIC eligibility.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-097: Monitor Internal Procedures to Ensure Compliance with the Conflict of Interests Act

Applicable to: Department of Social Services
Prior Year Finding Number: 2021-060
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Pandemic EBT - Admin Costs - 10.649 (COVID-19)
Federal Award Number and Year: 221VA457S9007 - 2022
Name of Federal Agency: U.S. Department of Agriculture
Type of Compliance Requirement - Criteria: Procurement and Suspension and Debarment - 2 CFR § 200.317
Known Questioned Costs: $0

Human Resources is not monitoring compliance with its internal procedures to ensure that individuals in positions of trust file the required Statement of Economic Interests (SOEI) disclosure form and complete the required Conflict of Interests Act (COIA) training. Of the 41 employees identified in positions of trust, nine (22%) did not file an SOEI form. Three of the nine individuals who did not file an SOEI form held positions with procurement responsibilities. Additionally, of nine randomly selected employees identified in positions of trust, Human Resources was unable to locate training records for five (56%) to demonstrate that they completed their required COIA training.

Executive Order Number Eight (2018) makes the head of each agency, institution, board, commission, council, and authority within the Executive Branch responsible for ensuring that designated officers and employees file their SOEI form in accordance with § 2.2-3114 of the Code of Virginia. Additionally, §§ 2.2-3114 and 2.2-3118.2 of the Code of Virginia state that persons occupying positions of trust within state government, or non-salaried citizen members of policy and supervisory boards, shall file a disclosure statement of their personal interests, and such other information as is required on the form, with the Commonwealth's Ethics Advisory Council on or before the day such office or position of employment is assumed, and thereafter shall file such a statement annually on or before February 1. Further, § 2.2-3130 of the Code of Virginia requires filers to complete orientation training within two months of their hire or appointment and at least once during each consecutive period of two calendar years. Finally, the Virginia Public Procurement Act requires state agencies to adopt the provisions of the COIA to promote ethics in public contracting, and 2 CFR § 200.317 requires states to follow their own procurement policies and procedures when procuring property and services with federal funds.

While Human Resources has sufficient policies and procedures in place to ensure compliance with the COIA, it has not monitored compliance with those procedures to ensure that all employees in positions of trust file their SOEI forms timely and complete the required training. Human Resources has not been able to monitor compliance with its policy because of turnover within its division.

Without appropriately monitoring individuals in positions of trust, Human Resources cannot ensure that it is fully compliant with the provisions of the COIA. In effect, Social Services could be susceptible to actual or perceived conflicts of interest and limited in its ability to hold employees accountable. These conditions could potentially lead to a violation of state or federal laws or regulations.

Human Resources should dedicate the resources necessary to monitor all employees designated in a position of trust to ensure that they file the required SOEI form and complete the required COIA training.
Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-010: Comply with Federal Requirements for Review of Tax Performance System
Applicable to: Virginia Employment Commission
Prior Year Finding Number: 2021-064
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19)
Federal Award Number and Year: UI233F2200 - 2022
Name of Federal Agency: U.S. Department of Labor
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 20 CFR § 602
Known Questioned Costs: $0

The Virginia Employment Commission (Commission) did not comply with U.S. Department of Labor (Labor) Tax Performance System (TPS) review requirements. The TPS review is a quality assurance review that provides information on a state's compliance with Labor guidelines. The Commission did not follow TPS review requirements in the following areas:

• The Commission did not complete a sampling review for five of six (83%) areas requiring an annual review.
• The reviewer did not complete and/or retain the required checklist for three of 18 (17%) samples selected for review.
• The reviewer's "pass" decision was not reasonable for seven of 18 (39%) samples reviewed related to the benefit charging function.

Title 20 U.S. Code of Federal Regulations (CFR) § 602 requires states to operate a program to assess their Unemployment Insurance (UI) tax and benefit programs and includes specific procedures for the program. TPS provides a cost-effective means to assess the major internal UI tax functions and operations. The TPS review assists state administrators in improving their UI programs by providing objective information on the quality of existing revenue operations. TPS also serves to help Labor carry out its oversight, technical assistance, and policy development responsibilities. One of the primary goals of the system is to achieve continuous improvement of overall performance quality.

Not performing the required reviews increases the risk that the Commission's tax system is not properly calculating employer tax rates. System errors could lead to employers paying less than required, causing an unnecessary burden on the trust fund, or paying more than required, causing unnecessary burdens on employers and the need for the Commission to calculate and issue refunds. The lack of adherence to the review requirements was due to a new employee in this area whom the Quality Assurance Manager had not yet fully trained.

The Commission should ensure staff follow proper procedures for completion of the TPS report and required system reviews. Employees responsible for TPS reviews should have a comprehensive knowledge of the UI tax system, skills in planning and conducting systems reviews, and the ability to communicate effectively through presentation of findings and recommendations to line staff and management. The Quality Assurance Manager should ensure that the employee responsible for preparation of the TPS report receives the necessary training to fully understand the requirements of the annual review.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-026: Improve Database Security
Applicable to: Virginia Employment Commission
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control; Audit and Accountability; Configuration Management; Identification and Authentication; System and Information Integrity
ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19)
Federal Award Number and Year: UI233F2200 - 2022
Name of Federal Agency: U.S. Department of Labor
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

The Commission does not secure the database that supports its internal benefits system in accordance with its internal policies, the Security Standard, and industry best practices. We communicated four control weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

The Commission's policies, the Security Standard, and industry best practices require the Commission to implement certain controls to reduce unnecessary risk to data confidentiality, integrity, and availability in systems processing or storing sensitive information. The Commission's dedication of resources to other higher priorities and lack of certain control processes caused the weaknesses to occur.

The Commission should allocate the necessary resources to ensure database configurations, controls, and processes align with the requirements in its policies, the Security Standard, and industry best practices. Improving security of the database will help maintain the confidentiality, integrity, and availability of the Commission's sensitive data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-027: Upgrade End-of-Life Technology
Applicable to: Virginia Employment Commission
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: System and Information Integrity; System and Services Acquisition
ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19)
Federal Award Number and Year: UI233F2200 - 2022
Name of Federal Agency: U.S. Department of Labor
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

The Commission uses end-of-life technology on one of its IT systems that processes mission-essential data without an approved exception. We communicated the control weakness to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms.

The Security Standard prohibits agencies from using end-of-life software that the vendor no longer supports, in order to reduce unnecessary risk to the confidentiality, integrity, and availability of the Commission's information systems and data. If the Commission is not able to update its software to a supported version due to compatibility or other operational issues, the Security Standard requires the Agency Head to submit an exception request for approval to the Commonwealth's Chief ISO (Security Standard, Sections: SI-2-COV Flaw Remediation; SA-22 Unsupported System Components; 1.5 Exceptions to Security Requirements).

The Commission began efforts to migrate to a new environment in June 2020; however, due to VITA supplier and infrastructure issues, the Commission abandoned the project and delayed upgrading its end-of-life technology. As of June 2022, the Commission began new efforts to migrate to a different infrastructure, which will allow the Commission to upgrade its end-of-life technology.

The Commission should upgrade its systems running outdated and unsupported software. Additionally, while upgrade efforts are ongoing, the Commission should submit and receive an approved exception that includes a description of compensating controls that will reduce the software vulnerability risk. The exception request should also include the Commission's future plans to upgrade the systems running outdated and unsupported software. Upgrading systems from end-of-life software will improve the Commission's security posture and help protect the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-028: Properly Update and Review System Access
Applicable to: Virginia Employment Commission
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control; Personnel Security
ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19)
Federal Award Number and Year: UI233F2200 - 2022
Name of Federal Agency: U.S. Department of Labor
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

The Commission's system access controls are not adequate to ensure compliance with the Commission's policies and the Security Standard. The Commission did not remove terminated employee system access timely, maintain proper documentation for new users, or perform an annual review of all user access, as follows:

• The Commission did not terminate system access to the financial management system for one of four (25%) employees until 54 days after termination.
• The Commission did not terminate system access to the benefits system for eight of 25 (32%) employees until three to ten days after termination.
• The Commission did not maintain proper documentation to support the approval of new user access roles in the benefits system for six of 40 (15%) employees.
• The Commission performed an annual system access review for the new benefits system, which has over 4,500 users across the benefits, tax, and appeals modules. However, the Commission only reviewed benefits user roles and, as a result, excluded over half of the system's users from the review.

The Commission's Access Control Policies and Procedures, Section A - Account Management (AC-2), subsection 11c, states that the system owner should deactivate user accounts for terminated employees within 24 hours of notification of the employee's separation from the agency. In addition, subsection 5b states that the system owner must maintain documented access approvals. Further, the Security Standard, Section PS-4, states an organization must disable information system access within 24 hours of employee separation and terminate any authenticators or credentials associated with the individual. Finally, the Security Standard, Section AC-6, requires agencies to perform annual reviews of privileges assigned to all users to validate the need for such privileges.

The lack of proper internal controls over system access increases the risk that terminated employees may retain unauthorized access to internal systems and sensitive information. In addition, for new or existing users, the Commission could grant or maintain access that is inappropriate or unnecessary based on job responsibilities.

Factors contributing to the untimely system access terminations and new access approval deficiencies include a lack of communication between supervisors and system administrators and the decentralized nature of access controls across the Commission's systems. Supervisors, as well as system owners and contractor designees, are not always following internal policies and procedures related to notification of the need for access removals, timely removal of access, and maintenance of approval documentation. In addition, we determined that the Commission performed an access review during the fiscal year when it transitioned users of the previous benefits system to the new system; however, the Commission did not perform a review for users already active in the new system. This review did not occur because the agency had not yet implemented a replacement access management application. The Commission is currently working to establish procedures over this application.

The Commission should deactivate terminated employees' system access timely, in accordance with the Security Standard and the Commission's policies and procedures. In addition, the Commission should maintain documentation related to access approvals and modifications. Also, the Commission should perform and document a review of access for all systems' user accounts at least annually. Finally, the Commission should update its internal Access Control Policies and Procedures to reflect all access control requirements and processes.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
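As an added illustration of the two controls this finding measures against (the 24-hour deactivation window in AC-2 11c / PS-4 and the annual review of all users in AC-6), the following Python script is example code written for this page, not the Commission's or the auditor's; its record layout, field names, system and module names, and sample dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Control thresholds cited in the finding (Security Standard PS-4 / AC-2 11c and AC-6).
DEACTIVATION_SLA = timedelta(hours=24)
REVIEW_PERIOD = timedelta(days=365)


@dataclass(frozen=True)
class Separation:
    employee_id: str
    separated_at: datetime  # when HR notified system owners of the separation


@dataclass(frozen=True)
class Account:
    employee_id: str
    system: str                        # constructed names: "financial" or "benefits"
    module: str                        # role module inside the system (benefits/tax/appeals)
    disabled_at: Optional[datetime]    # None -> account is still enabled
    last_reviewed: Optional[datetime]  # None -> never covered by an access review


def deactivation_exceptions(separations: List[Separation], accounts: List[Account],
                            as_of: datetime) -> List[Tuple[str, str, timedelta]]:
    """Accounts of separated employees that were not disabled within DEACTIVATION_SLA.

    Returns (employee_id, system, lag) tuples, longest lag first. An account that
    is still enabled is measured against `as_of`, so its lag keeps growing until
    someone disables it.
    """
    separated = {s.employee_id: s.separated_at for s in separations}
    exceptions = []
    for acct in accounts:
        if acct.employee_id not in separated:
            continue  # current employee; nothing to check here
        disabled = acct.disabled_at if acct.disabled_at is not None else as_of
        lag = disabled - separated[acct.employee_id]
        if lag > DEACTIVATION_SLA:
            exceptions.append((acct.employee_id, acct.system, lag))
    return sorted(exceptions, key=lambda e: e[2], reverse=True)


def review_coverage(accounts: List[Account], system: str, as_of: datetime) -> Dict[str, float]:
    """Fraction of each module's accounts reviewed within REVIEW_PERIOD.

    A review that only looked at one module shows up as 0.0 for the others,
    which is the gap the finding describes for the tax and appeals modules.
    """
    totals: Dict[str, int] = {}
    reviewed: Dict[str, int] = {}
    for acct in accounts:
        if acct.system != system:
            continue
        totals[acct.module] = totals.get(acct.module, 0) + 1
        if acct.last_reviewed is not None and as_of - acct.last_reviewed <= REVIEW_PERIOD:
            reviewed[acct.module] = reviewed.get(acct.module, 0) + 1
    return {m: reviewed.get(m, 0) / n for m, n in totals.items()}


def unreviewed_share(accounts: List[Account], system: str, as_of: datetime) -> float:
    """Share of a whole system's accounts that no review in the last year covered."""
    in_scope = [a for a in accounts if a.system == system]
    missed = [a for a in in_scope
              if a.last_reviewed is None or as_of - a.last_reviewed > REVIEW_PERIOD]
    return len(missed) / len(in_scope) if in_scope else 0.0


# Constructed sample data (not from the report).
AS_OF = datetime(2022, 6, 30)
SEPARATIONS = [
    Separation("e1", datetime(2022, 1, 10, 9)),
    Separation("e2", datetime(2022, 3, 1, 9)),
    Separation("e3", datetime(2022, 4, 15, 9)),
    Separation("e4", datetime(2022, 5, 20, 9)),
]
ACCOUNTS = [
    Account("e1", "financial", "gl", datetime(2022, 3, 5, 9), datetime(2022, 2, 1)),        # 54 days late
    Account("e2", "benefits", "benefits", datetime(2022, 3, 4, 9), datetime(2022, 2, 1)),   # 3 days late
    Account("e3", "benefits", "benefits", datetime(2022, 4, 15, 17), datetime(2022, 2, 1)), # within 24h
    Account("e4", "benefits", "tax", None, None),                                           # still enabled
    Account("e5", "benefits", "benefits", None, datetime(2022, 2, 1)),                      # active, reviewed
    Account("e6", "benefits", "tax", None, None),                                           # active, never reviewed
    Account("e7", "benefits", "appeals", None, datetime(2020, 2, 1)),                       # review too old
]


def run_checks():
    """Run both checks over the sample data and return the raw results."""
    late = deactivation_exceptions(SEPARATIONS, ACCOUNTS, AS_OF)
    coverage = review_coverage(ACCOUNTS, "benefits", AS_OF)
    missed = unreviewed_share(ACCOUNTS, "benefits", AS_OF)
    return late, coverage, missed


if __name__ == "__main__":
    late, coverage, missed = run_checks()
    for emp, system, lag in late:
        print(f"{emp}: {system} access disabled {lag.days} days after separation")
    print("review coverage by module:", coverage)
    print(f"{missed:.0%} of benefits users were excluded from the annual review")
```

Run against real HR separation exports and account inventories, the same two functions give an auditor the lag distribution behind "54 days" and "three to ten days" and the module-level coverage behind "over half of the system's users".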
2022-108: Submit Required Reports Timely
Applicable to: Virginia Employment Commission
Prior Year Finding Number: 2021-086; 2020-091
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19)
Federal Award Number and Year: UI233F2200 - 2022
Name of Federal Agency: U.S. Department of Labor
Type of Compliance Requirement - Criteria: Reporting - 2 CFR § 200.300(b); Department of Labor Handbooks ETA 336 and 401
Known Questioned Costs: $0

The Commission did not submit monthly and quarterly Employment and Training Administration (ETA) Reports timely. There were multiple instances where the Commission did not submit reports by the required deadlines, including:

• Submitting one of twelve (8%) Unemployment Insurance Financial Transaction Summary (ETA 2112) reports seven days late;
• Submitting one of four (25%) Statement of Expenditures and Financial Adjustments of Federal Funds for Unemployment Compensation for Federal Employees and Ex-Service Members (ETA 191) reports 13 days late;
• Submitting one of four (25%) Overpayment Detection and Recovery Activities (ETA 227) reports 76 days late;
• Submitting one of four (25%) Quarterly Narrative Progress Reports (ETA 9178) four days late;
• Submitting one of twelve (8%) Time Lapse of All First Payments Except Workshare (ETA 9050) reports five days late;
• Not submitting one of four (25%) Reemployment Services and Eligibility Assessment Workload (ETA 9128) reports; and
• Not submitting four of four (100%) Reemployment Services and Eligibility Assessment Outcomes (ETA 9129) reports.

Labor Handbook 401 requires specific filing dates for all reports. These reports provide information to Labor to measure the performance and effectiveness of various benefit programs. According to the grant agreement between the Commission and Labor, the Commission should submit its required reports to Labor in a timely manner and in accordance with Labor Handbook 401.

Not submitting reports timely may cause delays in funding from Labor or suspension of funds needed for ongoing Commission operations. In addition, continued delays could result in additional federal oversight.

The implementation of the new benefits system affected the Commission's ability to submit required ETA reports timely. Specifically, the Commission encountered errors when submitting several reports containing data from the internal benefits system, which the Commission was unable to resolve. Further, there are no specific policies and procedures outlining guidance for submission of specific reports. The Commission has continued to work with the system contractor to resolve any existing errors in order to successfully submit required federal reports. For reports not impacted by the internal benefits system implementation, management did not provide proper oversight to ensure timely filings due to competing work priorities.

We encourage the Commission to continue working with the contractor to resolve any data issues in the benefits system. Also, management should exercise adequate oversight to ensure staff file all reports by the required due date. The Commission should also update internal policies and procedures for each required report to provide clear guidance for report submission and consequences for late filing.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-109: Submit Accurate Special Reports to Department of Labor
Applicable to: Virginia Employment Commission
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19)
Federal Award Number and Year: UI233F2200 - 2022
Name of Federal Agency: U.S. Department of Labor
Type of Compliance Requirement - Criteria: Reporting - 2 CFR § 200.300(b); Department of Labor Handbooks ETA 336 and 401
Known Questioned Costs: $0

The Commission did not accurately report activity on the Quarterly Unemployment Insurance Above-Base Report (ETA 2208A Report) for one of two (50%) quarters tested. The June 2022 quarterly report included amounts that were not in agreement with supporting documentation.

Labor Handbook 336 requires that data reported must fairly and accurately represent the utilization of staff years and be traceable to supporting documentation. This special report provides information to Labor on the number of staff years worked and paid for various UI program categories to use in determining above-base entitlements. According to the grant agreement between the Commission and Labor, the Commission should submit its required reports to Labor in accordance with Labor Handbook 336.

Submitting reports with inaccurate information may cause an incorrect determination of entitlements above employee base pay. The employee responsible for preparing the ETA 2208A Report identified typographical errors after submission of the report; however, the employee did not notify management of the errors. The employee incorrectly decided to revise and resubmit the report, without management's knowledge, based on the premise that the next quarterly report would reflect accurate year-to-date activity, resolving the error from the prior period.

The Commission should properly train all employees responsible for report preparation. In addition, the Commission should update its policies and procedures to ensure employees notify management if they discover an error, so that management can determine whether corrected reports require an updated submission.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-010: Comply with Federal Requirements for Review of Tax Performance System Applicable to: Virginia Employment Commission Prior Year Finding Number: 2021-064 Type of Finding: Internal Control and Compliance Severity of Deficiency: Material Weakness ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19) Federal Award Number and Year: UI233F2200 - 2022 Name of Federal Agency: U.S. Department of Labor Type of Compliance Requirement - Criteria: Special Tests and Provisions - 20 CFR ? 602 Known Questioned Costs: $0 The Virginia Employment Commission (Commission) did not comply with U.S. Department of Labor (Labor) Tax Performance System (TPS) review requirements. The TPS review is a quality assurance review that provides information on a state's compliance with Labor guidelines. The Commission did not follow TPS review requirements in the following areas: ?The Commission did not complete a sampling review for five of six (83%) areas requiring an annual review. ?The reviewer did not complete and/or retain the required checklist for three of 18 (17%) samples selected for review. ?The reviewer's "pass" decision was not reasonable for seven of 18 (39%) samples reviewed related to the benefit charging function. Title 20 U.S. Code of Federal Regulations (CFR) ? 602 requires states to operate a program to assess their Unemployment Insurance (UI) tax and benefit programs and includes specific procedures for the program. TPS provides a cost-effective means to assess the major internal UI tax functions and operations. The TPS review assists state administrators in improving their UI programs by providing objective information on the quality of existing revenue operations. TPS also serves to help Labor carry out its oversight, technical assistance, and policy development responsibilities. One of the primary goals of the system is to achieve continuous improvement of overall performance quality. 
Not performing the required reviews increases the risk that the Commission's tax system is not properly calculating employer tax rates. System errors could lead to employers paying less than required causing an unnecessary burden on the trust fund, or paying more than required, causing unnecessary burdens on employers and the need for the Commission to calculate and issue refunds. The lack of adherence to the review requirements was due to a new employee in this area who the Quality Assurance Manager had not yet fully trained. The Commission should ensure staff follow proper procedures for completion of the TPS report and required system reviews. Employees responsible for TPS reviews should have a comprehensive knowledge of the UI tax system, skills in planning and conducting systems reviews, and the ability to communicate effectively through presentation of findings and recommendations to line staff and management. The Quality Assurance Manager should ensure that the employee responsible for preparation of the TPS report receives the necessary training to fully understand the requirements of the annual review. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-026: Improve Database Security Applicable to: Virginia Employment Commission Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Access Control; Audit and Accountability; Configuration Management; Identification and Authentication; System and Information Integrity ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19) Federal Award Number and Year: UI233F2200 - 2022 Name of Federal Agency: U.S. Department of Labor Type of Compliance Requirement - Criteria: Other - 2 CFR ? 200.303(e) Known Questioned Costs: $0 The Commission does not secure the database that supports its internal benefits system in accordance with its internal policies, the Security Standard, and industry best practices. We communicated four control weaknesses to management in a separate document marked FOIAE under ? 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. The Commission's policies, the Security Standard, and industry best practices require the Commission to implement certain controls to reduce unnecessary risk to data confidentiality, integrity, and availability in systems processing or storing sensitive information. The Commission's dedication of resources to other higher priorities and lack of certain control processes caused the weaknesses to occur. The Commission should allocate the necessary resources to ensure database configurations, controls, and processes align with the requirements in its policies, the Security Standard, and industry best practices. Improving security of the database will help maintain the confidentiality, integrity, and availability of the Commission's sensitive data. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. 
In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-027: Upgrade End-of-Life Technology Applicable to: Virginia Employment Commission Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: System and Information Integrity; System and Services Acquisition ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19) Federal Award Number and Year: UI233F2200 - 2022 Name of Federal Agency: U.S. Department of Labor Type of Compliance Requirement - Criteria: Other - 2 CFR ? 200.303(e) Known Questioned Costs: $0 The Commission uses end-of-life technology on one of its IT systems that processes mission-essential data without an approved exception. We communicated the control weakness to management in a separate document marked FOIAE under ? 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard prohibits agencies from using software that is end-of-life and the vendor no longer supports to reduce unnecessary risk to the confidentiality, integrity, and availability of the Commission's information systems and data. If the Commission is not able to update its software to a supported version due to compatibility or other operational issues, the Security Standard requires the Agency Head to submit an exception request for approval to the Commonwealth's Chief ISO (Security Standard, Sections: SI-2-COV Flaw Remediation; SA-22 Unsupported System Components; 1.5 Exceptions to Security Requirements). The Commission began efforts to migrate to a new environment in June 2020; however, due to VITA supplier and infrastructure issues, the Commission abandoned the project and delayed upgrading its end-of-life technology. As of June 2022, the Commission began new efforts to migrate to a different infrastructure, which will allow the Commission to upgrade its end-of-life technology. 
The Commission should upgrade its systems running outdated and unsupported software. Additionally, while upgrade efforts are ongoing, the Commission should submit and receive an approved exception that includes a description of compensating controls that will reduce the software vulnerability risk. The exception request should also include the Commission's future plans to upgrade the systems running outdated and unsupported software. Upgrading systems from end-of-life software will increase the Commission's security posture and help protect the confidentiality, integrity, and availability of sensitive and mission-critical data. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-028: Properly Update and Review System Access
Applicable to: Virginia Employment Commission
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control; Personnel Security
ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19)
Federal Award Number and Year: UI233F2200 - 2022
Name of Federal Agency: U.S. Department of Labor
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

The Commission's system access controls are not adequate to ensure compliance with the Commission's policies and the Security Standard. The Commission did not remove terminated employees' system access timely, maintain proper documentation for new users, or perform an annual review of all user access, as follows:

• The Commission did not terminate system access to the financial management system for one of four (25%) terminated employees until 54 days after termination.
• The Commission did not terminate system access to the benefits system for eight of 25 (32%) terminated employees until three to ten days after termination.
• The Commission did not maintain proper documentation to support the approval of new user access roles in the benefits system for six of 40 (15%) employees.
• The Commission performed an annual system access review for the new benefits system, which has over 4,500 users across the benefits, tax, and appeals modules. However, the Commission reviewed only benefits user roles and, as a result, excluded over half of the system's users from the review.

The Commission's Access Control Policies and Procedures, Section A - Account Management (AC-2), subsection 11c, states that the system owner should deactivate user accounts for terminated employees within 24 hours of notification of the employee's separation from the agency. In addition, subsection 5b states that the system owner must maintain documented access approvals. Further, the Security Standard, Section PS-4, states that an organization must disable information system access within 24 hours of employee separation and terminate any authenticators or credentials associated with the individual. Finally, the Security Standard, Section AC-6, requires agencies to perform annual reviews of the privileges assigned to all users to validate the need for those privileges.

The lack of proper internal controls over system access increases the risk that terminated employees retain unauthorized access to internal systems and sensitive information. In addition, for new or existing users, the Commission could grant or maintain access that is inappropriate or unnecessary for the user's job responsibilities.

Factors contributing to the untimely system access terminations and the new-access approval deficiencies include a lack of communication between supervisors and system administrators and the decentralized nature of access controls across the Commission's systems. Supervisors, as well as system owners and contractor designees, are not always following internal policies and procedures for notifying the need for access removal, removing access timely, and maintaining approval documentation. In addition, we determined that the Commission performed an access review during the fiscal year when it transitioned users of the previous benefits system to the new system; however, the Commission did not perform a review of users already active in the new system. This review did not occur because the agency had not yet implemented a replacement access management application. The Commission is currently working to establish procedures over this application.

The Commission should deactivate terminated employees' system access timely, in accordance with the Security Standard and the Commission's policies and procedures. In addition, the Commission should maintain documentation of access approvals and modifications. Also, the Commission should perform and document a review of access for all systems' user accounts at least annually. Finally, the Commission should update its internal Access Control Policies and Procedures to reflect all access control requirements and processes.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
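The three control tests behind this finding (deactivation within 24 hours of separation, an approval record for every grant, and an annual review that covers every module's users) can be run mechanically by reconciling an HR separations list, the account lists of each system, the approval records, and the review's scope. The script below is an added example, not code from the audit report or a tool the Commission uses; the user IDs, systems, modules, roles, timestamps and field names are constructed sample data, chosen so that each check surfaces one of the gaps the finding describes.

```python
"""Access-control reconciliation checks.

Added example, not code from the audit report or the Commission. It runs the
three tests the finding describes against constructed sample data:
  1. accounts not disabled within 24 hours of the owner's separation (PS-4, AC-2),
  2. active accounts with no documented access approval (AC-2),
  3. annual-review coverage per module, so a review that only covered one
     module's roles is caught (AC-6).
User IDs, systems, modules, roles and timestamps below are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str           # e.g. "financial" or "benefits"
    module: str           # module inside the system, e.g. "benefits", "tax", "appeals"
    role: str
    active: bool
    disabled_at: datetime | None = None   # when the account was disabled, if ever


UTC = timezone.utc

# Constructed sample data (hypothetical). Separation times are the HR
# notification timestamps that start the 24-hour clock.
SEPARATIONS = {
    "u1001": datetime(2022, 3, 1, 9, 0, tzinfo=UTC),
    "u1002": datetime(2022, 3, 1, 9, 0, tzinfo=UTC),
    "u1003": datetime(2022, 6, 15, 17, 0, tzinfo=UTC),
}
ACCOUNTS = [
    # disabled 54 days after separation
    Account("u1001", "financial", "gl", "ap_clerk", False, datetime(2022, 4, 24, 9, 0, tzinfo=UTC)),
    # disabled 23 hours after separation: within the 24-hour requirement
    Account("u1002", "benefits", "benefits", "adjudicator", False, datetime(2022, 3, 2, 8, 0, tzinfo=UTC)),
    # separated but never disabled
    Account("u1003", "benefits", "tax", "examiner", True),
    Account("u2001", "benefits", "benefits", "adjudicator", True),
    Account("u2002", "benefits", "tax", "auditor", True),
    Account("u2003", "benefits", "appeals", "hearing_officer", True),
]
# Documented approvals as (user_id, system, role); u2002 has none on file.
APPROVALS = {
    ("u1003", "benefits", "examiner"),
    ("u2001", "benefits", "adjudicator"),
    ("u2003", "benefits", "hearing_officer"),
}
# Users whose access was covered by the annual review (benefits module only).
REVIEWED = {"u2001"}
AS_OF = datetime(2022, 6, 30, 0, 0, tzinfo=UTC)   # date the check is run


def late_deactivations(accounts, separations, as_of, max_delay=timedelta(hours=24)):
    """Accounts whose deactivation missed the deadline (separation + max_delay).

    Returns (user_id, system, hours overdue). A still-active account is measured
    up to as_of, so it is reported and keeps growing until someone disables it.
    """
    findings = []
    for acct in accounts:
        separated = separations.get(acct.user_id)
        if separated is None:
            continue                      # not a terminated employee
        ended = as_of if acct.active else acct.disabled_at
        overdue = ended - (separated + max_delay)
        if overdue > timedelta(0):
            findings.append((acct.user_id, acct.system, round(overdue.total_seconds() / 3600, 1)))
    return findings


def undocumented_access(accounts, approvals):
    """Active (user, system, role) grants with no approval record on file."""
    return [
        (a.user_id, a.system, a.role)
        for a in accounts
        if a.active and (a.user_id, a.system, a.role) not in approvals
    ]


def review_coverage(accounts, reviewed):
    """Per-module (users reviewed, active users), counting each user once per module."""
    users_by_module: dict[str, set[str]] = {}
    for a in accounts:
        if a.active:
            users_by_module.setdefault(a.module, set()).add(a.user_id)
    return {m: (len(u & reviewed), len(u)) for m, u in users_by_module.items()}


def unreviewed_modules(coverage):
    """Modules the annual review did not fully cover, sorted by name."""
    return sorted(m for m, (done, total) in coverage.items() if done < total)


if __name__ == "__main__":
    for user, system, hours in late_deactivations(ACCOUNTS, SEPARATIONS, AS_OF):
        print(f"LATE DEACTIVATION: {user} on {system}, {hours} h past the 24-hour deadline")
    for user, system, role in undocumented_access(ACCOUNTS, APPROVALS):
        print(f"NO APPROVAL ON FILE: {user} holds {role} on {system}")
    cov = review_coverage(ACCOUNTS, REVIEWED)
    for module in unreviewed_modules(cov):
        done, total = cov[module]
        print(f"REVIEW GAP: module {module} reviewed {done} of {total} users")
```

Two design points matter in practice. The deactivation check measures still-active accounts against the run date rather than skipping them, so an account that was never disabled is the loudest finding rather than an invisible one. The coverage check is keyed on the module, not the system, which is exactly the distinction that let a "complete" review of one system leave over half its users unexamined.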
2022-108: Submit Required Reports Timely
Applicable to: Virginia Employment Commission
Prior Year Finding Number: 2021-086; 2020-091
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19)
Federal Award Number and Year: UI233F2200 - 2022
Name of Federal Agency: U.S. Department of Labor
Type of Compliance Requirement - Criteria: Reporting - 2 CFR § 200.300(b); Department of Labor Handbooks ETA 336 and 401
Known Questioned Costs: $0

The Commission did not submit monthly and quarterly Employment and Training Administration (ETA) reports timely. There were multiple instances in which the Commission did not submit reports by the required deadlines, including:

• Submitting one of twelve (8%) Unemployment Insurance Financial Transaction Summary (ETA 2112) reports seven days late;
• Submitting one of four (25%) Statement of Expenditures and Financial Adjustments of Federal Funds for Unemployment Compensation for Federal Employees and Ex-Service Members (ETA 191) reports 13 days late;
• Submitting one of four (25%) Overpayment Detection and Recovery Activities (ETA 227) reports 76 days late;
• Submitting one of four (25%) Quarterly Narrative Progress Reports (ETA 9178) four days late;
• Submitting one of twelve (8%) Time Lapse of All First Payments Except Workshare (ETA 9050) reports five days late;
• Not submitting one of four (25%) Reemployment Services and Eligibility Assessment Workload (ETA 9128) reports; and
• Not submitting four of four (100%) Reemployment Services and Eligibility Assessment Outcomes (ETA 9129) reports.

Labor Handbook 401 requires specific filing dates for all reports. These reports provide information to Labor to measure the performance and effectiveness of various benefit programs. According to the grant agreement between the Commission and Labor, the Commission should submit its required reports to Labor in a timely manner and in accordance with Labor Handbook 401.

Not submitting reports timely may cause delays in funding from Labor or suspension of funds needed for ongoing Commission operations. In addition, continued delays could result in additional federal oversight.

The implementation of the new benefits system affected the Commission's ability to submit required ETA reports timely. Specifically, the Commission encountered errors when submitting several reports containing data from the internal benefits system, which the Commission was unable to resolve. Further, there are no specific policies and procedures outlining guidance for the submission of specific reports. The Commission has continued to work with the system contractor to resolve any existing errors in order to successfully submit required federal reports. For reports not affected by the benefits system implementation, management did not provide proper oversight to ensure timely filings because of competing work priorities.

We encourage the Commission to continue working with the contractor to resolve any data issues in the benefits system. Also, management should exercise adequate oversight to ensure staff file all reports by the required due date. The Commission should also update its internal policies and procedures for each required report to provide clear guidance for report submission and consequences for late filing.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-109: Submit Accurate Special Reports to Department of Labor
Applicable to: Virginia Employment Commission
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19)
Federal Award Number and Year: UI233F2200 - 2022
Name of Federal Agency: U.S. Department of Labor
Type of Compliance Requirement - Criteria: Reporting - 2 CFR § 200.300(b); Department of Labor Handbooks ETA 336 and 401
Known Questioned Costs: $0

The Commission did not accurately report activity on the Quarterly Unemployment Insurance Above-Base Report (ETA 2208A Report) for one of two (50%) quarters tested. The June 2022 quarterly report included amounts that did not agree with supporting documentation.

Labor Handbook 336 requires that reported data fairly and accurately represent the utilization of staff years and be traceable to supporting documentation. This special report provides Labor with the number of staff years worked and paid for various UI program categories, which Labor uses in determining above-base entitlements. According to the grant agreement between the Commission and Labor, the Commission should submit its required reports to Labor in accordance with Labor Handbook 336.

Submitting reports with inaccurate information may cause an incorrect determination of entitlements above employee base pay.

The employee responsible for preparing the ETA 2208A Report identified typographical errors after submission of the report; however, the employee did not notify management of the errors. The employee incorrectly decided to revise and resubmit the report, without management's knowledge, based on the premise that the next quarterly report would reflect accurate year-to-date activity, resolving the error from the prior period.

The Commission should properly train all employees responsible for report preparation. In addition, the Commission should update its policies and procedures to ensure employees notify management when they discover an error, so that management can determine whether a corrected report requires an updated submission.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-110: Develop and Implement Internal Controls to Obtain Reasonable Assurance over Contractor Compliance with Program Regulations
Applicable to: Department of Housing and Community Development
Prior Year Finding Number: 2021-088
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
ALPT or Cluster Name and ALN: Emergency Rental Assistance Program - 21.023 (COVID-19)
Federal Award Number and Year: ERA0402; ERAE070; ERA0451; ERAE0400 - 2022
Name of Federal Agency: U.S. Department of the Treasury
Type of Compliance Requirement - Criteria: Eligibility - 2 CFR § 200.303(a); 2 CFR § 200.501(g)
Known Questioned Costs: $0

The Department of Housing and Community Development (Housing and Community Development) cannot provide reasonable assurance that its contractors administered the Emergency Rental Assistance (ERA) federal grant program in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Because of resource limitations, Housing and Community Development partnered with two separate contractors to process applications and determine eligibility on its behalf. The main objective of the ERA federal grant program is to provide rent relief to eligible tenants to prevent eviction and homelessness. Since the ERA federal program's inception, Housing and Community Development has provided $571 million in rental assistance to beneficiaries based on eligibility determinations made by its contractors.

The Code of Federal Regulations, 2 CFR § 200.501(g), states that the auditee is responsible for reviewing the contractor's records to determine program compliance. Additionally, 2 CFR § 200.303(a) states that non-federal entities must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Reasonable assurance is a high, but not absolute, level of assurance that the entity and its contractors have complied with federal laws and regulations. Housing and Community Development's contractual agreements with its contractors place ultimate responsibility for program compliance with Housing and Community Development.

Housing and Community Development incorporated certain measures into its contractual agreements with its contractors related to compliance with 2 CFR § 200.501(g) and 2 CFR § 200.303(a). First, Housing and Community Development communicated program requirements to its contractors through a formalized document and received documentation of how each contractor designed its internal controls to ensure program compliance. Second, Housing and Community Development added a requirement to the contractual agreement that the contractor provide a daily payment file, listing beneficiaries qualifying to receive payments, which Housing and Community Development is to approve before the contractor processes payments to beneficiaries.

While Housing and Community Development's contractual agreements contain important provisions related to program compliance, Housing and Community Development has not developed and implemented a systematic approach for obtaining reasonable assurance over the contractors' internal controls and compliance with federal program regulations. Although Housing and Community Development periodically verifies a contractor's internal controls and compliance when it receives a call from a beneficiary about their application, the agency has not included this periodic verification process in its official policies and procedures. Additionally, the periodic verification process is not sufficient to provide reasonable assurance over the contractors' internal controls or compliance with program operations, because the verifications are sporadic in nature. Finally, Housing and Community Development did not maintain appropriate evidence to demonstrate that it reviewed contractor records for program compliance before approving the daily payment file. Because management has not collected the evidence needed to provide reasonable assurance of federal program compliance, this has created a scope limitation for the audit and has led the Auditor of Public Accounts to disclaim an opinion on the ERA federal grant program.

Housing and Community Development first received ERA federal grant program funding in January 2021 and had until September 2021 to obligate at least 65 percent of its funding or the funding would be subject to recapture by the federal government. Because of the fast-paced nature of this program, much of Housing and Community Development's focus has been on interpreting and implementing the legislation and providing financial assistance to applicants as quickly as possible. Additionally, Housing and Community Development's Office of Eviction Prevention and Rental Assistance (Eviction Prevention and Rental Assistance) and Division of Administration (Administration), which are responsible for administering the ERA federal grant program, have been unable to develop and implement a systematic process for obtaining reasonable assurance over the contractors' internal controls and compliance because of a lack of time and available resources. Close out for the first grant allotment (ERA1) of the ERA federal award will occur in April 2023.

Eviction Prevention and Rental Assistance and Administration should work collaboratively to develop and implement a systematic approach for reviewing contractor records that provides reasonable assurance that the agency complied with federal statutes, regulations, and the terms and conditions of the federal award. Housing and Community Development should document this process and incorporate it into the agency's official policies and procedures. Further, Housing and Community Development should retain appropriate evidence to demonstrate its review of the contractors' records for program compliance. Finally, Housing and Community Development's executive leadership should oversee the implementation of this process to ensure the agency properly incorporates the policies and procedures into its operations. If Housing and Community Development does not believe it will complete corrective actions before ERA1 close-out, it should work collaboratively with the United States Department of the Treasury to find alternate solutions for ensuring program compliance.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-111: Perform Subrecipient Monitoring Activities Required by the Risk Assessment
Applicable to: Department of Housing and Community Development
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
ALPT or Cluster Name and ALN: Emergency Rental Assistance Program - 21.023 (COVID-19)
Federal Award Number and Year: ERA0402; ERAE070; ERA0451; ERAE0400 - 2022
Name of Federal Agency: U.S. Department of the Treasury
Type of Compliance Requirement - Criteria: Eligibility - 2 CFR § 200.332(d)
Known Questioned Costs: $0

Housing and Community Development has not monitored subrecipient activities for the ERA federal grant program in accordance with its subrecipient monitoring policies and procedures. Since the prior audit, Housing and Community Development performed a risk assessment for its ERA subrecipient and determined that the subrecipient was high risk. Housing and Community Development's Risk Evaluation and Assessment Core Tool Instructions state that for a high-risk subrecipient, program personnel must perform monitoring procedures as soon as possible but no later than six months after the completion of the risk assessment procedures, or a total of nine months from entering the subaward agreement. As of the end of the fiscal year, Housing and Community Development had not conducted the monitoring activities its Risk Evaluation and Assessment Core Tool Instructions require. Over the life of the ERA federal grant program, the subrecipient has determined eligibility for landlords, which has led to beneficiary payments totaling approximately $255 million.

Title 2 CFR § 200.332(d) requires grantees to monitor the activities of the subrecipient as necessary to ensure that it uses the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward, and that the subrecipient achieves subaward performance goals. While Housing and Community Development was able to demonstrate that it established recurring meetings with its subrecipient to discuss the performance of the program, these monitoring activities alone are not adequate given the subrecipient's risk level identified in the risk assessment. In effect, Housing and Community Development cannot provide reasonable assurance that the subrecipient used the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Reasonable assurance is a high, but not absolute, level of assurance that the entity and its subrecipient have complied with federal laws and regulations.

Housing and Community Development was unable to perform the required monitoring activities because of a lack of time and available resources. Because management has not performed the monitoring activities required by 2 CFR § 200.332(d), this has created a scope limitation for the audit and has led the Auditor of Public Accounts to disclaim an opinion on the ERA federal grant program. Close out for the ERA1 federal award will occur in April 2023.

Housing and Community Development should perform the required monitoring activities before it closes out the ERA1 federal award. If Housing and Community Development does not believe it will complete these monitoring activities before the ERA1 federal award close-out, it should work collaboratively with the United States Department of the Treasury to discuss alternate solutions for ensuring program compliance.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-102: Ensure the Correct Award Year is Applied to Federal Reports
Applicable to: Department of Education - Central Office Operations
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Title I Grants to Local Educational Agencies - 84.010
Federal Award Number and Year: S010A200046 - 2021-2022
Name of Federal Agency: U.S. Department of Education
Type of Compliance Requirement - Criteria: Reporting - 2 CFR § 170 Appendix A
Known Questioned Costs: $0

Education reported an incorrect award year to the federal government in its required Federal Funding Accountability and Transparency Act (FFATA) reporting. Specifically, since 2020, Education has submitted information with the award year 2020, which made it appear that Education made 846 subawards totaling $1.5 billion under its fiscal year 2020 Title I award. However, Education receives only around $250 million in Title I funding annually and makes around 135 subawards.

Title 2 U.S. Code of Federal Regulations Part 170 Appendix A, which the U.S. Department of Education included in the terms of the Title I award, requires Education to report each obligating action exceeding $30,000 to the FFATA Subrecipient Reporting System. Education's incorrect submissions result in USASpending.gov reporting inaccurate information, which may cause users of that website to draw improper conclusions about Education's Title I subawards.

The manager's review of Education's FFATA submissions did not detect that, after 2020, subsequent Title I subaward information was appended to the 2020 award.

Education's management should ensure that it has an effective review of its future FFATA submissions and should work with the federal government to determine whether it can correct the award year in prior submissions.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-013: Review Non-Locality Subrecipient Single Audit Reports
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-072; 2020-075; 2019-091; 2018-092
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)(3)(f)
Known Questioned Costs: $0

Compliance continues not to review non-locality subrecipient Single Audit reports as established in its Agency Monitoring Plan. Non-locality subrecipients are subrecipients that are not local governments; they are mainly non-profit organizations. During fiscal year 2022, Social Services disbursed approximately $80 million in federal funds to roughly 200 non-locality subrecipients. While reviewing the audit reports for the 27 non-locality subrecipients that received more than $750,000 in federal funds from Social Services, we noted the following:

• Five non-locality subrecipients (19%) did not have a current Single Audit report available in the Federal Audit Clearinghouse (Clearinghouse). Fiscal year 2022 federal disbursements to these non-locality subrecipients totaled approximately $6.5 million.
• Two non-locality subrecipients (7%) had audit findings that affected one or more of Social Services' federal grant programs. As a result of the lack of review over non-locality subrecipient Single Audit reports, Social Services did not issue management decision letters within six months of the Clearinghouse's acceptance of the audit reports to collaboratively resolve audit findings related to Social Services' federal programs.

According to 2 CFR § 200.332(f), all pass-through entities must verify that their subrecipients are audited if the subrecipient's federal awards expended during the respective fiscal year are expected to equal or exceed $750,000. Additionally, 2 CFR § 200.332(d)(3) requires pass-through entities to issue management decisions for applicable audit findings within six months of the Clearinghouse's acceptance of the audit report.

Without verifying whether non-locality subrecipients received a Single Audit, Compliance is unable to provide assurance that Social Services met the audit requirements set forth in 2 CFR § 200.332(d)(3) and (f). Additionally, Compliance cannot provide Social Services' Executive Team with assurance that its subrecipient monitoring efforts are adequate without reviewing non-locality Single Audit reports.

Compliance did not review non-locality subrecipient Single Audit reports because it did not dedicate the resources necessary to implement corrective action. In its corrective action plan, Compliance planned to procure a centralized system to support its subrecipient monitoring efforts. However, Compliance was unable to procure such a system during the fiscal year, and it did not implement an alternative solution to comply with the requirements in 2 CFR § 200.332(d)(3) and (f).

Compliance should determine what alternative solutions are available if it is unable to procure a centralized system, and should start reviewing non-locality Single Audit reports to comply with the federal regulations in 2 CFR § 200.332(d)(3) and (f).

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-015: Verify that Monitoring Plan Includes All Subrecipient Programmatic Activities
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)(d)
Known Questioned Costs: $0

Benefit Programs' monitoring plan does not include all subrecipient programmatic activities for the TANF federal grant program. Benefit Programs' primary programmatic activity for the TANF federal grant program is the eligibility determination function performed by local agencies. However, Benefit Programs also awards various competitive grants to local governments and non-profit organizations to help TANF recipients become self-sufficient. Benefit Programs did not include these programmatic activities in its monitoring plan. During the fiscal year, Benefit Programs disbursed approximately $47 million in TANF competitive grants to roughly 160 organizations.

Title 2 CFR § 200.332(b) requires all pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Additionally, 2 CFR § 200.332(d) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward, and achieves subaward performance goals.

When Benefit Programs developed its monitoring plan, it focused only on the eligibility functions performed by local agencies and did not consider other programmatic activities for the TANF federal grant program. Without including the other programmatic activities in the monitoring plan, Benefit Programs cannot provide assurance that subrecipients used TANF federal grant funds for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward.

Benefit Programs should update its monitoring plan to include all subrecipient programmatic activities for the TANF federal grant program and ensure each subrecipient is subject to the appropriate risk assessment procedures. Additionally, Benefit Programs should review its awards data for the federal grant programs under its purview to determine whether it should include any other subrecipient programmatic activities in its monitoring plan. Benefit Programs' monitoring coordinators should then review the division's monitoring efforts to ensure program consultants conduct them in accordance with the risk assessment.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-016: Evaluate Subrecipients' Risk of Noncompliance in Accordance with Federal Regulations

Applicable to: Department of Social Services
Prior Year Finding Number: 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0

Benefit Programs continues to not evaluate subrecipients' risk of noncompliance with federal regulations related to the administration of the SNAP and Medicaid Clusters and the TANF and LIHEAP federal grant programs. Benefit Programs develops its subrecipient monitoring approach using the size of the subrecipient; however, it does not perform any further risk assessment procedures to determine the monitoring approach. Social Services disbursed approximately $312 million to subrecipients from these federal programs during the fiscal year.

Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Further, 2 CFR § 200.332(b) suggests that pass-through entities should consider the results of previous audits, the subrecipient's prior experience with the same or similar subawards, and whether the subrecipient has new personnel or new or substantially changed systems.

Benefit Programs developed a corrective action plan to perform risk assessment procedures to comply with 2 CFR § 200.332(b); however, Benefit Programs was unable to implement corrective action due to staff turnover. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipient as necessary to ensure that the pass-through entity used the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward.

Benefit Programs should continue its corrective action efforts to implement a risk assessment process for subrecipients that is consistent with federal regulations and ensure that its monitoring efforts are consistent with the results of its risk assessment.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-017: Comply with TANF Requirement to Participate in the Income Eligibility and Verification System

Applicable to: Department of Social Services
Prior Year Finding Number: 2021-068; 2020-077; 2019-088; 2018-087
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 45 CFR § 264.10
Known Questioned Costs: $0

Social Services continues to work on implementing a process to comply with the Income Eligibility and Verification System (IEVS) requirement for the TANF federal grant program. In August 2020, Social Services completed and implemented the design for the new IEVS process to provide a defined process for working the IEVS matches. However, due to Internal Revenue Service (IRS) security requirements, Local Departments of Social Services (local agency) staff are unable to use IEVS.

Title 45 CFR § 264.10 requires states to meet the requirements of IEVS and request the following information: (1) IRS unearned income; (2) State Wage Information Collections Agency (SWICA) employer quarterly reports of income and unemployment insurance benefit payments; (3) IRS earned income maintained by the Social Security Administration; and (4) immigration status information maintained by the Immigration and Naturalization Service. IEVS requires local agency employees to have background investigations, including Federal Bureau of Investigation (FBI) fingerprinting for employees who can access IEVS, as it contains federal tax information. IRS Publication 1075, Section 2.C.3 Background Investigation Minimum Requirements, states background investigations for any individual granted access to federal tax information must include, at a minimum, FBI fingerprinting; a check of where the subject has lived, worked, and/or attended school within the last five years; and validation of citizenship/residency to ensure the individual is legally eligible to work in the United States.

Virginia law does not require local agency employees to successfully pass a fingerprint background check; therefore, local agencies continue to determine eligibility for TANF participants by verifying income and other information using various state databases that do not contain data from the IRS. Social Services drafted a legislative proposal for a fingerprint background check requirement for local agency employees and presented the proposal to the Secretary of Health and Human Resources for consideration during the 2022 General Assembly session. However, the Secretary of Health and Human Resources did not approve this proposal to move forward to the General Assembly.

By not using IEVS when verifying income for TANF participants, Social Services cannot verify that participants in the TANF program have met all eligibility requirements. As a result, per 45 CFR § 264.11, the Commonwealth could incur a two-percent reduction of the adjusted State Family Assistance Grant payable for the immediately succeeding fiscal year, unless the state demonstrates that it had reasonable cause or achieved compliance under a corrective compliance plan. Social Services will not fully comply with the IEVS federal requirement until the Secretary of Health and Human Resources approves the legislative proposal to move forward to the General Assembly.

Social Services should continue to work with the Secretary of Health and Human Resources to propose legislation to the General Assembly to require local agency employees to successfully pass a fingerprint background check. If the General Assembly passes legislation, Social Services should then implement a policy and procedure requiring background checks of local agency employees who access IEVS and ensure the local agencies processing TANF applications properly verify income using IEVS when determining eligibility for TANF.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-103: Implement Internal Controls over TANF Federal Performance Reporting

Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 45 CFR § 265.7(b)
Known Questioned Costs: $0

Benefit Programs does not have adequate internal controls in place to ensure accurate reporting for the Administration for Children and Families (ACF) 199 TANF Data Report (ACF-199) and 209 Separate State Programs-Maintenance-of-Effort (SSP-MOE) Data Report (ACF-209). Social Services submits these reports quarterly and creates them using a fully automated process that extracts data from Social Services' case management system. ACF uses the information in these reports to determine whether the Commonwealth met the minimum work participation requirements for the TANF federal grant program. Benefit Programs uses a third-party service provider (service provider) to produce the ACF-199 and ACF-209 reports and relies solely on the service provider's internal controls during the data extraction and data reporting process.

During our review, we identified the following instances where the service provider did not report key line information accurately based on the information maintained in Social Services' case management system or the supporting data:

• Ten out of 50 (20%) cases included in the "Receives Subsidized Child Care" key line item, four out of 50 (8%) cases included in the "Unsubsidized Employment" key line item, and two out of 50 (4%) cases included in the "Work Participation Status" key line item did not agree to Social Services' case management system.

• Three out of three (100%) of the "Total Number of TANF Families" key line items and three out of three (100%) of the "Total Number of SSP-MOE Families" key line items did not agree to the supporting data.

Title 45 CFR § 265.7(b) requires states to have complete and accurate reports, which means that the reported data accurately reflects information available in case records, are free of computational errors, and are internally consistent. Reporting potentially inaccurate or incomplete information prevents the ACF from adequately monitoring Social Services' work participation rates and the overall performance for the TANF program. In addition, ACF can impose a penalty if it finds Social Services to not be meeting statutorily required work participation rates.

Benefit Programs has not developed its own policies and procedures to identify how it obtains assurance over the accuracy of the data included within the submissions. Benefit Programs also relies on the error correction controls of the ACF, performed after report submission, with no secondary review or data validation processes performed within the agency prior to report submission to determine whether the TANF work participation information reported is accurate. Because of the scope of this matter, we consider it to be a material weakness in internal control.

Benefit Programs should implement policies and procedures over the TANF performance reporting process and include a documented secondary review process. Benefit Programs should confirm completion of this review prior to the report submission to ensure accurate reporting of TANF work participation information to ACF in accordance with the ACF-199 and ACF-209 reporting instructions.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-106: Strengthen Internal Controls over FFATA Reporting

Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19); Adoption Assistance - 93.659; Foster Care Title IV-E - 93.658; Social Services Block Grant - 93.667
Federal Award Number and Year: 2201VATANF; 2201VAADPT; 2201VAFOST; 2201VASOSR - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR Part 170 Appendix A
Known Questioned Costs: $0

Finance is not maintaining proper internal controls over FFATA reporting. FFATA reporting helps to provide full disclosure for how entities and organizations obligate federal funding. During the fiscal year, Social Services disbursed approximately $588 million in federal funds from roughly 5,000 subawards. During our audit of the TANF, Adoption Assistance, Foster Care, and SSBG federal grant programs, we noted the following deviations from Finance's policy:

• Finance did not complete the required FFATA reporting submissions for the TANF and SSBG federal grant programs.

• Finance did not complete FFATA reporting submissions for three of five (60%) of the subawards sampled for the Adoption Assistance federal grant program. For the two reports tested, Finance could not provide documentation supporting entries into the FFATA Subaward Reporting System (FSRS). Additionally, Finance submitted these reports nearly three and one-half months after the due date.

• For the five subawards tested for the Foster Care federal grant program, Social Services was unable to provide documentation supporting entries into the FSRS for all subawards. Additionally, Finance submitted these reports nearly three and one-half months after the due date.

Title 2 CFR Part 170 Appendix A requires the non-federal entity to report each obligating action exceeding $30,000 to the FSRS. Further, 2 CFR Part 170 Appendix A requires the non-federal entity to submit subaward information no later than the end of the month following the month in which it made the obligation. Finally, 2 CFR § 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

Finance did not report this information to FSRS because program personnel did not submit the required information to Finance to report in FSRS. Additionally, Finance was not reviewing Social Services' financial records to ensure program personnel reported all required subaward information. Not uploading obligating actions to FSRS could result in a citizen or federal official having a distorted view as to how Social Services is obligating federal funds.

Finance should remind program personnel to submit required FFATA subaward reporting information as required by its policy. Additionally, Finance should consider periodically checking Social Services' financial records to see if there are instances where program personnel are not submitting the required FFATA subaward reporting information. If so, Finance should collect this information from them promptly to comply with the FFATA reporting requirements.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-013: Review Non-Locality Subrecipient Single Audit Reports

Applicable to: Department of Social Services
Prior Year Finding Number: 2021-072; 2020-075; 2019-091; 2018-092
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)(3) and (f)
Known Questioned Costs: $0

Compliance continues to not review non-locality subrecipient Single Audit reports as established within its Agency Monitoring Plan. Non-locality subrecipients are subrecipients that are not local governments; they are mainly non-profit organizations. During fiscal year 2022, Social Services disbursed approximately $80 million in federal funds to roughly 200 non-locality subrecipients. While reviewing the audit reports for the 27 non-locality subrecipients that received more than $750,000 in federal funds from Social Services, we noted the following:

• Five non-locality subrecipients (19%) did not have a current Single Audit report available in the Federal Audit Clearinghouse (Clearinghouse). Fiscal year 2022 federal disbursements to these non-locality subrecipients totaled approximately $6.5 million.

• Two non-locality subrecipients (7%) had audit findings that affected one or more of Social Services' federal grant programs. As a result of the lack of review over non-locality subrecipient Single Audit reports, Social Services did not issue management decision letters within six months of acceptance of the audit reports by the Clearinghouse to collaboratively resolve audit findings related to Social Services' federal programs.

According to 2 CFR § 200.332(f), all pass-through entities must verify that their subrecipients are audited if it is expected that the subrecipient's federal awards expended during the respective fiscal year equaled or exceeded $750,000. Additionally, 2 CFR § 200.332(d)(3) requires pass-through entities to issue management decisions for applicable audit findings within six months of acceptance of the audit report by the Clearinghouse. Without verifying whether non-locality subrecipients received a Single Audit report, Compliance is unable to provide assurance that Social Services met the audit requirements set forth in 2 CFR § 200.332(d)(3) and (f). Additionally, Compliance cannot provide Social Services' Executive Team with assurance that its subrecipient monitoring efforts are adequate without reviewing non-locality Single Audit reports.

Compliance did not review non-locality subrecipient Single Audit reports because it did not dedicate the resources necessary to implement corrective action. In its corrective action plan, Compliance planned to procure a centralized system to support its subrecipient monitoring efforts. However, Compliance was unable to procure a centralized system to support its subrecipient monitoring efforts during the fiscal year, and it did not implement an alternative solution to comply with the requirements in 2 CFR § 200.332(d)(3) and (f).

Compliance should determine what alternative solutions are available, if it is unable to procure a centralized system, and start reviewing non-locality Single Audit reports to comply with the federal regulations in 2 CFR § 200.332(d)(3) and (f).

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-014: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan Applicable to: Department of Social Services Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19) Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022 Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR ? 200.332(d) Known Questioned Costs: $0 Benefit Programs does not oversee subrecipient monitoring activities to ensure monitoring activities are conducted in accordance with its monitoring plan. During the fiscal year, Benefit Programs disbursed approximately $312 million in subaward payments from the Supplemental Nutrition Assistance Program (SNAP) and Medicaid Clusters and the LIHEAP and TANF federal grant programs. During the audit, we noted the following deviations from Benefit Program's monitoring plan: ? Benefit Programs created a monitoring plan to comply with Social Services' Agency Monitoring Plan. Regional consultants, who perform subrecipient monitoring activities, created their own subrecipient monitoring schedules that were not consistent with Benefit Program's monitoring schedule. ? Benefit Programs did not confirm that fiscal year 2022 monitoring review records uploaded to its data repository were complete. Some of the missing records included the agency notification letter, case selection sample, and subrecipient monitoring checklist. ? At the beginning of audit fieldwork, the data repository did not contain all subrecipient monitoring reviews performed during the fiscal year. 
The Subrecipient Monitoring Coordinator subsequently obtained and uploaded the remaining subrecipient monitoring reviews to Benefit Programs' data repository. The data repository only included the following subrecipient monitoring reviews at the time of the audit: o 12 of 25 (48%) reviews performed for the LIHEAP federal grant program; o 22 of 73 (30%) reviews performed for the SNAP Cluster; o 13 of 62 (21%) reviews performed for the Medicaid Cluster; and nine of 62 (15%) reviews performed for the TANF federal grant program. Benefit Programs only completed 25 of the 67 (37%) scheduled reviews for the LIHEAP federal grant program. Benefit Programs did not identify these issues because its monitoring plan did not clearly delineate who was responsible for overseeing subrecipient monitoring activities. As a result, no one in Benefit Programs was overseeing subrecipient monitoring activities. Title 2 CFR ? 200.332(d) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the pass-through entity uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conduct monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with 2 CFR ? 200.332(d). In March 2022, Benefit Programs created a Subrecipient Monitoring Coordinator position to oversee its monitoring activities. The Subrecipient Monitoring Coordinator is working with Benefit Program?s Associate Director for Operations and Support to confirm that Benefit Programs? monitoring plan meets federal requirements. Benefit Programs should continue its efforts to confirm that it conducts monitoring activities in accordance with its monitoring plan. 
Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-015: Verify that Monitoring Plan Includes All Subrecipient Programmatic Activities Applicable to: Department of Social Services Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19) Federal Award Number and Year: 2201VATANF - 2022 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR ? 200.332(b)(d) Known Questioned Costs: $0 Benefit Programs' monitoring plan does not include all subrecipient programmatic activities for the TANF federal grant program. Benefit Programs' primary programmatic activity for the TANF federal grant program is eligibility determination functions performed by local agencies. However, Benefit Programs also awards various competitive grants to local governments and non-profit organizations to help TANF recipients become self-sufficient. Benefit Programs did not include these programmatic activities in its monitoring plan. During the fiscal year, Benefit Programs disbursed approximately $47 million in TANF competitive grants to roughly 160 organizations. Title 2 CFR ? 200.332(b) requires all pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Additionally, 2 CFR ? 200.332(d) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the pass-through entity uses the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward; and achieves subaward performance goals. 
When Benefit Programs developed its monitoring plan, it only focused on eligibility functions performed by local agencies but did not consider other programmatic activities for the TANF federal grant program. Without including the other programmatic activities in the monitoring plan, Benefit Programs cannot provide assurance that subrecipients used TANF federal grant funds for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Benefit Programs should update its monitoring plan to include all subrecipient programmatic activities for the TANF federal grant program and ensure each subrecipient is subject to the appropriate risk assessment procedures. Additionally, Benefit Programs should review its awards data for the federal grant programs under its purview to determine if it should include any other subrecipient programmatic activities in its monitoring plan. Benefit Programs' monitoring coordinators should then review the division's monitoring efforts to ensure program consultants conduct them in accordance with the risk assessment. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-016: Evaluate Subrecipients' Risk of Noncompliance in Accordance with Federal Regulations Applicable to: Department of Social Services Prior Year Finding Number: 2021-071 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19) Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022 Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR ? 200.332(b) Known Questioned Costs: $0 Benefit Programs continues to not evaluate subrecipients' risk of noncompliance with federal regulations related to the administration of the SNAP and Medicaid Clusters and the TANF and LIHEAP federal grant programs. Benefit Programs develops its subrecipient monitoring approach using the size of the subrecipient; however, it does not perform any further risk assessment procedures to determine the monitoring approach. Social Services disbursed approximately $312 million to subrecipients from these federal programs during the fiscal year. Title 2 CFR ? 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Further, 2 CFR ? 200.332(b) suggests that pass-through entities should consider the results of previous audits, subrecipient's prior experience with the same or similar subawards, and whether the subrecipient has new personnel or new or substantially changed systems. Benefit Programs developed a corrective action plan to perform risk assessment procedures to comply with 2 CFR ? 
200.332(b); however, Benefit Programs was unable to implement corrective action due to staff turnover. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipient as necessary to ensure that the pass-through entity used the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Benefit Programs should continue its corrective action efforts to implement a risk assessment process for subrecipients that is consistent with federal regulations and ensure that its monitoring efforts are consistent with the results of its risk assessment. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-017: Comply with TANF Requirement to Participate in the Income Eligibility and Verification System
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-068; 2020-077; 2019-088; 2018-087
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 45 CFR § 264.10
Known Questioned Costs: $0

Social Services continues to work on implementing a process to comply with the Income Eligibility and Verification System (IEVS) requirement for the TANF federal grant program. In August 2020, Social Services completed and implemented the design for the new IEVS process to provide a defined process for working the IEVS matches. However, due to Internal Revenue Service (IRS) security requirements, Local Departments of Social Services (local agency) staff are unable to use IEVS.

Title 45 CFR § 264.10 requires states to meet the requirements of IEVS and request the following information: (1) IRS unearned income; (2) State Wage Information Collections Agency (SWICA) employer quarterly reports of income and unemployment insurance benefit payments; (3) IRS earned income maintained by the Social Security Administration; and (4) immigration status information maintained by the Immigration and Naturalization Service. IEVS requires local agency employees to have background investigations, including Federal Bureau of Investigation (FBI) fingerprinting for employees who can access IEVS, as it contains federal tax information. IRS Publication 1075, Section 2.C.3 Background Investigation Minimum Requirements, states background investigations for any individual granted access to federal tax information must include, at a minimum, FBI fingerprinting; a check of where the subject has lived, worked, and/or attended school within the last five years; and validation of citizenship/residency to ensure the individual is legally eligible to work in the United States.

Virginia law does not require local agency employees to successfully pass a fingerprint background check; therefore, local agencies continue to determine eligibility for TANF participants by verifying income and other information using various state databases that do not contain data from the IRS. Social Services drafted a legislative proposal for a fingerprint background check requirement for local agency employees and presented the proposal to the Secretary of Health and Human Resources for consideration during the 2022 General Assembly session. However, the Secretary of Health and Human Resources did not approve this proposal to move forward to the General Assembly.

By not using IEVS when verifying income for TANF participants, Social Services cannot verify that participants in the TANF program have met all eligibility requirements. As a result, per 45 CFR § 264.11, the Commonwealth could incur a two-percent reduction of the adjusted State Family Assistance Grant payable for the immediately succeeding fiscal year, unless the state demonstrates that it had reasonable cause or achieved compliance under a corrective compliance plan. Social Services will not fully comply with the IEVS federal requirement until the Secretary of Health and Human Resources approves the legislative proposal to move forward to the General Assembly.

Social Services should continue to work with the Secretary of Health and Human Resources to propose legislation to the General Assembly to require local agency employees to successfully pass a fingerprint background check. If the General Assembly passes legislation, Social Services should then implement a policy and procedure requiring background checks of local agency employees who access IEVS and ensure the local agencies processing TANF applications properly verify income using IEVS when determining eligibility for TANF.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-103: Implement Internal Controls over TANF Federal Performance Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 45 CFR § 265.7(b)
Known Questioned Costs: $0

Benefit Programs does not have adequate internal controls in place to ensure accurate reporting for the Administration for Children and Families (ACF) 199 TANF Data Report (ACF-199) and 209 Separate State Programs-Maintenance-of-Effort (SSP-MOE) Data Report (ACF-209). Social Services submits these reports quarterly and creates them using a fully automated process that extracts data from Social Services' case management system. ACF uses the information in these reports to determine whether the Commonwealth met the minimum work participation requirements for the TANF federal grant program. Benefit Programs uses a third-party service provider (service provider) to produce the ACF-199 and ACF-209 reports and relies solely on the service provider's internal controls during the data extraction and data reporting process.

During our review, we identified the following instances where the service provider did not report key line information accurately based on the information maintained in Social Services' case management system or the supporting data:

• Ten out of 50 (20%) cases included in the "Receives Subsidized Child Care" key line, four out of 50 (8%) cases included in the "Unsubsidized Employment" key line item, and two out of 50 (4%) cases included in the "Work Participation Status" key line item did not agree to Social Services' case management system.
• Three out of three (100%) of the "Total Number of TANF Families" key line item and three out of three (100%) of the "Total Number of SSP-MOE Families" key line items did not agree to the supporting data.

Title 45 CFR § 265.7(b) requires states to have complete and accurate reports, which means that the reported data accurately reflects information available in case records, are free of computational errors, and are internally consistent. Reporting potentially inaccurate or incomplete information prevents the ACF from adequately monitoring Social Services' work participation rates and the overall performance for the TANF program. In addition, ACF can impose a penalty if it finds Social Services to not be meeting statutory required work participation rates.

Benefit Programs has not developed its own policies and procedures to identify how it obtains assurance over the accuracy of the data included within the submissions. Benefit Programs also relies on the error correction controls of the ACF, performed after report submission, with no secondary review or data validation processes performed within the agency prior to report submission to determine whether the TANF work participation information reported is accurate. Because of the scope of this matter, we consider it to be a material weakness in internal control.

Benefit Programs should implement policies and procedures over the TANF performance reporting process and include a documented secondary review process. Benefit Programs should confirm completion of this review prior to the report submission to ensure accurate reporting of TANF work participation information to ACF in accordance with the ACF-199 and ACF-209 reporting instructions.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-106: Strengthen Internal Controls over FFATA Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19); Adoption Assistance - 93.659; Foster Care Title IV-E - 93.658; Social Services Block Grant - 93.667
Federal Award Number and Year: 2201VATANF; 2201VAADPT; 2201VAFOST; 2201VASOSR - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR Part 170 Appendix A
Known Questioned Costs: $0

Finance is not maintaining proper internal controls over FFATA reporting. FFATA reporting helps to provide full disclosure for how entities and organizations obligate federal funding. During the fiscal year, Social Services disbursed approximately $588 million in federal funds from roughly 5,000 subawards. During our audit of the TANF, Adoption Assistance, Foster Care, and SSBG federal grant programs, we noted the following deviations from Finance's policy:

• Finance did not complete the required FFATA reporting submissions for the TANF and SSBG federal grant programs.
• Finance did not complete FFATA reporting submissions for three of five (60%) of the subawards sampled for the Adoption Assistance federal grant program. For the two reports tested, Finance could not provide documentation supporting entries into the FFATA Subaward Reporting System (FSRS). Additionally, Finance submitted these reports nearly three and one-half months after the due date.
• For the five subawards tested for the Foster Care federal grant program, Social Services was unable to provide documentation supporting entries into the FSRS for all subawards. Additionally, Finance submitted these reports nearly three and one-half months after the due date.

Title 2 CFR Part 170 Appendix A requires the non-federal entity to report each obligating action exceeding $30,000 to the FSRS. Further, 2 CFR Part 170 Appendix A requires the non-federal entity to submit subaward information no later than the end of the month following the month in which it made the obligation. Finally, 2 CFR § 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

Finance did not report this information to FSRS because program personnel did not submit the required information to Finance to report in FSRS. Additionally, Finance was not reviewing Social Services' financial records to ensure program personnel reported all required subaward information. Not uploading obligating actions to FSRS could result in a citizen or federal official having a distorted view as to how Social Services is obligating federal funds.

Finance should remind program personnel to submit required FFATA subaward reporting information as required by its policy. Additionally, Finance should consider periodically checking Social Services' financial records to see if there are instances where program personnel are not submitting the required FFATA subaward reporting information. If so, Finance should collect this information from them promptly to comply with the FFATA reporting requirements.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-104: Perform Analysis to Identify Service Provider Agencies That Perform Significant Fiscal Processes
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Social Services Block Grant - 93.667
Federal Award Number and Year: 2201VASOSR - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Social Services is not performing a comprehensive analysis of service provider agencies during its Agency Risk Management and Internal Control Standards (ARMICS) review to determine if they perform significant fiscal processes. Significant fiscal processes include, but are not limited to, programs or activities that have a high degree of public visibility, represent areas of concern and high risk to mission-critical business processes for agency managers and stakeholders, or have a significant effect on general ledger account balances. Social Services transferred $90 million to other state agencies or institutions from various federal grant programs during the fiscal year to administer certain grants management functions on its behalf.

CAPP Manual Topic 10305 states an agency (primary agency) may use another agency (service provider agency) to perform significant fiscal processes for the primary agency. ARMICS states that decisions about significance should consider not only quantitative, but also qualitative factors, and managers should define any fiscal process as significant if errors or misstatements in the process could have adverse consequences for legal or regulatory obligations. Further, CAPP Manual Topic 10305 states that if a primary agency identifies a service provider agency that performs significant fiscal processes, the primary agency must have adequate interaction with the service provider agency to gain an appropriate understanding of the service provider agency's control environment and obtain assurances from the service provider agency regarding the state of internal control applicable to the significant fiscal processes performed. Finally, 2 CFR § 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

During its analysis of service provider agencies, Social Services only considered service provider agencies that have a significant effect on general ledger account balances and not those that have a high degree of public visibility or represent areas of concern or high risk to mission-critical business processes. Without performing a comprehensive analysis of service provider agencies during its ARMICS review, Social Services cannot assure itself that it has obtained adequate coverage over service provider agency operations that are quantitatively or qualitatively significant to its operations.

Social Services should identify all service provider agencies and determine which of them provide significant fiscal processes. Thereafter, Social Services should perform a comprehensive analysis to determine if it has an appropriate understanding of the service provider agency's control environment and obtain assurance from the service provider agency regarding the state of internal control applicable to the significant fiscal processes performed.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-105: Document Process to Collect and Retain Documentation Supporting the SSBG Post-Expenditure Report
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Social Services Block Grant - 93.667
Federal Award Number and Year: 2201VASOSR - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Finance does not have a documented process in place to collect and retain documentation supporting the number of eligible individuals who received services paid for in part or in whole with federal funds under the Social Services Block Grant (SSBG), which it reported in its federal fiscal year 2021 SSBG Post-Expenditure Report submission to the ACF in March 2022. ACF requires that states submit an annual Post-Expenditure Report that describes how the state expended SSBG funds for the past year. ACF's Office of Community Services analyzes SSBG expenditure and recipient data reported through the Post-Expenditure Reports to develop the SSBG Annual Report and performance measures for the SSBG program.

Title 45 CFR § 96.74 requires states to report actual numbers of recipients and actual expenditures when this information is available. Additionally, 2 CFR § 200.303(a) requires pass-through entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

Finance has a consistent process for obtaining and retaining supporting documentation for financial data reported to the federal government but has not yet documented a process for collecting and retaining performance data showing the number of eligible individuals who received services from SSBG. Without documenting its process and retaining supporting documentation, Finance cannot provide assurance that the data included in the SSBG Post-Expenditure Report is accurate.

Finance should document a process to collect and retain all supporting documentation used to complete the SSBG Post-Expenditure Report submitted to ACF to provide assurance that the data included within the Report is accurate.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-011: Perform Responsibilities Outlined in the Agency Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-070; 2020-074; 2019-090; 2018-093
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.303(a)
Known Questioned Costs: $0

The Department of Social Services' (Social Services) Compliance Division (Compliance) continues to not adhere to its established approach to oversee the agency's subrecipient monitoring activities, as outlined in its Agency Monitoring Plan. During fiscal year 2022, Social Services disbursed approximately $588 million in federal funds from roughly 5,000 subawards. According to Social Services' Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps to ensure adherence to state and federal legal and regulatory standards, including subrecipient monitoring. During the audit, we noted the following deviations from the Agency Monitoring Plan:

• Compliance has not finalized the Agency Monitoring Plan and, as a result, has not communicated it to Subrecipient Monitoring Coordinators within each division of Social Services. Because of the lack of communication, there were deviations from the Agency Monitoring Plan at the division level. For example, the Agency Monitoring Plan requires each division to monitor subrecipients once every three years. However, the Local Review Team and Child Care Subsidy Program Monitoring Plans did not consider this requirement because the Subrecipient Monitoring Coordinators were unaware of this requirement. We communicated this matter to Social Services through the audit finding titled "Finalize the Agency Monitoring Plan and Communicate Responsibilities to Subrecipient Monitoring Coordinators," which we have included as a separate audit finding in this report.
• Compliance continues to not review division monitoring plans to ensure the divisions implemented a risk-based approach for monitoring subrecipients. The Agency Monitoring Plan states that Compliance will use a monitoring plan checklist to evaluate and determine if all the required elements for subrecipient monitoring are present in each division's plan. As a result of the lack of review, the Division of Benefit Programs' (Benefit Programs) monitoring plan continues to not meet all the requirements outlined in the Agency Monitoring Plan because it does not include a risk-based approach for subrecipient monitoring and does not consider all subrecipients who receive funding from the Temporary Assistance for Needy Families (TANF) federal grant program. We communicated these matters to Social Services through the audit findings titled "Verify that Monitoring Plan Includes All Subrecipient Programmatic Activities" and "Evaluate Subrecipients' Risk of Noncompliance in Accordance with Federal Regulations," which we have included as separate audit findings in this report.
• Compliance continues to not conduct an analysis of subrecipient monitoring review efforts performed by the divisions. As a result, Compliance has not produced quarterly reports of variances and noncompliance to brief Social Services' Executive Team on the agency's subrecipient monitoring activities. Because of the lack of analysis, Compliance was unaware of deviations from the Agency Monitoring Plan occurring at the divisions. For example, Benefit Programs only completed 25 of the 67 (37%) scheduled reviews for the Low-Income Home Energy Assistance Program (LIHEAP) federal grant program. Additionally, Benefit Programs did not upload its monitoring review records to Social Services' data repository timely for management review. As a result, Compliance was unaware that Regional Consultants were deviating from Benefit Programs' monitoring plan. We communicated this matter to Social Services through the audit finding titled "Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan," which we have included as a separate audit finding in this report.

Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot provide Social Services' Executive Team with reasonable assurance that the agency complied with the pass-through entity federal requirements at 2 CFR § 200.332. Title 2 CFR § 200.303(a) requires pass-through entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

Compliance planned to procure a centralized system to strengthen its monitoring activities but has been unsuccessful in its efforts and has not identified alternative approaches for carrying out the responsibilities in the Agency Monitoring Plan and discussed them with Social Services' Executive Team. Because of the scope of this matter, we consider it to be a material weakness in internal control.

Social Services' Executive Team shapes strategies, develops objectives, and collectively resolves issues that are critical to the overall agency performance. Social Services' Executive Team and Compliance should work collaboratively to determine the best approach for carrying out the responsibilities in the Agency Monitoring Plan. Additionally, Social Services' Executive Team and Compliance should hold quarterly meetings to discuss the Agency Monitoring Plan and its activities.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-012: Finalize the Agency Monitoring Plan and Communicate Responsibilities to Subrecipient Monitoring Coordinators
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-069; 2020-076
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0

Compliance has not finalized its Agency Monitoring Plan and communicated responsibilities to Subrecipient Monitoring Coordinators, as recommended during the fiscal year 2020 audit. The oversight of Social Services' subrecipient monitoring processes transitioned from the Division of Community and Volunteer Services (Community and Volunteer Services) to Compliance in fiscal year 2019. Community and Volunteer Services created the Agency Monitoring Plan, and it is now the responsibility of Compliance. However, Compliance has not updated the Agency Monitoring Plan to properly reflect agency operations over subrecipient monitoring. In effect, Compliance continues to not communicate the Agency Monitoring Plan to Subrecipient Monitoring Coordinators within each division of Social Services. During fiscal year 2022, Social Services disbursed approximately $588 million in federal funds from roughly 5,000 subawards.

Title 2 CFR § 200.332(d) requires pass-through entities to monitor the activities of subrecipients as necessary to ensure use of the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward.
Without clearly defining responsibilities and communicating federal requirements, Compliance cannot provide assurance that Social Services adequately monitors all its subrecipients to ensure they are achieving program objectives or complying with federal requirements. Compliance was unable to finalize the monitoring plan and communicate responsibilities to monitoring coordinators because it did not dedicate the resources necessary to implement corrective action. Compliance should allocate resources to finalize the Agency Monitoring Plan to properly address subrecipient monitoring responsibilities. Additionally, Compliance should communicate the Agency Monitoring Plan to Subrecipient Monitoring Coordinators within each division of Social Services. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-014: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0

Benefit Programs does not oversee subrecipient monitoring activities to ensure monitoring activities are conducted in accordance with its monitoring plan. During the fiscal year, Benefit Programs disbursed approximately $312 million in subaward payments from the Supplemental Nutrition Assistance Program (SNAP) and Medicaid Clusters and the LIHEAP and TANF federal grant programs. During the audit, we noted the following deviations from Benefit Programs' monitoring plan:
• Benefit Programs created a monitoring plan to comply with Social Services' Agency Monitoring Plan. Regional consultants, who perform subrecipient monitoring activities, created their own subrecipient monitoring schedules that were not consistent with Benefit Programs' monitoring schedule.
• Benefit Programs did not confirm that fiscal year 2022 monitoring review records uploaded to its data repository were complete. Some of the missing records included the agency notification letter, case selection sample, and subrecipient monitoring checklist.
• At the beginning of audit fieldwork, the data repository did not contain all subrecipient monitoring reviews performed during the fiscal year.
The Subrecipient Monitoring Coordinator subsequently obtained and uploaded the remaining subrecipient monitoring reviews to Benefit Programs' data repository. The data repository only included the following subrecipient monitoring reviews at the time of the audit:
o 12 of 25 (48%) reviews performed for the LIHEAP federal grant program;
o 22 of 73 (30%) reviews performed for the SNAP Cluster;
o 13 of 62 (21%) reviews performed for the Medicaid Cluster; and
o nine of 62 (15%) reviews performed for the TANF federal grant program.
Benefit Programs only completed 25 of the 67 (37%) scheduled reviews for the LIHEAP federal grant program.

Benefit Programs did not identify these issues because its monitoring plan did not clearly delineate who was responsible for overseeing subrecipient monitoring activities. As a result, no one in Benefit Programs was overseeing subrecipient monitoring activities. Title 2 CFR § 200.332(d) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the pass-through entity uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conduct monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with 2 CFR § 200.332(d).

In March 2022, Benefit Programs created a Subrecipient Monitoring Coordinator position to oversee its monitoring activities. The Subrecipient Monitoring Coordinator is working with Benefit Programs' Associate Director for Operations and Support to confirm that Benefit Programs' monitoring plan meets federal requirements. Benefit Programs should continue its efforts to confirm that it conducts monitoring activities in accordance with its monitoring plan.
Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-016: Evaluate Subrecipients' Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0

Benefit Programs continues to not evaluate subrecipients' risk of noncompliance with federal regulations related to the administration of the SNAP and Medicaid Clusters and the TANF and LIHEAP federal grant programs. Benefit Programs develops its subrecipient monitoring approach using the size of the subrecipient; however, it does not perform any further risk assessment procedures to determine the monitoring approach. Social Services disbursed approximately $312 million to subrecipients from these federal programs during the fiscal year.

Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Further, 2 CFR § 200.332(b) suggests that pass-through entities should consider the results of previous audits, the subrecipient's prior experience with the same or similar subawards, and whether the subrecipient has new personnel or new or substantially changed systems.

Benefit Programs developed a corrective action plan to perform risk assessment procedures to comply with 2 CFR § 200.332(b); however, Benefit Programs was unable to implement corrective action due to staff turnover. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipient as necessary to ensure that the pass-through entity used the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Benefit Programs should continue its corrective action efforts to implement a risk assessment process for subrecipients that is consistent with federal regulations and ensure that its monitoring efforts are consistent with the results of its risk assessment.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-018: Continue Strengthening Process over Medicaid Coverage Cancellations
Applicable to: Department of Medical Assistance Services; Department of Social Services
Prior Year Finding Number: 2021-067
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Eligibility - 42 CFR § 433.400(d)
Known Questioned Costs: $0

The Department of Medical Assistance Services (Medical Assistance Services) continues to oversee the review of individuals with an out-of-state address in the Medicaid claims processing module of the Medicaid management system who may no longer be eligible for Medicaid coverage. Based on data from our prior year finding, Medical Assistance Services, with assistance from Social Services, reviewed cases with an out-of-state address and subsequently closed approximately 6,700 cases and recouped $40.1 million in Managed Care Organization (MCO) payments. Medical Assistance Services further reviewed additional cases related to fiscal year 2022, and as of November 2022, Medical Assistance Services had identified an additional 8,500 cases for closure and recouped an additional $43.4 million in MCO payments. These efforts are ongoing, as research is in progress for approximately 4,700 cases; however, Medical Assistance Services anticipates completing the review of these cases by December 2022.

Medicaid eligibility is based on several financial and non-financial requirements. Section 12VAC30-40-10 of the Virginia Administrative Code lays out the general conditions of eligibility that an individual must satisfy to enroll in the Medicaid program. One of the non-financial requirements is that the individual be a state resident.
In Spring 2020, with the onset of the Public Health Emergency (PHE), the federal government modified the program requirements, and based on the Families First Coronavirus Response Act § 6008(b)(3), states cannot cancel Medicaid coverage during the PHE except in the following situations: an individual's death, an individual requests cancellation of coverage, or an individual relocates to another state. To ensure compliance with these requirements, Medical Assistance Services began reviewing coverage cancellation information monthly to ensure cancellations of coverage only occurred for allowable reasons during the PHE. Under the process, Medical Assistance Services reviewed cancellation codes in the eligibility system and reinstated coverage for those cases that did not meet certain cancellation reasons. For this process to be effective, Medical Assistance Services was relying on correct cancellation codes in the eligibility system; however, for the cases identified, the eligibility system produced a generic cancellation code, causing Medical Assistance Services to reinstate the Medicaid coverage although the individual may no longer have been eligible for coverage.

Medical Assistance Services has undertaken significant efforts to address this issue. Medical Assistance Services staff, along with Social Services and other contracted staff, have performed detailed eligibility reviews of over 17,000 individual cases. In addition to these reviews, Medical Assistance Services has worked with Social Services to ensure it correctly records future coverage cancellations related to relocations to another state in the eligibility system. As of June 2022, Social Services programmed the eligibility system to return a specific cancellation code for relocating out of Virginia instead of a generic cancellation code.
While this system change should reduce the number of cases that Medical Assistance Services reinstates when an individual has moved out of state, Medical Assistance Services has also implemented a new quarterly review process to identify individuals who may have relocated out of state and may no longer be eligible for Medicaid coverage. We encourage Medical Assistance Services, along with Social Services, to continue with these efforts to ensure only eligible individuals are receiving Medicaid benefits. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-022: Improve Information Security Program and IT Governance
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Information Security Roles and Responsibilities
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services has an insufficient governance structure to manage and maintain its information security program in accordance with the Commonwealth's Information Security Standard, SEC 501 (Security Standard). Specifically, Social Services does not assess information security requirements for its information technology (IT) projects and prioritize information security and IT resources to ensure its information security program effectively protects sensitive Commonwealth data in accordance with the Security Standard. Social Services uses numerous IT systems to carry out its mission and provide essential services to the public. The Security Standard, Section 2.4.2, requires the agency head to maintain an information security program that is sufficient to protect the agency's IT systems and to ensure the information security program is documented and effectively communicated.

We communicated the internal control weaknesses to management in a separate document marked Freedom of Information Act (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to its sensitivity and description of security controls. The internal control weaknesses described in the communication marked FOIAE are the result of Social Services not assessing information security requirements prior to project implementation or prioritizing information security within the IT environment.
Not prioritizing IT resources to properly manage its information security program can result in a data breach or unauthorized access to confidential and mission critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external. Additionally, not dedicating the necessary IT resources to information security has hindered Social Services' ability to remediate findings from management recommendations issued throughout prior audits consistently and timely and bring the information security program in compliance with the Security Standard. Because of the scope of this matter, we consider it to be a material weakness in internal control. Social Services should evaluate the most efficient and effective method to bring its IT and security program into compliance with the Security Standard. Social Services should also evaluate its IT resource levels to ensure sufficient resources are available and dedicated to prioritizing and implementing IT governance changes and address the internal control deficiencies discussed in the communication marked FOIAE. Implementing these recommendations will help to ensure Social Services protects the confidentiality, integrity, and availability of its sensitive and mission critical data. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-024: Improve Information Security Program and Controls
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2021-024; 2020-024
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Access Control; Awareness and Training; Incident Response; Information Security Roles and Responsibilities; Personnel Security; Planning; Risk Assessment; Security Assessment and Authorization; System and Services Acquisition
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services continues to address weaknesses found during an audit of IT general controls. The audit performed by an external consultant during the period April 1, 2019, through March 31, 2020, resulted in 71 individual control weaknesses out of 100 controls tested, which the consultant grouped in ten findings. As of the end of fiscal year 2022, Medical Assistance Services resolved one of the ten findings and continues to make progress with nine remaining findings, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

Noncompliance with the required security controls increases the risk of unauthorized access to mission-critical systems and data, in addition to weakening the agency's ability to respond to malicious attacks on its IT environment. Medical Assistance Services has experienced delays in addressing these findings due to staffing turnover and shortages as well as organizational changes that affected some of its processes.
Medical Assistance Services updated its corrective action plan in June 2022, stating corrective actions are still ongoing for all nine findings and estimates it will complete corrective action for eight of the findings by the end of calendar year 2022 and the last finding by June 2023. Medical Assistance Services should continue to dedicate the necessary resources to ensure timely completion of its corrective action plans and to comply with the Security Standard. These actions will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-029: Improve Web Application Security
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-025; 2020-026; 2019-037
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability; Configuration Management; Risk Assessment; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to not configure a sensitive web application in accordance with the Security Standard. Since the prior audit, Social Services has not remediated any of the previously identified weaknesses. We communicated the weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

The Security Standard requires implementing certain internal controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Social Services cannot ensure adequate protection of its sensitive and mission-critical data without configuring its sensitive web application in accordance with the Security Standard. Lacking or insufficient procedures and processes to manage the web application contributed to the five weaknesses outlined in the separate FOIAE document. Social Services' prioritization of other projects also contributed to the weaknesses persisting.

Social Services should dedicate the necessary resources to remediate the weaknesses discussed in the communication marked FOIAE in accordance with the requirements in the Security Standard.
Implementing required controls will help to ensure Social Services secures the web application to protect its sensitive and mission-critical data. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-030: Continue Improving IT Risk Management Program
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-026; 2020-027; 2019-063; 2018-025
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Contingency Planning; Planning; Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to not have a formal and effective IT risk management program that aligns with the requirements in the Security Standard. Since we first issued this finding during the fiscal year 2018 audit, Social Services remediated some risk management and contingency planning issues. However, Social Services continues to not:
• accurately verify and validate data and system sensitivity ratings;
• create risk assessments for 50 percent of its sensitive systems;
• create system security plans for 52 percent of its sensitive systems;
• perform annual reviews for 99 percent of its existing risk assessment documentation;
• perform annual reviews for 74 percent of its existing system security plan documentation; and
• implement corrective actions identified in risk assessments.

We communicated the details of these weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Due to the magnitude of the project, Social Services has not yet remediated all the weaknesses.
Additionally, the requirements documented in the policy and the process documented in the procedure do not align, which contributed to Social Services not consistently completing risk management documentation due to conflicting roles and responsibilities. Without implementing a formal and effective IT risk management program, Social Services cannot assure itself that it is reducing unnecessary risk to the confidentiality, integrity, and availability to its information systems and data. Social Services should prioritize and dedicate the necessary resources to remediate the weaknesses discussed in the communication marked FOIAE in accordance with the requirements in the Security Standard. Completing its corrective action plan will help to ensure the confidentiality, integrity, and availability of the agency's sensitive systems and mission-essential functions. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-052: Continue Improving IT Change and Configuration Management Process
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-049; 2020-044; 2019-038
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Configuration Management
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to improve its IT change and configuration management process to align with the Security Standard. Change management is a key control to evaluate, approve, and verify configuration changes to security components. Two weaknesses remain since our last review, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

Social Services' Change Management Process Guide details the process Social Services follows to manage changes but does not include all the required elements, which contributed to the weaknesses remaining. Additionally, the change request form does not have the necessary fields to document the required elements. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Without doing so, Social Services cannot assure itself that it is reducing unnecessary risk to the confidentiality, integrity, and availability of its information systems and data.

Social Services should resolve the remaining two weaknesses discussed in the communication marked FOIAE in accordance with the Security Standard.
Continuing to improve Social Services' IT change and configuration management process will decrease the risk of unauthorized modifications to sensitive systems and help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-057: Improve Timely Removal of Critical System Access
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2021-037; 2020-049; 2019-024; 2018-040; 2017-016
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Personnel Security
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services did not remove access to the claims processing module or the eligibility system timely for individuals who separated from the agency and no longer needed access. For one out of eight (12.5%) users, Medical Assistance Services did not disable system access in the claims processing module within 24 hours of separation. The user retained their system access for 11 days after separation. For three out of 25 (12%) users, Medical Assistance Services did not disable system access in the eligibility system within 24 hours of separation. These three users were contract employees and retained their access to the system between 104 and 123 days after separation.

Medical Assistance Services' Access Control Policy requires that "all user accounts must be disabled immediately upon separation or within 24 hours upon receipt by the Office of Compliance and Security" (Compliance and Security). Failing to disable access timely for web-based mission-critical systems threatens the data integrity of the systems. If separated users retain access to the claims processing module or the eligibility system, users are potentially able to view, copy, and edit sensitive information. There are several factors contributing to this issue.
First, Medical Assistance Services' internal policy is not in compliance with the Security Standard. The Security Standard requires agencies disable access within 24 hours of separation, not within 24 hours of receipt of notification. Additionally, supervisors are not communicating information on separated employees timely. A separating employee's supervisor must initiate an exit clearance workflow for the system to automatically notify Compliance and Security for removal of system access. For the user of the claims processing module, the supervisor requested access termination more than 24 hours after the employee's separation. Finally, for the three users of the eligibility system, Compliance and Security received the access termination request timely but did not terminate access for more than 24 hours after receipt. In June 2022, Medical Assistance Services implemented several organizational changes, including dissolving Compliance and Security. The responsibility for system access management moved to the division responsible for the system and its applicable business function. Medical Assistance Services is currently updating its internal Access Control policy to ensure it is consistent with the Security Standard and organizational updates. Medical Assistance Services expects to complete the policy and process updates in December 2022. Medical Assistance Services should also train and educate supervisors on the importance of timely notification of separated employees. Finally, Medical Assistance Services should ensure compliance with the Security Standard by removing user access as required. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-059: Monitor Internal Controls to Ensure Timely Removal of System Access
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-038; 2021-027; 2020-025; 2019-027; 2018-042
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Personnel Security
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services did not comply with the Security Standard requirements for removing system access for separated employees. For 13 of the 26 (50%) separations tested from fiscal year 2022, Social Services did not remove system access within 24 hours following each employee's separation date. Untimely removal of access ranged between two and 290 days after each employee's separation date.

Section PS-4 of the Security Standard requires an organization to disable information system access within 24 hours of employment termination. To comply with the Security Standard, Social Services created a policy in Section 2.9 of its State/Local Security Officers Procedures Manual (Manual) that requires supervisors to complete the State Employee Separation and Transfer Checklist (Separation Checklist) at least 48 hours in advance of the employee's separation and submit it to the Division Security Officer. The Division Security Officer must then remove the separated employee from Social Services' access management system, which controls access to its internal systems, within 24 hours following the employee's separation date. Upon completion, the Division Security Officer is responsible for submitting the Separation Checklist to other divisions, such as the Division of Human Resources (Human Resources) and the Central Security Office (Central Security), to make them aware of the separation.

Social Services does not appear to monitor compliance with internal policies surrounding access removal for separated employees. Of the 13 employees with access removed more than 24 hours after their separation dates:
• We noted four instances where Social Services was unable to provide the Separation Checklist. As a result, Social Services was unable to demonstrate compliance with its internal policies surrounding access removal for separated employees.
• Of the remaining nine employees with completed Separation Checklists, we noted nine instances of untimely or inaccurate supervisor sign-offs. Specifically, there were seven instances where the supervisor did not submit the Separation Checklist to the Division Security Officer at least 48 hours in advance of the employee's date of separation and two instances where the supervisor did not properly sign off and date the Separation Checklist.

Social Services administers numerous public assistance programs that collect personally identifiable information and other protected information from beneficiaries. Social Services places its data and reputation at risk by not removing access timely. Additionally, Social Services could incur a potential financial liability should its information become compromised. The Security Standard states that the Agency Head is responsible for security of the agency's IT systems and data.

Since Human Resources, Central Security, and the Division Security Officers share ownership of the employee separation and access removal processes, Social Services' Executive Team should identify which division in the agency should be responsible for monitoring compliance with internal policies surrounding access removal for separated employees. Social Services' Executive Team should periodically review the monitoring results and take enforcement actions, as necessary, if the agency is not compliant.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.

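Findings 2022-057 and 2022-059 both turn on one measurable control: the lag between an employee's separation date and the disabling of their accounts (24 hours under Security Standard PS-4), plus, at Social Services, whether the Separation Checklist reached the Division Security Officer 48 hours ahead. The script below is an added example, not the agencies' or the auditor's own tooling; it reconciles a constructed HR separation extract against account-disable timestamps and produces the kind of summary (count, percentage, range of days) these findings report.

```python
"""Reconcile HR separation records against account-disable timestamps.

Added example (not the agencies' or the auditor's own tooling). It applies
the two rules described in the findings: accounts must be disabled within
24 hours of separation (Security Standard PS-4), and the Separation
Checklist must reach the Division Security Officer at least 48 hours before
the separation date (Manual Section 2.9). All records below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

DISABLE_DEADLINE = timedelta(hours=24)   # PS-4: disable within 24h of separation
CHECKLIST_LEAD = timedelta(hours=48)     # Manual 2.9: checklist 48h in advance


@dataclass(frozen=True)
class Separation:
    user: str
    separated_at: datetime
    disabled_at: Optional[datetime]               # None: account still enabled
    checklist_submitted_at: Optional[datetime]    # None: checklist not produced


@dataclass
class Result:
    user: str
    timely: bool
    days_after_separation: int   # days access remained (to disable date, or to `now`)
    still_enabled: bool
    checklist_issues: List[str] = field(default_factory=list)


def evaluate(sep: Separation, now: datetime) -> Result:
    """Apply the 24-hour disable rule and the 48-hour checklist rule to one record."""
    end = sep.disabled_at if sep.disabled_at is not None else now
    elapsed = end - sep.separated_at
    timely = sep.disabled_at is not None and elapsed <= DISABLE_DEADLINE

    issues: List[str] = []
    if sep.checklist_submitted_at is None:
        issues.append("checklist missing")
    elif sep.separated_at - sep.checklist_submitted_at < CHECKLIST_LEAD:
        issues.append("checklist submitted less than 48h before separation")

    return Result(sep.user, timely, elapsed.days, sep.disabled_at is None, issues)


def summarize(seps: List[Separation], now: datetime) -> Dict[str, object]:
    """Roll the results up into the figures an auditor would report."""
    results = [evaluate(s, now) for s in seps]
    late = [r for r in results if not r.timely]
    days = [r.days_after_separation for r in late]
    return {
        "tested": len(results),
        "untimely": len(late),
        "untimely_pct": round(100 * len(late) / len(results)) if results else 0,
        "days_late_range": (min(days), max(days)) if days else None,
        "still_enabled": [r.user for r in results if r.still_enabled],
        "checklist_issues": {r.user: r.checklist_issues for r in results if r.checklist_issues},
    }


# Constructed sample: an HR extract joined to access-management disable events.
AS_OF = datetime(2022, 6, 30, 17, 0)   # end of the fiscal year under test
SAMPLE_SEPARATIONS = [
    # disabled 11 days after separation; checklist submitted in time
    Separation("u1", datetime(2022, 3, 1, 17), datetime(2022, 3, 12, 17), datetime(2022, 2, 26, 9)),
    # disabled within 16 hours, but the checklist reached the DSO only 29h ahead
    Separation("u2", datetime(2022, 3, 1, 17), datetime(2022, 3, 2, 9), datetime(2022, 2, 28, 12)),
    # never disabled and no checklist on file: 290 days open as of AS_OF
    Separation("u3", datetime(2021, 9, 13, 17), None, None),
    # disabled exactly at the 24-hour limit; compliant
    Separation("u4", datetime(2022, 5, 10, 17), datetime(2022, 5, 11, 17), datetime(2022, 5, 6, 9)),
]

if __name__ == "__main__":
    for sep in SAMPLE_SEPARATIONS:
        print(evaluate(sep, AS_OF))
    print(summarize(SAMPLE_SEPARATIONS, AS_OF))
```

An account that is still enabled is measured to the as-of date, so it surfaces as the longest exposure rather than disappearing from the sample.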
2022-060: Upgrade End-of-Life Technology
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services uses end-of-life technologies in its IT environment and maintains technologies that support mission-essential data on IT systems that its vendors no longer support. We communicated internal control weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

The Security Standard prohibits using software that is end-of-life and which the vendor no longer supports, to reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Social Services does not assign an individual or team with the responsibility to track end-of-life software dates and does not have a formal process to ensure that it upgrades software versions prior to the end-of-life date, which caused the end-of-life software to remain in the environment.

Social Services' use of the end-of-life software increases the risk that known vulnerabilities will persist in the system without the potential for patching or mitigation. These unpatched vulnerabilities increase the risk of successful cyberattack, exploit, and data breach by malicious parties. Further, vendors do not offer operational and technical support for end-of-life or end-of-support technology, which affects data availability by increasing the difficulty of restoring system functionality if a technical failure occurs.

Social Services should dedicate the necessary resources to evaluate and implement the internal controls and recommendations discussed in the communication marked FOIAE in accordance with the Security Standard. Minimizing the use of end-of-life software will help to ensure that Social Services secures its IT environment and systems to protect its sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.

2022-064: Continue Developing Record Retention Requirements and Processes for Electronic Records
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-047; 2020-041; 2019-049; 2018-054
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Contingency Planning
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to operate without an adequate data retention process for its case management system. Social Services' case management system authorized over $10 billion in benefit payments from various public assistance programs to beneficiaries during fiscal year 2022. We communicated this weakness to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

Since fiscal year 2019, Social Services gathered retention requirements from the business divisions. During the fiscal year, Social Services finalized and documented policies with retention requirements. However, Social Services has not developed, documented, and implemented a policy, procedure, and process to operationalize the record retention requirements needed.

Federal regulations require different record retention requirements for different federal programs. Additionally, the Virginia Public Records Act (§ 42.1-91 of the Code of Virginia) requires each agency to be responsible for ensuring that it preserves, maintains, and makes accessible public-facing records throughout their lifecycle, including converting and migrating electronic records as often as necessary so that information is not lost due to hardware, software, or media obsolescence or deterioration. Further, the Security Standard, Section CP-9-COV, requires the agency to implement backup and restoration plans for every IT system identified as sensitive relative to availability that address the retention of the data in accordance with the records retention policy.

Without developing, documenting, and implementing a policy, procedure, and process to operationalize record retention requirements, Social Services increases data risk and increases potential exposure to fines, penalties, or other legal consequences. Additionally, Social Services may cause the Commonwealth to spend additional resources to maintain, back up, and protect the information.

Social Services should develop and implement a records retention policy and procedure that defines its requirements and processes to ensure that consistent record retention processes can be operationalized across business divisions to ensure compliance with laws and regulations.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.

2022-066: Conduct Audits of Agency Sensitive Systems Timely
Applicable to: Virginia Information Technologies Agency
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

VITA's Centralized IT Security Audit Service (Audit Services) conducts IT security audits for contracted agencies. The Commonwealth's Information Technology Security Audit Standard, SEC 502 (Security Audit Standard), Section 2.1, requires agencies to complete security audits for each sensitive system every three years from the last audit completion date. Based on our review of audit completion dates provided by Audit Services, we determined the following:
• During fiscal year 2022, Audit Services completed four of six agency IT security audits after the three-year audit deadline.
• As of June 30, 2022, Audit Services is currently engaged in, or has not started, ten agency IT security audits that are past the three-year audit requirement.

When an agency contracts with Audit Services, the agency head or designee signs a Memorandum of Understanding (MOU) which outlines the scope of work and pricing. It is the agency's responsibility to ensure the MOU includes all sensitive systems requiring a security audit. A properly defined MOU allows Audit Services to properly price and schedule the security audit. Audit Services audits all the systems in scope for an agency at the same time and issues one audit report covering all systems in scope per the MOU. Audit Services should consider adding information to the MOU related to audit deadlines or the planned timeframe for the audit. This added communication will ensure all parties understand when Audit Services plans to complete the audits. Additionally, more information regarding audit timing will allow agencies to determine if they need to obtain a separate audit for specific systems to ensure those systems remain compliant with the Security Audit Standard between the date of the MOU and the anticipated deadline set by Audit Services.

Of the four audits Audit Services completed late during fiscal year 2022, two of the delays are due to the agencies requesting postponements. Additionally, of the ten audits that were already late as of June 30, 2022, two are due to agency-requested postponements. The remaining late audits are primarily due to resource constraints within Audit Services. Audit Services should regularly monitor its audit workplan to ensure audit staff complete all IT security audits by the required deadlines. Additionally, Audit Services should evaluate its staffing levels and assess if VITA should contract with an outside audit firm to aid in completing IT security audits.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.

2022-090: Improve Third-Party Oversight Process
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services does not have a formal and consistent process for maintaining oversight of three of its IT third-party service providers (providers) that manage and support the Medicaid management system. As a result of an informal and inconsistent process, Medical Assistance Services did not verify or implement three controls required by the Hosted Environment Security Standard. We communicated the three weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

Without a formal and consistent process to maintain oversight of its providers, Medical Assistance Services cannot validate whether its providers implement the security controls that meet the requirements in the Hosted Environment Security Standard to protect the agency's sensitive and mission-critical data. While Medical Assistance Services has a formal IT Third Party and Vendor Compliance Management Policy, effective as of December 31, 2021, the agency experienced turnover in its ISO position in June 2022 before the development of a formal procedure. As a result, Medical Assistance Services did not consistently maintain oversight of its providers in accordance with the Hosted Environment Security Standard.

Medical Assistance Services should dedicate the necessary resources to develop a formal procedure to maintain oversight of its providers in accordance with its policy and the Hosted Environment Security Standard. Medical Assistance Services should also dedicate the necessary resources to implement and consistently perform the formal oversight process, which will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.

2022-100: Continue to Ensure ITISP Suppliers Meet All Contractual Requirements
Applicable to: Virginia Information Technologies Agency
Prior Year Finding Number: 2021-023; 2020-070
Type of Finding: Internal Control
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Although VITA is monitoring and enforcing the contractual requirements each month, as of June 2022 there were still cases of Information Technology Infrastructure Services Program (ITISP) suppliers not meeting the minimum requirements. When ITISP suppliers do not meet all contractual requirements (e.g., key measures, critical service levels, deliverables), it impacts the ability of Commonwealth agencies that rely on the ITISP services to comply with the Security Standard. The Security Standard is a baseline for information security and risk management activities for Commonwealth agencies. Many agencies rely on services provided through the ITISP suppliers to ensure compliance with the Security Standard.

For example, the Security Standard requires the installation of security-relevant software updates within 90 days of release (Security Standard Section: SI-2 Flaw Remediation). Commonwealth agencies rely on the ITISP suppliers for the installation of security patches in systems that support agencies' operations. Our audits at various agencies for fiscal year 2022 found critical and highly important security patches that were past the 90-day Security Standard requirement. The systems missing critical security updates are at an increased risk of successful cyberattack, exploit, and data breach by malicious parties.

Additionally, the Security Standard requires agencies to review and analyze audit records at least every 30 days for indications of inappropriate or unusual activity (Security Standard Section: AU-6 Audit Review, Analysis, and Reporting). Our audits of various agencies for fiscal year 2022 found that agencies rely on the ITISP suppliers to provide access to a centralized monitoring tool that collects audit log information about activities in the IT environment. Certain agencies were unable to obtain access to the audit log information during fiscal year 2022, and thus were not able to comply with the Security Standard requirements related to audit log monitoring. Although the supplier was performing audit logging and monitoring, only a select few agencies have access to the monitoring tool while the supplier is pilot testing the tool. The Commonwealth's risk associated with data confidentiality, integrity, and availability increases when agencies are not able to review and monitor their individual audit logs.

During fiscal year 2022, VITA and the Multisource Service Integrator (MSI) evaluated the current service level measurements to ensure they align with the Commonwealth's needs. As of December 2022, VITA and the MSI are implementing changes to the service level related to security and vulnerability patching. The changes to this service level include establishing a Common Vulnerabilities and Exposures (CVE) threshold. The new security and vulnerability patching service level will require the ITISP suppliers to install any patch with a CVE score above the threshold within 90 days. VITA continues to work with the managed security supplier to address the agencies' inability to access the audit log information. The supplier replaced the original security incident and event management system with a new managed detection and response (MDR) platform. Currently, only a small number of agencies are piloting the new MDR system.

VITA should document the rationale for all changes to the service levels, including the basis for the CVE score threshold selected, and continually reevaluate the service levels as risks change. To ensure all agencies that rely on the ITISP services can comply with the Security Standard, VITA should ensure ITISP suppliers meet all contractual requirements (e.g., key measures, critical service levels, deliverables). To aid in determining which requirements have Security Standard implications, VITA should crosswalk contractual requirements to the Security Standard. A crosswalk will help in identifying which requirements, if not met, could put an agency at risk per the Security Standard. If VITA determines an ITISP supplier is not meeting a contractual requirement that may have a Security Standard implication, VITA should communicate with the affected agencies and provide guidance on compensating controls and processes the agencies should implement to reduce risk while the suppliers work to meet the requirements of the contract.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.

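The patching service level described in this finding (install any patch whose CVE score is above the agreed threshold within 90 days of release, per SI-2) can be tested mechanically once the threshold is fixed. The script below is an added example, not VITA's, the MSI's, or any supplier's tooling; it evaluates a constructed patch inventory against a threshold and also shows how the in-scope set changes with the threshold chosen, which is the trade-off the finding asks VITA to document.

```python
"""Check a patch inventory against the SI-2 / ITISP patching service level.

Added example, not VITA's or any supplier's tooling. The rule as described in
the finding: every patch whose CVE (CVSS) score is above the agreed threshold
must be installed within 90 days of its release. The inventory is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW = timedelta(days=90)   # SI-2 Flaw Remediation: install within 90 days


@dataclass(frozen=True)
class Patch:
    patch_id: str
    cvss: float
    released: date
    installed: Optional[date]   # None: not yet installed


def status(p: Patch, threshold: float, as_of: date) -> str:
    """Classify one patch under the service level.

    out_of_scope: score at or below the threshold (not covered by the SLA)
    compliant:    installed within the 90-day window
    late:         installed, but after the window closed
    overdue:      not installed and the window has closed
    pending:      not installed, window still open
    """
    if p.cvss <= threshold:          # finding says "above the threshold": strict
        return "out_of_scope"
    due = p.released + PATCH_WINDOW
    if p.installed is not None:
        return "compliant" if p.installed <= due else "late"
    return "overdue" if as_of > due else "pending"


def days_overdue(p: Patch, as_of: date) -> int:
    """Days past the 90-day due date, measured to the install date or to `as_of`."""
    end = p.installed if p.installed is not None else as_of
    return max(0, (end - (p.released + PATCH_WINDOW)).days)


def sla_report(inventory: List[Patch], threshold: float, as_of: date) -> Dict[str, object]:
    """Counts per status plus the patch ids a supplier would be asked to explain."""
    counts: Dict[str, int] = {}
    breaches: Dict[str, int] = {}
    for p in inventory:
        s = status(p, threshold, as_of)
        counts[s] = counts.get(s, 0) + 1
        if s in ("late", "overdue"):
            breaches[p.patch_id] = days_overdue(p, as_of)
    return {"threshold": threshold, "counts": counts, "breaches": breaches}


def threshold_sensitivity(inventory: List[Patch], thresholds: List[float], as_of: date) -> Dict[float, int]:
    """Number of patches in scope at each candidate threshold: the basis for the
    threshold choice that the finding asks VITA to record."""
    return {
        t: sum(1 for p in inventory if status(p, t, as_of) != "out_of_scope")
        for t in thresholds
    }


# Constructed inventory as of fiscal year end.
AS_OF = date(2022, 6, 30)
INVENTORY = [
    Patch("P-1", 9.8, date(2022, 1, 15), date(2022, 3, 1)),   # installed in 45 days
    Patch("P-2", 8.1, date(2022, 2, 1), date(2022, 5, 20)),   # installed in 108 days: late
    Patch("P-3", 7.5, date(2022, 3, 1), None),                # 121 days open: overdue
    Patch("P-4", 5.3, date(2022, 1, 1), None),                # below a 7.0 threshold
    Patch("P-5", 9.1, date(2022, 5, 15), None),               # 46 days open: pending
]

if __name__ == "__main__":
    print(sla_report(INVENTORY, 7.0, AS_OF))
    print(threshold_sensitivity(INVENTORY, [4.0, 7.0, 9.0], AS_OF))
```

Lowering the threshold pulls more patches into the SLA and raises the supplier's obligation; the sensitivity table makes that consequence explicit before a threshold is written into the contract.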
2022-011: Perform Responsibilities Outlined in the Agency Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-070; 2020-074; 2019-090; 2018-093
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.303(a)
Known Questioned Costs: $0

The Department of Social Services' (Social Services) Compliance Division (Compliance) continues to not adhere to its established approach to oversee the agency's subrecipient monitoring activities, as outlined in its Agency Monitoring Plan. During fiscal year 2022, Social Services disbursed approximately $588 million in federal funds from roughly 5,000 subawards. According to Social Services' Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps to ensure adherence to state and federal legal and regulatory standards, including subrecipient monitoring. During the audit, we noted the following deviations from the Agency Monitoring Plan:
• Compliance has not finalized the Agency Monitoring Plan and, as a result, has not communicated it to Subrecipient Monitoring Coordinators within each division of Social Services. Because of the lack of communication, there were deviations from the Agency Monitoring Plan at the division level. For example, the Agency Monitoring Plan requires each division to monitor subrecipients once every three years. However, the Local Review Team and Child Care Subsidy Program Monitoring Plans did not consider this requirement because the Subrecipient Monitoring Coordinators were unaware of it. We communicated this matter to Social Services through the audit finding titled "Finalize the Agency Monitoring Plan and Communicate Responsibilities to Subrecipient Monitoring Coordinators," which we have included as a separate audit finding in this report.
• Compliance continues to not review division monitoring plans to ensure the divisions implemented a risk-based approach for monitoring subrecipients. The Agency Monitoring Plan states that Compliance will use a monitoring plan checklist to evaluate and determine if all the required elements for subrecipient monitoring are present in each division's plan. As a result of the lack of review, the Division of Benefit Programs' (Benefit Programs) monitoring plan continues to not meet all the requirements outlined in the Agency Monitoring Plan because it does not include a risk-based approach for subrecipient monitoring and does not consider all subrecipients who receive funding from the Temporary Assistance for Needy Families (TANF) federal grant program. We communicated these matters to Social Services through the audit findings titled "Verify that Monitoring Plan Includes All Subrecipient Programmatic Activities" and "Evaluate Subrecipients' Risk of Noncompliance in Accordance with Federal Regulations," which we have included as separate audit findings in this report.
• Compliance continues to not conduct an analysis of subrecipient monitoring review efforts performed by the divisions. As a result, Compliance has not produced quarterly reports of variances and noncompliance to brief Social Services' Executive Team on the agency's subrecipient monitoring activities. Because of the lack of analysis, Compliance was unaware of deviations from the Agency Monitoring Plan occurring at the divisions. For example, Benefit Programs only completed 25 of the 67 (37%) scheduled reviews for the Low-Income Home Energy Assistance Program (LIHEAP) federal grant program. Additionally, Benefit Programs did not upload its monitoring review records to Social Services' data repository timely for management review. As a result, Compliance was unaware that Regional Consultants were deviating from Benefit Programs' monitoring plan. We communicated this matter to Social Services through the audit finding titled "Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan," which we have included as a separate audit finding in this report.

Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot provide Social Services' Executive Team with reasonable assurance that the agency complied with the pass-through entity federal requirements at 2 CFR § 200.332. Title 2 CFR § 200.303(a) requires pass-through entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

Compliance planned to procure a centralized system to strengthen its monitoring activities but has been unsuccessful in its efforts and has not identified alternative approaches for carrying out the responsibilities in the Agency Monitoring Plan and discussed them with Social Services' Executive Team. Because of the scope of this matter, we consider it to be a material weakness in internal control.

Social Services' Executive Team shapes strategies, develops objectives, and collectively resolves issues that are critical to the overall agency performance. Social Services' Executive Team and Compliance should work collaboratively to determine the best approach for carrying out the responsibilities in the Agency Monitoring Plan. Additionally, Social Services' Executive Team and Compliance should hold quarterly meetings to discuss the Agency Monitoring Plan and its activities.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.

2022-012: Finalize the Agency Monitoring Plan and Communicate Responsibilities to Subrecipient Monitoring Coordinators
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-069; 2020-076
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0

Compliance has not finalized its Agency Monitoring Plan and communicated responsibilities to Subrecipient Monitoring Coordinators, as recommended during the fiscal year 2020 audit. The oversight of Social Services' subrecipient monitoring processes transitioned from the Division of Community and Volunteer Services (Community and Volunteer Services) to Compliance in fiscal year 2019. Community and Volunteer Services created the Agency Monitoring Plan, and it is now the responsibility of Compliance. However, Compliance has not updated the Agency Monitoring Plan to properly reflect agency operations over subrecipient monitoring. In effect, Compliance continues to not communicate the Agency Monitoring Plan to Subrecipient Monitoring Coordinators within each division of Social Services. During fiscal year 2022, Social Services disbursed approximately $588 million in federal funds from roughly 5,000 subawards.

Title 2 CFR § 200.332(d) requires pass-through entities to monitor the activities of subrecipients as necessary to ensure use of the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without clearly defining responsibilities and communicating federal requirements, Compliance cannot provide assurance that Social Services adequately monitors all its subrecipients to ensure they are achieving program objectives or complying with federal requirements.

Compliance was unable to finalize the monitoring plan and communicate responsibilities to monitoring coordinators because it did not dedicate the resources necessary to implement corrective action. Compliance should allocate resources to finalize the Agency Monitoring Plan to properly address subrecipient monitoring responsibilities. Additionally, Compliance should communicate the Agency Monitoring Plan to Subrecipient Monitoring Coordinators within each division of Social Services.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.

2022-014: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0

Benefit Programs does not oversee subrecipient monitoring activities to ensure monitoring activities are conducted in accordance with its monitoring plan. During the fiscal year, Benefit Programs disbursed approximately $312 million in subaward payments from the Supplemental Nutrition Assistance Program (SNAP) and Medicaid Clusters and the LIHEAP and TANF federal grant programs. During the audit, we noted the following deviations from Benefit Programs' monitoring plan:
• Benefit Programs created a monitoring plan to comply with Social Services' Agency Monitoring Plan. Regional consultants, who perform subrecipient monitoring activities, created their own subrecipient monitoring schedules that were not consistent with Benefit Programs' monitoring schedule.
• Benefit Programs did not confirm that fiscal year 2022 monitoring review records uploaded to its data repository were complete. Some of the missing records included the agency notification letter, case selection sample, and subrecipient monitoring checklist.
• At the beginning of audit fieldwork, the data repository did not contain all subrecipient monitoring reviews performed during the fiscal year. The Subrecipient Monitoring Coordinator subsequently obtained and uploaded the remaining subrecipient monitoring reviews to Benefit Programs' data repository. The data repository only included the following subrecipient monitoring reviews at the time of the audit:
  o 12 of 25 (48%) reviews performed for the LIHEAP federal grant program;
  o 22 of 73 (30%) reviews performed for the SNAP Cluster;
  o 13 of 62 (21%) reviews performed for the Medicaid Cluster; and
  o nine of 62 (15%) reviews performed for the TANF federal grant program.
• Benefit Programs only completed 25 of the 67 (37%) scheduled reviews for the LIHEAP federal grant program.

Benefit Programs did not identify these issues because its monitoring plan did not clearly delineate who was responsible for overseeing subrecipient monitoring activities. As a result, no one in Benefit Programs was overseeing subrecipient monitoring activities.

Title 2 CFR § 200.332(d) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the pass-through entity uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conduct monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with 2 CFR § 200.332(d).

In March 2022, Benefit Programs created a Subrecipient Monitoring Coordinator position to oversee its monitoring activities. The Subrecipient Monitoring Coordinator is working with Benefit Programs' Associate Director for Operations and Support to confirm that Benefit Programs' monitoring plan meets federal requirements. Benefit Programs should continue its efforts to confirm that it conducts monitoring activities in accordance with its monitoring plan.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.

2022-016: Evaluate Subrecipients' Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0

Benefit Programs continues to not evaluate subrecipients' risk of noncompliance with federal regulations related to the administration of the SNAP and Medicaid Clusters and the TANF and LIHEAP federal grant programs. Benefit Programs develops its subrecipient monitoring approach using the size of the subrecipient; however, it does not perform any further risk assessment procedures to determine the monitoring approach. Social Services disbursed approximately $312 million to subrecipients from these federal programs during the fiscal year.

Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Further, 2 CFR § 200.332(b) suggests that pass-through entities should consider the results of previous audits, the subrecipient's prior experience with the same or similar subawards, and whether the subrecipient has new personnel or new or substantially changed systems.

Benefit Programs developed a corrective action plan to perform risk assessment procedures to comply with 2 CFR § 200.332(b); however, Benefit Programs was unable to implement corrective action due to staff turnover. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipient as necessary to ensure that the pass-through entity used the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Benefit Programs should continue its corrective action efforts to implement a risk assessment process for subrecipients that is consistent with federal regulations and ensure that its monitoring efforts are consistent with the results of its risk assessment.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-018: Continue Strengthening Process over Medicaid Coverage Cancellations
Applicable to: Department of Medical Assistance Services; Department of Social Services
Prior Year Finding Number: 2021-067
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Eligibility - 42 CFR § 433.400(d)
Known Questioned Costs: $0

The Department of Medical Assistance Services (Medical Assistance Services) continues to oversee the review of individuals with an out-of-state address in the Medicaid claims processing module of the Medicaid management system who may no longer be eligible for Medicaid coverage. Based on data from our prior year finding, Medical Assistance Services, with assistance from Social Services, reviewed cases with an out-of-state address and subsequently closed approximately 6,700 cases and recouped $40.1 million in Managed Care Organization (MCO) payments. Medical Assistance Services further reviewed additional cases related to fiscal year 2022 and, as of November 2022, had identified an additional 8,500 cases for closure and recouped an additional $43.4 million in MCO payments. These efforts are ongoing, as research is in progress for approximately 4,700 cases; however, Medical Assistance Services anticipates completing the review of these cases by December 2022.

Medicaid eligibility is based on several financial and non-financial requirements. Section 12VAC30-40-10 of the Virginia Administrative Code lays out the general conditions of eligibility that an individual must satisfy to enroll in the Medicaid program. One of the non-financial requirements is that the individual be a state resident. In Spring 2020, with the onset of the Public Health Emergency (PHE), the federal government modified the program requirements; based on the Families First Coronavirus Response Act § 6008(b)(3), states cannot cancel Medicaid coverage during the PHE except in the following situations: an individual's death, an individual's request to cancel coverage, or an individual's relocation to another state.

To ensure compliance with these requirements, Medical Assistance Services began reviewing coverage cancellation information monthly to ensure cancellations of coverage only occurred for allowable reasons during the PHE. Under the process, Medical Assistance Services reviewed cancellation codes in the eligibility system and reinstated coverage for those cases that did not meet certain cancellation reasons. For this process to be effective, Medical Assistance Services was relying on correct cancellation codes in the eligibility system; however, for the cases identified, the eligibility system produced a generic cancellation code, causing Medical Assistance Services to reinstate the Medicaid coverage although the individual may no longer have been eligible for coverage.

Medical Assistance Services has undertaken significant efforts to address this issue. Medical Assistance Services staff, along with Social Services and other contracted staff, have performed detailed eligibility reviews of over 17,000 individual cases. In addition to these reviews, Medical Assistance Services has worked with Social Services to ensure it correctly records future coverage cancellations related to relocations to another state in the eligibility system. As of June 2022, Social Services programmed the eligibility system to return a specific cancellation code for relocating out of Virginia instead of a generic cancellation code. While this system change should reduce the number of cases that Medical Assistance Services reinstates when an individual has moved out of state, Medical Assistance Services has also implemented a new quarterly review process to identify individuals who may have relocated out of state and may no longer be eligible for Medicaid coverage. We encourage Medical Assistance Services, along with Social Services, to continue with these efforts to ensure only eligible individuals are receiving Medicaid benefits.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-022: Improve Information Security Program and IT Governance
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Information Security Roles and Responsibilities
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services has an insufficient governance structure to manage and maintain its information security program in accordance with the Commonwealth's Information Security Standard, SEC 501 (Security Standard). Specifically, Social Services does not assess information security requirements for its information technology (IT) projects and does not prioritize information security and IT resources to ensure its information security program effectively protects sensitive Commonwealth data in accordance with the Security Standard. Social Services uses numerous IT systems to carry out its mission and provide essential services to the public. The Security Standard, Section 2.4.2, requires the agency head to maintain an information security program that is sufficient to protect the agency's IT systems and to ensure the information security program is documented and effectively communicated.

We communicated the internal control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to its sensitivity and description of security controls. The internal control weaknesses described in the communication marked FOIAE are the result of Social Services not assessing information security requirements prior to project implementation or prioritizing information security within the IT environment.

Not prioritizing IT resources to properly manage its information security program can result in a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external. Additionally, not dedicating the necessary IT resources to information security has hindered Social Services' ability to consistently and timely remediate findings from management recommendations issued throughout prior audits and to bring the information security program into compliance with the Security Standard. Because of the scope of this matter, we consider it to be a material weakness in internal control.

Social Services should evaluate the most efficient and effective method to bring its IT and security program into compliance with the Security Standard. Social Services should also evaluate its IT resource levels to ensure sufficient resources are available and dedicated to prioritizing and implementing IT governance changes and to addressing the internal control deficiencies discussed in the communication marked FOIAE. Implementing these recommendations will help to ensure Social Services protects the confidentiality, integrity, and availability of its sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-024: Improve Information Security Program and Controls
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2021-024; 2020-024
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Access Control; Awareness and Training; Incident Response; Information Security Roles and Responsibilities; Personnel Security; Planning; Risk Assessment; Security Assessment and Authorization; System and Services Acquisition
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services continues to address weaknesses found during an audit of IT general controls. The audit performed by an external consultant during the period April 1, 2019, through March 31, 2020, resulted in 71 individual control weaknesses out of 100 controls tested, which the consultant grouped in ten findings. As of the end of fiscal year 2022, Medical Assistance Services resolved one of the ten findings and continues to make progress with the nine remaining findings, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

Noncompliance with the required security controls increases the risk of unauthorized access to mission-critical systems and data, in addition to weakening the agency's ability to respond to malicious attacks on its IT environment. Medical Assistance Services has experienced delays in addressing these findings due to staffing turnover and shortages as well as organizational changes that affected some of its processes. Medical Assistance Services updated its corrective action plan in June 2022, stating that corrective actions are still ongoing for all nine findings, and estimates it will complete corrective action for eight of the findings by the end of calendar year 2022 and the last finding by June 2023.

Medical Assistance Services should continue to dedicate the necessary resources to ensure timely completion of its corrective action plans and to comply with the Security Standard. These actions will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-029: Improve Web Application Security
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-025; 2020-026; 2019-037
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability; Configuration Management; Risk Assessment; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to not configure a sensitive web application in accordance with the Security Standard. Since the prior audit, Social Services has not remediated any of the previously identified weaknesses. We communicated the weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

The Security Standard requires implementing certain internal controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Social Services cannot ensure adequate protection of its sensitive and mission-critical data without configuring its sensitive web application in accordance with the Security Standard. Lacking or insufficient procedures and processes to manage the web application contributed to the five weaknesses outlined in the separate FOIAE document. Social Services' prioritization of other projects also contributed to the weaknesses persisting.

Social Services should dedicate the necessary resources to remediate the weaknesses discussed in the communication marked FOIAE in accordance with the requirements in the Security Standard. Implementing required controls will help to ensure Social Services secures the web application to protect its sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-030: Continue Improving IT Risk Management Program
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-026; 2020-027; 2019-063; 2018-025
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Contingency Planning; Planning; Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to not have a formal and effective IT risk management program that aligns with the requirements in the Security Standard. Since we first issued this finding during the fiscal year 2018 audit, Social Services remediated some risk management and contingency planning issues. However, Social Services continues to not:

• accurately verify and validate data and system sensitivity ratings;
• create risk assessments for 50 percent of its sensitive systems;
• create system security plans for 52 percent of its sensitive systems;
• perform annual reviews for 99 percent of its existing risk assessment documentation;
• perform annual reviews for 74 percent of its existing system security plan documentation; and
• implement corrective actions identified in risk assessments.

We communicated the details of these weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data.

Due to the magnitude of the project, Social Services has not yet remediated all the weaknesses. Additionally, the requirements documented in the policy and the process documented in the procedure do not align, which contributed to Social Services not consistently completing risk management documentation due to conflicting roles and responsibilities. Without implementing a formal and effective IT risk management program, Social Services cannot assure itself that it is reducing unnecessary risk to the confidentiality, integrity, and availability of its information systems and data.

Social Services should prioritize and dedicate the necessary resources to remediate the weaknesses discussed in the communication marked FOIAE in accordance with the requirements in the Security Standard. Completing its corrective action plan will help to ensure the confidentiality, integrity, and availability of the agency's sensitive systems and mission-essential functions.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-052: Continue Improving IT Change and Configuration Management Process
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-049; 2020-044; 2019-038
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Configuration Management
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to improve its IT change and configuration management process to align with the Security Standard. Change management is a key control to evaluate, approve, and verify configuration changes to security components. Two weaknesses remain since our last review, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

Social Services' Change Management Process Guide details the process Social Services follows to manage changes but does not include all the required elements, which contributed to the weaknesses remaining. Additionally, the change request form does not have the necessary fields to document the required elements. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Without doing so, Social Services cannot assure itself that it is reducing unnecessary risk to the confidentiality, integrity, and availability of its information systems and data.

Social Services should resolve the remaining two weaknesses discussed in the communication marked FOIAE in accordance with the Security Standard. Continuing to improve Social Services' IT change and configuration management process will decrease the risk of unauthorized modifications to sensitive systems and help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-057: Improve Timely Removal of Critical System Access
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2021-037; 2020-049; 2019-024; 2018-040; 2017-016
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Personnel Security
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services did not remove access to the claims processing module or the eligibility system timely for individuals who separated from the agency and no longer needed access. For one out of eight (12.5%) users, Medical Assistance Services did not disable system access in the claims processing module within 24 hours of separation. The user retained their system access for 11 days after separation. For three out of 25 (12%) users, Medical Assistance Services did not disable system access in the eligibility system within 24 hours of separation. These three users were contract employees and retained their access to the system between 104 and 123 days after separation.

Medical Assistance Services' Access Control Policy requires that "all user accounts must be disabled immediately upon separation or within 24 hours upon receipt by the Office of Compliance and Security" (Compliance and Security). Failing to disable access timely for web-based mission-critical systems threatens the data integrity of the systems. If separated users retain access to the claims processing module or the eligibility system, users are potentially able to view, copy, and edit sensitive information.

There are several factors contributing to this issue. First, Medical Assistance Services' internal policy is not in compliance with the Security Standard. The Security Standard requires agencies to disable access within 24 hours of separation, not within 24 hours of receipt of notification. Additionally, supervisors are not communicating information on separated employees timely. A separating employee's supervisor must initiate an exit clearance workflow for the system to automatically notify Compliance and Security for removal of system access. For the user of the claims processing module, the supervisor requested access termination more than 24 hours after the employee's separation. Finally, for the three users of the eligibility system, Compliance and Security received the access termination request timely but did not terminate access for more than 24 hours after receipt.

In June 2022, Medical Assistance Services implemented several organizational changes, including dissolving Compliance and Security. The responsibility for system access management moved to the division responsible for the system and its applicable business function. Medical Assistance Services is currently updating its internal Access Control policy to ensure it is consistent with the Security Standard and organizational updates. Medical Assistance Services expects to complete the policy and process updates in December 2022. Medical Assistance Services should also train and educate supervisors on the importance of timely notification of separated employees. Finally, Medical Assistance Services should ensure compliance with the Security Standard by removing user access as required.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-059: Monitor Internal Controls to Ensure Timely Removal of System Access
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-038; 2021-027; 2020-025; 2019-027; 2018-042
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Personnel Security
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services did not comply with the Security Standard requirements for removing system access for separated employees. For 13 of the 26 (50%) separations tested from fiscal year 2022, Social Services did not remove system access within 24 hours following each employee's separation date. Untimely removal of access ranged between two and 290 days after each employee's separation date.

Section PS-4 of the Security Standard requires an organization to disable information system access within 24 hours of employment termination. To comply with the Security Standard, Social Services created a policy in Section 2.9 of its State/Local Security Officers Procedures Manual (Manual) that requires supervisors to complete the State Employee Separation and Transfer Checklist (Separation Checklist) at least 48 hours in advance of the employee's separation and submit it to the Division Security Officer. The Division Security Officer must then remove the separated employee from Social Services' access management system, which controls access to its internal systems, within 24 hours following the employee's separation date. Upon completion, the Division Security Officer is responsible for submitting the Separation Checklist to other Divisions, such as the Division of Human Resources (Human Resources) and the Central Security Office (Central Security), to make them aware of the separation.

Social Services does not appear to monitor compliance with internal policies surrounding access removal for separated employees. Of the 13 employees with access removed more than 24 hours after their separation dates:

• We noted four instances where Social Services was unable to provide the Separation Checklist. As a result, Social Services was unable to demonstrate compliance with its internal policies surrounding access removal for separated employees.
• Of the remaining nine employees with completed Separation Checklists, we noted nine instances of untimely or inaccurate supervisor sign-offs. Specifically, there were seven instances where the supervisor did not submit the Separation Checklist to the Division Security Officer at least 48 hours in advance of the employee's date of separation and two instances where the supervisor did not properly sign off and date the Separation Checklist.

Social Services administers numerous public assistance programs that collect personally identifiable information and other protected information from beneficiaries. Social Services places its data and reputation at risk by not removing access timely. Additionally, Social Services could incur a potential financial liability should its information become compromised.

The Security Standard states that the Agency Head is responsible for security of the agency's IT systems and data. Since Human Resources, Central Security, and the Division Security Officers share ownership of the employee separation and access removal processes, Social Services' Executive Team should identify which division in the agency should be responsible for monitoring compliance with internal policies surrounding access removal for separated employees. Social Services' Executive Team should periodically review the monitoring results and take enforcement actions, as necessary, if the agency is not compliant.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
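The access-removal rule tested in findings 2022-057 and 2022-059 can be monitored continuously rather than sampled once a year. The following Python is an added example, not code from the report or from either agency: it joins constructed HR separation records with request-receipt and account-disable timestamps, measures each delay against the Security Standard's 24-hour limit, and classifies every late removal by the step that slipped (missing checklist, late supervisor notification, slow processing, or the agency-clock gap the first finding describes). The record fields, sample data and cause labels are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Time limits as the findings describe them (see 2022-057 and 2022-059).
STANDARD_LIMIT = timedelta(hours=24)  # Security Standard PS-4: disable within 24 hours of separation
RECEIPT_LIMIT = timedelta(hours=24)   # agency policy in 2022-057: 24 hours from receipt by the security office
NOTICE_LEAD = timedelta(hours=48)     # Manual Section 2.9 in 2022-059: checklist due 48 hours before separation


@dataclass
class Separation:
    """One separated user joined from HR and the access-management system (constructed data)."""
    user: str
    system: str
    separated: datetime                  # separation date/time recorded by HR
    notice_received: Optional[datetime]  # when the security office received the request; None = no checklist on file
    disabled: Optional[datetime]         # when the account was disabled; None = still active


@dataclass
class Assessment:
    user: str
    system: str
    days_to_disable: float      # days from separation to disable (or to the review date if still active)
    meets_standard: bool        # disabled within 24 hours of separation, the rule the auditors test against
    meets_receipt_policy: bool  # disabled within 24 hours of receipt, the weaker agency rule in 2022-057
    notice_timely: bool         # checklist received at least 48 hours before separation (2022-059)
    cause: str                  # which step slipped, in the terms the findings use


def assess(rec: Separation, as_of: datetime) -> Assessment:
    """Classify one separation: compliant, or which step of the process caused the delay."""
    end = rec.disabled if rec.disabled is not None else as_of
    elapsed = end - rec.separated
    meets_standard = rec.disabled is not None and elapsed <= STANDARD_LIMIT

    # The agency clock starts at receipt of the request, but never before the separation itself.
    meets_receipt = False
    if rec.disabled is not None and rec.notice_received is not None:
        clock_start = max(rec.notice_received, rec.separated)
        meets_receipt = rec.disabled - clock_start <= RECEIPT_LIMIT

    notice_timely = rec.notice_received is not None and rec.notice_received <= rec.separated - NOTICE_LEAD

    if meets_standard:
        cause = "compliant"
    elif rec.disabled is None:
        cause = "still_active"       # nobody has removed the access yet
    elif rec.notice_received is None:
        cause = "no_checklist"       # cannot show the supervisor ever initiated removal
    elif rec.notice_received - rec.separated > STANDARD_LIMIT:
        cause = "late_notification"  # supervisor requested removal more than 24 hours after separation
    elif not meets_receipt:
        cause = "slow_processing"    # request arrived in time; the security office did not act on it
    else:
        cause = "policy_gap"         # each step met the agency clock, yet the total delay breaks the Standard

    return Assessment(rec.user, rec.system, elapsed.total_seconds() / 86400,
                      meets_standard, meets_receipt, notice_timely, cause)


def summarize(records: List[Separation], as_of: datetime) -> Dict[str, object]:
    """Roll results up the way the findings report them: count, percentage, day range, root causes."""
    results = [assess(r, as_of) for r in records]
    late = [a for a in results if not a.meets_standard]
    days = [a.days_to_disable for a in late]
    return {
        "tested": len(results),
        "late": len(late),
        "late_pct": round(100.0 * len(late) / len(results), 1) if results else 0.0,
        "range_days": (min(days), max(days)) if late else None,
        "by_cause": dict(Counter(a.cause for a in late)),
        "missing_checklist": sum(1 for a in results if a.cause == "no_checklist"),
    }


# Constructed sample population; the delays echo the magnitudes the findings cite, not real records.
AS_OF = datetime(2022, 6, 30, 9, 0)
SAMPLE: List[Separation] = [
    Separation("u1", "claims", datetime(2022, 3, 1, 9), datetime(2022, 3, 3, 9), datetime(2022, 3, 12, 9)),
    Separation("c1", "eligibility", datetime(2022, 1, 10, 9), datetime(2022, 1, 10, 12), datetime(2022, 4, 24, 9)),
    Separation("s1", "internal", datetime(2021, 8, 1, 9), None, datetime(2022, 5, 18, 9)),
    Separation("ok", "internal", datetime(2022, 5, 2, 17), datetime(2022, 4, 29, 10), datetime(2022, 5, 3, 8)),
    Separation("a1", "eligibility", datetime(2022, 6, 20, 9), datetime(2022, 6, 20, 10), None),
    Separation("g1", "claims", datetime(2022, 6, 1, 17), datetime(2022, 6, 2, 9), datetime(2022, 6, 2, 20)),
]

if __name__ == "__main__":
    for a in (assess(r, AS_OF) for r in SAMPLE):
        print(f"{a.user:3} {a.system:12} {a.days_to_disable:7.2f} days  {a.cause}")
    print(summarize(SAMPLE, AS_OF))
```

Running the check over a live join of HR and account data each day, rather than over a sample at audit time, gives the monitoring owner that 2022-059 asks the Executive Team to designate a standing report to review.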
2022-060: Upgrade End-of-Life Technology
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services uses end-of-life technologies in its IT environment and maintains technologies that support mission-essential data on IT systems that its vendors no longer support. We communicated internal control weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. The Security Standard prohibits using software that is end-of-life and which the vendor no longer supports, to reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data.

Social Services does not assign an individual or team the responsibility to track end-of-life software dates and does not have a formal process to ensure that it upgrades software versions prior to the end-of-life date, which caused the end-of-life software to remain in the environment. Social Services' use of end-of-life software increases the risk that known vulnerabilities will persist in the system without the potential for patching or mitigation. These unpatched vulnerabilities increase the risk of successful cyberattack, exploit, and data breach by malicious parties. Further, vendors do not offer operational and technical support for end-of-life or end-of-support technology, which affects data availability by increasing the difficulty of restoring system functionality if a technical failure occurs.

Social Services should dedicate the necessary resources to evaluate and implement the internal controls and recommendations discussed in the communication marked FOIAE in accordance with the Security Standard. Minimizing the use of end-of-life software will help to ensure that Social Services secures its IT environment and systems to protect its sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-064: Continue Developing Record Retention Requirements and Processes for Electronic Records
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-047; 2020-041; 2019-049; 2018-054
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Contingency Planning
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to operate without an adequate data retention process for its case management system. Social Services' case management system authorized over $10 billion in benefit payments from various public assistance programs to beneficiaries during fiscal year 2022. We communicated this weakness to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia because it contains descriptions of security mechanisms.

Since fiscal year 2019, Social Services has gathered retention requirements from the business divisions. During the fiscal year, Social Services finalized and documented policies with retention requirements. However, Social Services has not developed, documented, and implemented a policy, procedure, and process to operationalize the record retention requirements needed.

Federal regulations impose different record retention requirements for different federal programs. Additionally, the Virginia Public Records Act (§ 42.1-91 of the Code of Virginia) makes each agency responsible for ensuring that it preserves, maintains, and makes accessible public-facing records throughout their lifecycle, including converting and migrating electronic records as often as necessary so that information is not lost due to hardware, software, or media obsolescence or deterioration. Further, the Security Standard, Section CP-9-COV, requires that the agency implement backup and restoration plans for every IT system identified as sensitive relative to availability, and that those plans address the retention of the data in accordance with the records retention policy.

Without developing, documenting, and implementing a policy, procedure, and process to operationalize record retention requirements, Social Services increases data risk and increases its potential exposure to fines, penalties, or other legal consequences. Additionally, Social Services may cause the Commonwealth to spend additional resources to maintain, back up, and protect the information.

Social Services should develop and implement a records retention policy and procedure that defines its requirements and processes, so that consistent record retention processes can be operationalized across business divisions to ensure compliance with laws and regulations.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-066: Conduct Audits of Agency Sensitive Systems Timely
Applicable to: Virginia Information Technologies Agency
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

VITA's Centralized IT Security Audit Service (Audit Services) conducts IT security audits for contracted agencies. The Commonwealth's Information Technology Security Audit Standard, SEC 502 (Security Audit Standard), Section 2.1, requires agencies to complete security audits for each sensitive system every three years from the last audit completion date. Based on our review of audit completion dates provided by Audit Services, we determined the following:

• During fiscal year 2022, Audit Services completed four of six agency IT security audits after the three-year audit deadline.
• As of June 30, 2022, Audit Services is currently engaged in, or has not started, ten agency IT security audits that are past the three-year audit requirement.

When an agency contracts with Audit Services, the agency head or designee signs a Memorandum of Understanding (MOU) that outlines the scope of work and pricing. It is the agency's responsibility to ensure the MOU includes all sensitive systems requiring a security audit. A properly defined MOU allows Audit Services to properly price and schedule the security audit. Audit Services audits all the systems in scope for an agency at the same time and issues one audit report covering all systems in scope per the MOU.

Audit Services should consider adding information to the MOU about audit deadlines or the planned timeframe for the audit. This added communication will ensure all parties understand when Audit Services plans to complete the audits. Additionally, more information about audit timing will allow agencies to determine whether they need to obtain a separate audit for specific systems to keep those systems compliant with the Security Audit Standard between the date of the MOU and the anticipated deadline set by Audit Services.

Of the four audits Audit Services completed late during fiscal year 2022, two of the delays are due to the agencies requesting postponements. Additionally, of the ten audits that were already late as of June 30, 2022, two are due to agency-requested postponements. The remaining late audits are primarily due to resource constraints within Audit Services.

Audit Services should regularly monitor its audit workplan to ensure audit staff complete all IT security audits by the required deadlines. Additionally, Audit Services should evaluate its staffing levels and assess whether VITA should contract with an outside audit firm to aid in completing IT security audits.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-090: Improve Third-Party Oversight Process
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services does not have a formal and consistent process for maintaining oversight of three of its IT third-party service providers (providers) that manage and support the Medicaid management system. As a result of this informal and inconsistent process, Medical Assistance Services did not verify or implement three controls required by the Hosted Environment Security Standard. We communicated the three weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia because it contains descriptions of security mechanisms.

Without a formal and consistent process to maintain oversight of its providers, Medical Assistance Services cannot validate whether its providers implement the security controls that meet the requirements in the Hosted Environment Security Standard to protect the agency's sensitive and mission-critical data.

While Medical Assistance Services has a formal IT Third Party and Vendor Compliance Management Policy, effective as of December 31, 2021, the agency experienced turnover in its ISO position in June 2022 before a formal procedure was developed. As a result, Medical Assistance Services did not consistently maintain oversight of its providers in accordance with the Hosted Environment Security Standard.

Medical Assistance Services should dedicate the necessary resources to develop a formal procedure to maintain oversight of its providers in accordance with its policy and the Hosted Environment Security Standard. Medical Assistance Services should also dedicate the necessary resources to implement and consistently perform the formal oversight process, which will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-100: Continue to Ensure ITISP Suppliers Meet All Contractual Requirements
Applicable to: Virginia Information Technologies Agency
Prior Year Finding Number: 2021-023; 2020-070
Type of Finding: Internal Control
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Although VITA is monitoring and enforcing the contractual requirements each month, as of June 2022 there were still cases of Information Technology Infrastructure Services Program (ITISP) suppliers not meeting the minimum requirements. When ITISP suppliers do not meet all contractual requirements (e.g., key measures, critical service levels, deliverables), it impairs the ability of Commonwealth agencies that rely on the ITISP services to comply with the Security Standard. The Security Standard is a baseline for information security and risk management activities for Commonwealth agencies, and many agencies rely on services provided through the ITISP suppliers to ensure compliance with it.

For example, the Security Standard requires the installation of security-relevant software updates within 90 days of release (Security Standard Section: SI-2 Flaw Remediation). Commonwealth agencies rely on the ITISP suppliers to install security patches in the systems that support agency operations. Our audits at various agencies for fiscal year 2022 found critical and highly important security patches that were past the 90-day Security Standard requirement. Systems missing critical security updates are at an increased risk of successful cyberattack, exploit, and data breach by malicious parties.

Additionally, the Security Standard requires agencies to review and analyze audit records at least every 30 days for indications of inappropriate or unusual activity (Security Standard Section: AU-6 Audit Review, Analysis, and Reporting). Our audits of various agencies for fiscal year 2022 found that agencies rely on the ITISP suppliers to provide access to a centralized monitoring tool that collects audit log information about activities in the IT environment. Certain agencies were unable to obtain access to the audit log information during fiscal year 2022, and thus were not able to comply with the Security Standard requirements related to audit log monitoring. Although the supplier was performing audit logging and monitoring, only a select few agencies have access to the monitoring tool while the supplier is pilot testing it. The Commonwealth's risk to data confidentiality, integrity, and availability increases when agencies are unable to review and monitor their individual audit logs.

During fiscal year 2022, VITA and the Multisource Service Integrator (MSI) evaluated the current service level measurements to ensure they align with the Commonwealth's needs. As of December 2022, VITA and the MSI are implementing changes to the service level related to security and vulnerability patching. The changes to this service level include establishing a Common Vulnerabilities and Exposures (CVE) threshold. The new security and vulnerability patching service level will require the ITISP suppliers to install any patch with a CVE score above the threshold within 90 days. VITA continues to work with the managed security supplier to address the agencies' inability to access the audit log information. The supplier replaced the original security incident and event management system with a new managed detection and response (MDR) platform. Currently, only a small number of agencies are piloting the new MDR system.

VITA should document the rationale for all changes to the service levels, including the basis for the CVE score threshold selected, and continually reevaluate the service levels as risks change. To ensure all agencies that rely on the ITISP services can comply with the Security Standard, VITA should ensure ITISP suppliers meet all contractual requirements (e.g., key measures, critical service levels, deliverables). To aid in determining which requirements have Security Standard implications, VITA should crosswalk contractual requirements to the Security Standard. A crosswalk will help identify which requirements, if not met, could put an agency at risk under the Security Standard. If VITA determines an ITISP supplier is not meeting a contractual requirement that may have a Security Standard implication, VITA should communicate with the affected agencies and provide guidance on compensating controls and processes the agencies should implement to reduce risk while the suppliers work to meet the requirements of the contract.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-011: Perform Responsibilities Outlined in the Agency Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-070; 2020-074; 2019-090; 2018-093
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.303(a)
Known Questioned Costs: $0

The Department of Social Services' (Social Services) Compliance Division (Compliance) continues to not adhere to its established approach for overseeing the agency's subrecipient monitoring activities, as outlined in its Agency Monitoring Plan. During fiscal year 2022, Social Services disbursed approximately $588 million in federal funds from roughly 5,000 subawards. According to Social Services' Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps ensure adherence to state and federal legal and regulatory standards, including subrecipient monitoring. During the audit, we noted the following deviations from the Agency Monitoring Plan:

• Compliance has not finalized the Agency Monitoring Plan and, as a result, has not communicated it to Subrecipient Monitoring Coordinators within each division of Social Services. Because of the lack of communication, there were deviations from the Agency Monitoring Plan at the division level. For example, the Agency Monitoring Plan requires each division to monitor subrecipients once every three years. However, the Local Review Team and Child Care Subsidy Program Monitoring Plans did not consider this requirement because the Subrecipient Monitoring Coordinators were unaware of it. We communicated this matter to Social Services through the audit finding titled "Finalize the Agency Monitoring Plan and Communicate Responsibilities to Subrecipient Monitoring Coordinators," which we have included as a separate audit finding in this report.

• Compliance continues to not review division monitoring plans to ensure the divisions implemented a risk-based approach for monitoring subrecipients. The Agency Monitoring Plan states that Compliance will use a monitoring plan checklist to evaluate and determine whether all the required elements for subrecipient monitoring are present in each division's plan. As a result of the lack of review, the Division of Benefit Programs' (Benefit Programs) monitoring plan continues to not meet all the requirements outlined in the Agency Monitoring Plan, because it does not include a risk-based approach for subrecipient monitoring and does not consider all subrecipients who receive funding from the Temporary Assistance for Needy Families (TANF) federal grant program. We communicated these matters to Social Services through the audit findings titled "Verify that Monitoring Plan Includes All Subrecipient Programmatic Activities" and "Evaluate Subrecipients' Risk of Noncompliance in Accordance with Federal Regulations," which we have included as separate audit findings in this report.

• Compliance continues to not conduct an analysis of the subrecipient monitoring review efforts performed by the divisions. As a result, Compliance has not produced quarterly reports of variances and noncompliance to brief Social Services' Executive Team on the agency's subrecipient monitoring activities. Because of the lack of analysis, Compliance was unaware of deviations from the Agency Monitoring Plan occurring at the divisions. For example, Benefit Programs only completed 25 of the 67 (37%) scheduled reviews for the Low-Income Home Energy Assistance Program (LIHEAP) federal grant program. Additionally, Benefit Programs did not upload its monitoring review records to Social Services' data repository timely for management review. As a result, Compliance was unaware that Regional Consultants were deviating from Benefit Programs' monitoring plan. We communicated this matter to Social Services through the audit finding titled "Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan," which we have included as a separate audit finding in this report.

Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot provide Social Services' Executive Team with reasonable assurance that the agency complied with the pass-through entity federal requirements at 2 CFR § 200.332. Title 2 CFR § 200.303(a) requires pass-through entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

Compliance planned to procure a centralized system to strengthen its monitoring activities but has been unsuccessful in its efforts, and it has not identified alternative approaches for carrying out the responsibilities in the Agency Monitoring Plan or discussed them with Social Services' Executive Team. Because of the scope of this matter, we consider it to be a material weakness in internal control.

Social Services' Executive Team shapes strategies, develops objectives, and collectively resolves issues that are critical to overall agency performance. Social Services' Executive Team and Compliance should work collaboratively to determine the best approach for carrying out the responsibilities in the Agency Monitoring Plan. Additionally, Social Services' Executive Team and Compliance should hold quarterly meetings to discuss the Agency Monitoring Plan and its activities.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-012: Finalize the Agency Monitoring Plan and Communicate Responsibilities to Subrecipient Monitoring Coordinators
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-069; 2020-076
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0

Compliance has not finalized its Agency Monitoring Plan and communicated responsibilities to Subrecipient Monitoring Coordinators, as recommended during the fiscal year 2020 audit. The oversight of Social Services' subrecipient monitoring processes transitioned from the Division of Community and Volunteer Services (Community and Volunteer Services) to Compliance in fiscal year 2019. Community and Volunteer Services created the Agency Monitoring Plan, and it is now the responsibility of Compliance. However, Compliance has not updated the Agency Monitoring Plan to properly reflect agency operations over subrecipient monitoring. In effect, Compliance continues to not communicate the Agency Monitoring Plan to Subrecipient Monitoring Coordinators within each division of Social Services. During fiscal year 2022, Social Services disbursed approximately $588 million in federal funds from roughly 5,000 subawards.

Title 2 CFR § 200.332(d) requires pass-through entities to monitor the activities of subrecipients as necessary to ensure use of the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without clearly defining responsibilities and communicating federal requirements, Compliance cannot provide assurance that Social Services adequately monitors all its subrecipients to ensure they are achieving program objectives or complying with federal requirements.

Compliance was unable to finalize the monitoring plan and communicate responsibilities to monitoring coordinators because it did not dedicate the resources necessary to implement corrective action. Compliance should allocate resources to finalize the Agency Monitoring Plan to properly address subrecipient monitoring responsibilities. Additionally, Compliance should communicate the Agency Monitoring Plan to Subrecipient Monitoring Coordinators within each division of Social Services.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-014: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0

Benefit Programs does not oversee subrecipient monitoring activities to ensure they are conducted in accordance with its monitoring plan. During the fiscal year, Benefit Programs disbursed approximately $312 million in subaward payments from the Supplemental Nutrition Assistance Program (SNAP) and Medicaid Clusters and the LIHEAP and TANF federal grant programs. During the audit, we noted the following deviations from Benefit Programs' monitoring plan:

• Benefit Programs created a monitoring plan to comply with Social Services' Agency Monitoring Plan. Regional consultants, who perform subrecipient monitoring activities, created their own subrecipient monitoring schedules that were not consistent with Benefit Programs' monitoring schedule.

• Benefit Programs did not confirm that the fiscal year 2022 monitoring review records uploaded to its data repository were complete. Some of the missing records included the agency notification letter, case selection sample, and subrecipient monitoring checklist.

• At the beginning of audit fieldwork, the data repository did not contain all subrecipient monitoring reviews performed during the fiscal year. The Subrecipient Monitoring Coordinator subsequently obtained and uploaded the remaining subrecipient monitoring reviews to Benefit Programs' data repository. At the time of the audit, the data repository only included the following subrecipient monitoring reviews:
  o 12 of 25 (48%) reviews performed for the LIHEAP federal grant program;
  o 22 of 73 (30%) reviews performed for the SNAP Cluster;
  o 13 of 62 (21%) reviews performed for the Medicaid Cluster; and
  o nine of 62 (15%) reviews performed for the TANF federal grant program.

Benefit Programs only completed 25 of the 67 (37%) scheduled reviews for the LIHEAP federal grant program.

Benefit Programs did not identify these issues because its monitoring plan did not clearly delineate who was responsible for overseeing subrecipient monitoring activities. As a result, no one in Benefit Programs was overseeing subrecipient monitoring activities.

Title 2 CFR § 200.332(d) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the pass-through entity uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conduct monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with 2 CFR § 200.332(d).

In March 2022, Benefit Programs created a Subrecipient Monitoring Coordinator position to oversee its monitoring activities. The Subrecipient Monitoring Coordinator is working with Benefit Programs' Associate Director for Operations and Support to confirm that Benefit Programs' monitoring plan meets federal requirements. Benefit Programs should continue its efforts to confirm that it conducts monitoring activities in accordance with its monitoring plan.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-016: Evaluate Subrecipients' Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0

Benefit Programs continues to not evaluate subrecipients' risk of noncompliance with federal regulations related to the administration of the SNAP and Medicaid Clusters and the TANF and LIHEAP federal grant programs. Benefit Programs develops its subrecipient monitoring approach using the size of the subrecipient; however, it does not perform any further risk assessment procedures to determine the monitoring approach. Social Services disbursed approximately $312 million to subrecipients from these federal programs during the fiscal year.

Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Further, 2 CFR § 200.332(b) suggests that pass-through entities should consider the results of previous audits, the subrecipient's prior experience with the same or similar subawards, and whether the subrecipient has new personnel or new or substantially changed systems.

Benefit Programs developed a corrective action plan to perform risk assessment procedures to comply with 2 CFR § 200.332(b); however, Benefit Programs was unable to implement corrective action due to staff turnover. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipient as necessary to ensure that the pass-through entity used the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward.

Benefit Programs should continue its corrective action efforts to implement a risk assessment process for subrecipients that is consistent with federal regulations, and ensure that its monitoring efforts are consistent with the results of its risk assessment.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-018: Continue Strengthening Process over Medicaid Coverage Cancellations
Applicable to: Department of Medical Assistance Services; Department of Social Services
Prior Year Finding Number: 2021-067
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Eligibility - 42 CFR § 433.400(d)
Known Questioned Costs: $0

The Department of Medical Assistance Services (Medical Assistance Services) continues to oversee the review of individuals with an out-of-state address in the Medicaid claims processing module of the Medicaid management system who may no longer be eligible for Medicaid coverage. Based on data from our prior year finding, Medical Assistance Services, with assistance from Social Services, reviewed cases with an out-of-state address and subsequently closed approximately 6,700 cases and recouped $40.1 million in Managed Care Organization (MCO) payments. Medical Assistance Services further reviewed additional cases related to fiscal year 2022 and, as of November 2022, had identified an additional 8,500 cases for closure and recouped an additional $43.4 million in MCO payments. These efforts are ongoing, as research is in progress for approximately 4,700 cases; however, Medical Assistance Services anticipates completing the review of these cases by December 2022.

Medicaid eligibility is based on several financial and non-financial requirements. Section 12VAC30-40-10 of the Virginia Administrative Code lays out the general conditions of eligibility that an individual must satisfy to enroll in the Medicaid program. One of the non-financial requirements is that the individual be a state resident.

In Spring 2020, with the onset of the Public Health Emergency (PHE), the federal government modified the program requirements: under the Families First Coronavirus Response Act § 6008(b)(3), states cannot cancel Medicaid coverage during the PHE except in the following situations: an individual's death, an individual's request to cancel coverage, or an individual's relocation to another state. To ensure compliance with these requirements, Medical Assistance Services began reviewing coverage cancellation information monthly to ensure cancellations of coverage only occurred for allowable reasons during the PHE. Under the process, Medical Assistance Services reviewed cancellation codes in the eligibility system and reinstated coverage for those cases that did not meet certain cancellation reasons. For this process to be effective, Medical Assistance Services was relying on correct cancellation codes in the eligibility system; however, for the cases identified, the eligibility system produced a generic cancellation code, causing Medical Assistance Services to reinstate the Medicaid coverage although the individual may no longer have been eligible for coverage.

Medical Assistance Services has undertaken significant efforts to address this issue. Medical Assistance Services staff, along with Social Services and other contracted staff, have performed detailed eligibility reviews of over 17,000 individual cases. In addition to these reviews, Medical Assistance Services has worked with Social Services to ensure it correctly records future coverage cancellations related to relocations to another state in the eligibility system. As of June 2022, Social Services programmed the eligibility system to return a specific cancellation code for relocating out of Virginia instead of a generic cancellation code.

While this system change should reduce the number of cases that Medical Assistance Services reinstates when an individual has moved out of state, Medical Assistance Services has also implemented a new quarterly review process to identify individuals who may have relocated out of state and may no longer be eligible for Medicaid coverage. We encourage Medical Assistance Services, along with Social Services, to continue with these efforts to ensure only eligible individuals are receiving Medicaid benefits.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-022: Improve Information Security Program and IT Governance
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Information Security Roles and Responsibilities
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services has an insufficient governance structure to manage and maintain its information security program in accordance with the Commonwealth's Information Security Standard, SEC 501 (Security Standard). Specifically, Social Services does not assess information security requirements for its information technology (IT) projects or prioritize information security and IT resources to ensure its information security program effectively protects sensitive Commonwealth data in accordance with the Security Standard.

Social Services uses numerous IT systems to carry out its mission and provide essential services to the public. The Security Standard, Section 2.4.2, requires the agency head to maintain an information security program that is sufficient to protect the agency's IT systems and to ensure the information security program is documented and effectively communicated.

We communicated the internal control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to its sensitivity and description of security controls. The internal control weaknesses described in the communication marked FOIAE are the result of Social Services not assessing information security requirements prior to project implementation or prioritizing information security within the IT environment.

Not prioritizing IT resources to properly manage its information security program can result in a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external. Additionally, not dedicating the necessary IT resources to information security has hindered Social Services' ability to consistently and timely remediate findings from management recommendations issued in prior audits and to bring the information security program into compliance with the Security Standard. Because of the scope of this matter, we consider it to be a material weakness in internal control.

Social Services should evaluate the most efficient and effective method to bring its IT and security program into compliance with the Security Standard. Social Services should also evaluate its IT resource levels to ensure sufficient resources are available and dedicated to prioritizing and implementing IT governance changes and to addressing the internal control deficiencies discussed in the communication marked FOIAE. Implementing these recommendations will help to ensure Social Services protects the confidentiality, integrity, and availability of its sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-024: Improve Information Security Program and Controls
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2021-024; 2020-024
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Access Control; Awareness and Training; Incident Response; Information Security Roles and Responsibilities; Personnel Security; Planning; Risk Assessment; Security Assessment and Authorization; System and Services Acquisition
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services continues to address weaknesses found during an audit of IT general controls. The audit, performed by an external consultant for the period April 1, 2019, through March 31, 2020, resulted in 71 individual control weaknesses out of 100 controls tested, which the consultant grouped into ten findings. As of the end of fiscal year 2022, Medical Assistance Services had resolved one of the ten findings and continues to make progress on the nine remaining findings, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

Noncompliance with the required security controls increases the risk of unauthorized access to mission-critical systems and data, in addition to weakening the agency's ability to respond to malicious attacks against its IT environment. Medical Assistance Services has experienced delays in addressing these findings due to staffing turnover and shortages, as well as organizational changes that affected some of its processes.

Medical Assistance Services updated its corrective action plan in June 2022, stating that corrective actions are still ongoing for all nine findings; it estimates it will complete corrective action for eight of the findings by the end of calendar year 2022 and the last finding by June 2023. Medical Assistance Services should continue to dedicate the necessary resources to ensure timely completion of its corrective action plans and to comply with the Security Standard. These actions will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-029: Improve Web Application Security
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-025; 2020-026; 2019-037
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability; Configuration Management; Risk Assessment; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to not configure a sensitive web application in accordance with the Security Standard. Since the prior audit, Social Services has not remediated any of the previously identified weaknesses. We communicated the weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

The Security Standard requires implementing certain internal controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Social Services cannot ensure adequate protection of its sensitive and mission-critical data without configuring its sensitive web application in accordance with the Security Standard.

Lacking or insufficient procedures and processes to manage the web application contributed to the five weaknesses outlined in the separate FOIAE document. Social Services' prioritization of other projects also contributed to the weaknesses persisting.

Social Services should dedicate the necessary resources to remediate the weaknesses discussed in the communication marked FOIAE in accordance with the requirements in the Security Standard. Implementing the required controls will help to ensure Social Services secures the web application to protect its sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-030: Continue Improving IT Risk Management Program
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-026; 2020-027; 2019-063; 2018-025
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Contingency Planning; Planning; Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to not have a formal and effective IT risk management program that aligns with the requirements in the Security Standard. Since we first issued this finding during the fiscal year 2018 audit, Social Services has remediated some risk management and contingency planning issues. However, Social Services continues to not:

• accurately verify and validate data and system sensitivity ratings;
• create risk assessments for 50 percent of its sensitive systems;
• create system security plans for 52 percent of its sensitive systems;
• perform annual reviews for 99 percent of its existing risk assessment documentation;
• perform annual reviews for 74 percent of its existing system security plan documentation; and
• implement corrective actions identified in risk assessments.

We communicated the details of these weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Due to the magnitude of the project, Social Services has not yet remediated all the weaknesses. Additionally, the requirements documented in the policy and the process documented in the procedure do not align, which contributed to Social Services not consistently completing risk management documentation due to conflicting roles and responsibilities.

Without implementing a formal and effective IT risk management program, Social Services cannot assure itself that it is reducing unnecessary risk to the confidentiality, integrity, and availability of its information systems and data. Social Services should prioritize and dedicate the necessary resources to remediate the weaknesses discussed in the communication marked FOIAE in accordance with the requirements in the Security Standard. Completing its corrective action plan will help to ensure the confidentiality, integrity, and availability of the agency's sensitive systems and mission-essential functions.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-052: Continue Improving IT Change and Configuration Management Process
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-049; 2020-044; 2019-038
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Configuration Management
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to improve its IT change and configuration management process to align with the Security Standard. Change management is a key control to evaluate, approve, and verify configuration changes to security components. Two weaknesses remain since our last review, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

Social Services' Change Management Process Guide details the process Social Services follows to manage changes but does not include all the required elements, which contributed to the weaknesses remaining. Additionally, the change request form does not have the necessary fields to document the required elements.

The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Without these controls, Social Services cannot assure itself that it is reducing unnecessary risk to the confidentiality, integrity, and availability of its information systems and data.

Social Services should resolve the remaining two weaknesses discussed in the communication marked FOIAE in accordance with the Security Standard. Continuing to improve Social Services' IT change and configuration management process will decrease the risk of unauthorized modifications to sensitive systems and help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-057: Improve Timely Removal of Critical System Access
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2021-037; 2020-049; 2019-024; 2018-040; 2017-016
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Personnel Security
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services did not timely remove access to the claims processing module or the eligibility system for individuals who separated from the agency and no longer needed access. For one out of eight (12.5%) users, Medical Assistance Services did not disable system access in the claims processing module within 24 hours of separation; the user retained system access for 11 days after separation. For three out of 25 (12%) users, Medical Assistance Services did not disable system access in the eligibility system within 24 hours of separation; these three users were contract employees and retained their access to the system for between 104 and 123 days after separation.

Medical Assistance Services' Access Control Policy requires that "all user accounts must be disabled immediately upon separation or within 24 hours upon receipt by the Office of Compliance and Security" (Compliance and Security). Failing to disable access timely for web-based mission-critical systems threatens the data integrity of the systems. If separated users retain access to the claims processing module or the eligibility system, they are potentially able to view, copy, and edit sensitive information.

Several factors contribute to this issue. First, Medical Assistance Services' internal policy is not in compliance with the Security Standard: the Security Standard requires agencies to disable access within 24 hours of separation, not within 24 hours of receipt of notification. Additionally, supervisors are not communicating information on separated employees timely. A separating employee's supervisor must initiate an exit clearance workflow for the system to automatically notify Compliance and Security to remove system access. For the user of the claims processing module, the supervisor requested access termination more than 24 hours after the employee's separation. Finally, for the three users of the eligibility system, Compliance and Security received the access termination request timely but did not terminate access until more than 24 hours after receipt.

In June 2022, Medical Assistance Services implemented several organizational changes, including dissolving Compliance and Security. The responsibility for system access management moved to the division responsible for the system and its applicable business function. Medical Assistance Services is currently updating its internal Access Control Policy to ensure it is consistent with the Security Standard and the organizational updates, and expects to complete the policy and process updates in December 2022. Medical Assistance Services should also train and educate supervisors on the importance of timely notification of separated employees. Finally, Medical Assistance Services should ensure compliance with the Security Standard by removing user access as required.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-059: Monitor Internal Controls to Ensure Timely Removal of System Access
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-038; 2021-027; 2020-025; 2019-027; 2018-042
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Personnel Security
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services did not comply with the Security Standard requirements for removing system access for separated employees. For 13 of the 26 (50%) separations tested from fiscal year 2022, Social Services did not remove system access within 24 hours following each employee's separation date. Untimely removal of access ranged between two and 290 days after each employee's separation date.

Section PS-4 of the Security Standard requires an organization to disable information system access within 24 hours of employment termination. To comply with the Security Standard, Social Services created a policy in Section 2.9 of its State/Local Security Officers Procedures Manual (Manual) that requires supervisors to complete the State Employee Separation and Transfer Checklist (Separation Checklist) at least 48 hours in advance of the employee's separation and submit it to the Division Security Officer. The Division Security Officer must then remove the separated employee from Social Services' access management system, which controls access to its internal systems, within 24 hours following the employee's separation date. Upon completion, the Division Security Officer is responsible for submitting the Separation Checklist to other divisions, such as the Division of Human Resources (Human Resources) and the Central Security Office (Central Security), to make them aware of the separation.

Social Services does not appear to monitor compliance with internal policies surrounding access removal for separated employees. Of the 13 employees with access removed more than 24 hours after their separation dates:

• We noted four instances where Social Services was unable to provide the Separation Checklist. As a result, Social Services was unable to demonstrate compliance with its internal policies surrounding access removal for separated employees.
• Of the remaining nine employees with completed Separation Checklists, we noted nine instances of untimely or inaccurate supervisor sign-offs. Specifically, there were seven instances where the supervisor did not submit the Separation Checklist to the Division Security Officer at least 48 hours in advance of the employee's date of separation and two instances where the supervisor did not properly sign off and date the Separation Checklist.

Social Services administers numerous public assistance programs that collect personally identifiable information and other protected information from beneficiaries. Social Services places its data and reputation at risk by not removing access timely. Additionally, Social Services could incur a potential financial liability should its information become compromised.

The Security Standard states that the Agency Head is responsible for the security of the agency's IT systems and data. Since Human Resources, Central Security, and the Division Security Officers share ownership of the employee separation and access removal processes, Social Services' Executive Team should identify which division in the agency should be responsible for monitoring compliance with internal policies surrounding access removal for separated employees. Social Services' Executive Team should periodically review the monitoring results and take enforcement actions, as necessary, if the agency is not compliant.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
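Findings 2022-057 and 2022-059 above both turn on the same measurable rules: access is disabled within 24 hours of the separation date (not of receipt of the request), and the Separation Checklist reaches the Division Security Officer at least 48 hours before separation. The following added example, which is not part of the audit report or of either agency's own process, shows the compliance monitoring the findings recommend, run over a constructed set of separation records. The record fields, user names, timestamps and review date are assumptions made for illustration; it also shows why a policy that measures from receipt of the notification rates a late case as on time.

```python
"""Audit check for timely removal of system access after separation.

Added example, not part of the audit report or either agency's own process.
It applies the two rules the findings describe to constructed records:
  - Security Standard PS-4: disable access within 24 hours of the separation
    date (measured from separation, not from receipt of the notification);
  - Social Services' Manual, Section 2.9: the Separation Checklist reaches the
    Division Security Officer at least 48 hours before separation.
All users, timestamps and field names below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

ACCESS_REMOVAL_WINDOW = timedelta(hours=24)   # PS-4: 24 hours from separation
CHECKLIST_LEAD_TIME = timedelta(hours=48)     # Manual 2.9: 48 hours before separation


@dataclass
class SeparationRecord:
    user: str
    separated_at: datetime
    disabled_at: Optional[datetime]                # None: account still enabled
    notification_received_at: Optional[datetime]   # when the security office got the request
    checklist_submitted_at: Optional[datetime]     # None: checklist could not be produced


def access_removal_delay(rec: SeparationRecord, as_of: datetime) -> timedelta:
    """Time the account stayed enabled after separation (still open: up to as_of)."""
    end = rec.disabled_at if rec.disabled_at is not None else as_of
    return end - rec.separated_at


def evaluate(rec: SeparationRecord, as_of: datetime) -> List[str]:
    """Return the exceptions for one separation; empty when fully compliant."""
    issues = []
    delay = access_removal_delay(rec, as_of)
    if delay > ACCESS_REMOVAL_WINDOW:
        issues.append(f"access retained {delay.days} days after separation")
        # A policy that measures from receipt of the request (the internal policy
        # finding 2022-057 calls non-compliant) would have rated this case on time
        # whenever the security office acted quickly on a late notification.
        if (rec.notification_received_at is not None and rec.disabled_at is not None
                and rec.disabled_at - rec.notification_received_at <= ACCESS_REMOVAL_WINDOW):
            issues.append("supervisor notified late; compliant only if measured from receipt")
    if rec.checklist_submitted_at is None:
        issues.append("Separation Checklist not provided")
    elif rec.separated_at - rec.checklist_submitted_at < CHECKLIST_LEAD_TIME:
        issues.append("Separation Checklist submitted less than 48 hours before separation")
    return issues


def summarize(records: List[SeparationRecord], as_of: datetime) -> dict:
    """Population-level figures in the form the audit findings report them."""
    delays = [access_removal_delay(r, as_of).days for r in records
              if access_removal_delay(r, as_of) > ACCESS_REMOVAL_WINDOW]
    return {
        "tested": len(records),
        "late": len(delays),
        "late_pct": round(100 * len(delays) / len(records)) if records else 0,
        "min_days": min(delays, default=0),
        "max_days": max(delays, default=0),
    }


# Constructed sample population: four separations, reviewed as of 30 June 2022.
AS_OF = datetime(2022, 6, 30, 17, 0)
SAMPLE = [
    SeparationRecord("user-a", datetime(2022, 1, 10, 17), datetime(2022, 1, 11, 9),
                     datetime(2022, 1, 10, 18), datetime(2022, 1, 7, 9)),
    SeparationRecord("user-b", datetime(2022, 2, 1, 17), datetime(2022, 2, 12, 17),
                     datetime(2022, 2, 12, 10), datetime(2022, 2, 1, 9)),
    SeparationRecord("user-c", datetime(2022, 3, 1, 17), None, None, None),
    SeparationRecord("user-d", datetime(2022, 4, 4, 17), datetime(2022, 4, 5, 8),
                     datetime(2022, 4, 4, 17, 30), datetime(2022, 4, 1, 9)),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.user, evaluate(rec, AS_OF) or "compliant")
    print(summarize(SAMPLE, AS_OF))
```

Run against the constructed sample, two of the four separations are late (11 and 121 days), one of them because the supervisor notified the security office late, and one has no Separation Checklist at all; the summary gives the "13 of 26 (50%), between two and 290 days" style figures the findings quote. Whichever division is made responsible for monitoring, the check only needs the separation date, the disable timestamp from the access management system, and the checklist submission date, which is the minimum record set to retain for each separation.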
2022-060: Upgrade End-of-Life Technology
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services uses end-of-life technologies in its IT environment and maintains technologies that support mission-essential data on IT systems that its vendors no longer support. We communicated the internal control weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

The Security Standard prohibits using software that is end-of-life and no longer supported by the vendor, to reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Social Services does not assign an individual or team the responsibility to track end-of-life software dates and does not have a formal process to ensure that it upgrades software versions prior to the end-of-life date, which caused the end-of-life software to remain in the environment.

Social Services' use of end-of-life software increases the risk that known vulnerabilities will persist in the system without the potential for patching or mitigation. These unpatched vulnerabilities increase the risk of successful cyberattack, exploit, and data breach by malicious parties. Further, vendors do not offer operational and technical support for end-of-life or end-of-support technology, which affects data availability by increasing the difficulty of restoring system functionality if a technical failure occurs.

Social Services should dedicate the necessary resources to evaluate and implement the internal controls and recommendations discussed in the communication marked FOIAE in accordance with the Security Standard. Minimizing the use of end-of-life software will help to ensure that Social Services secures its IT environment and systems to protect its sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
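The finding above says the root cause is that nobody is assigned to track end-of-life dates and there is no process to upgrade before those dates arrive. The following added example, which is not Social Services' process or any vendor's data, shows what that tracking looks like as a recurring check: an inventory is matched against a table of vendor end-of-support dates and sorted into already unsupported, due for upgrade within a planning window, supported, and not assessable. The product names, versions, dates, system names and the 180-day lead time are all constructed or assumed for illustration.

```python
"""End-of-life (EOL) tracking check for a software inventory.

Added example, not part of the audit report or of Social Services' process.
It performs the tracking the finding says nobody was assigned: pair each
inventory item with the vendor's end-of-support date and report what is
already unsupported, what must be upgraded within a planning lead time, and
what cannot be assessed because no support date is on file.  Product names,
versions, dates, system names and the 180-day lead time are constructed/assumed.
"""
from datetime import date, timedelta
from typing import Dict, List

# Constructed vendor support table: (product, major version) -> end-of-support date.
EOL_DATES = {
    ("ExampleDB", "11"): date(2021, 11, 1),
    ("ExampleDB", "13"): date(2025, 11, 1),
    ("ExampleAppServer", "8"): date(2022, 3, 31),
    ("ExampleOS", "2016"): date(2022, 10, 15),
}

UPGRADE_LEAD_TIME = timedelta(days=180)   # assumed policy: begin the upgrade 180 days out
STATUSES = ("end-of-life", "upgrade-due", "supported", "unknown")
REVIEW_DATE = date(2022, 6, 30)           # constructed review date (fiscal year end)


def major_version(version: str) -> str:
    """Vendors publish support dates per major version ('11.12' -> '11')."""
    return version.split(".")[0]


def classify(product: str, version: str, as_of: date) -> str:
    """Support status of one product version on the review date."""
    eol = EOL_DATES.get((product, major_version(version)))
    if eol is None:
        return "unknown"          # no date on file: cannot be assessed, itself a gap
    if eol <= as_of:
        return "end-of-life"      # vendor no longer patches this version
    if eol - as_of <= UPGRADE_LEAD_TIME:
        return "upgrade-due"      # still supported, but inside the planning window
    return "supported"


def review_inventory(inventory: List[dict], as_of: date) -> Dict[str, List[str]]:
    """Group system names by support status as of the review date."""
    report: Dict[str, List[str]] = {status: [] for status in STATUSES}
    for item in inventory:
        report[classify(item["product"], item["version"], as_of)].append(item["system"])
    return report


def needs_owner_action(report: Dict[str, List[str]]) -> List[str]:
    """Systems the tracking owner must act on: unsupported, due, or unassessable."""
    return report["end-of-life"] + report["upgrade-due"] + report["unknown"]


# Constructed inventory; system names are placeholders, not real hosts.
SAMPLE_INVENTORY = [
    {"system": "eligibility-db", "product": "ExampleDB", "version": "11.12"},
    {"system": "claims-app", "product": "ExampleAppServer", "version": "8.5.2"},
    {"system": "portal-db", "product": "ExampleDB", "version": "13.7"},
    {"system": "file-server", "product": "ExampleOS", "version": "2016"},
    {"system": "legacy-report", "product": "LegacyReporting", "version": "4.2"},
]

if __name__ == "__main__":
    rep = review_inventory(SAMPLE_INVENTORY, REVIEW_DATE)
    for status in STATUSES:
        print(f"{status:12s} {', '.join(rep[status]) or '-'}")
    print("action required:", needs_owner_action(rep))
```

The "unknown" bucket matters as much as "end-of-life": a product with no support date on file is exactly the case the finding describes, where nobody can say whether patches are still available. Keeping the support table under the same owner as the inventory, and re-running the check on a schedule, is the formal process the finding asks for.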
2022-064: Continue Developing Record Retention Requirements and Processes for Electronic Records
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-047; 2020-041; 2019-049; 2018-054
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Contingency Planning
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to operate without an adequate data retention process for its case management system. Social Services' case management system authorized over $10 billion in benefit payments from various public assistance programs to beneficiaries during fiscal year 2022. We communicated this weakness to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

Since fiscal year 2019, Social Services has gathered retention requirements from the business divisions. During the fiscal year, Social Services finalized and documented policies with retention requirements. However, Social Services has not developed, documented, and implemented a policy, procedure, and process to operationalize the record retention requirements needed.

Federal regulations impose different record retention requirements for different federal programs. Additionally, the Virginia Public Records Act (§ 42.1-91 of the Code of Virginia) requires each agency to be responsible for ensuring that it preserves, maintains, and makes accessible public-facing records throughout their lifecycle, including converting and migrating electronic records as often as necessary so that information is not lost due to hardware, software, or media obsolescence or deterioration. Further, the Security Standard, Section CP-9-COV, requires the agency to implement backup and restoration plans for every IT system identified as sensitive relative to availability that address the retention of the data in accordance with the records retention policy.

Without developing, documenting, and implementing a policy, procedure, and process to operationalize record retention requirements, Social Services increases data risk and increases its potential exposure to fines, penalties, or other legal consequences. Additionally, Social Services may cause the Commonwealth to spend additional resources to maintain, back up, and protect the information.

Social Services should develop and implement a records retention policy and procedure that defines its requirements and processes, so that consistent record retention processes can be operationalized across business divisions to ensure compliance with laws and regulations.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-066: Conduct Audits of Agency Sensitive Systems Timely
Applicable to: Virginia Information Technologies Agency
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

VITA's Centralized IT Security Audit Service (Audit Services) conducts IT security audits for contracted agencies. The Commonwealth's Information Technology Security Audit Standard, SEC 502 (Security Audit Standard), Section 2.1, requires agencies to complete security audits for each sensitive system every three years from the last audit completion date. Based on our review of audit completion dates provided by Audit Services, we determined the following:

• During fiscal year 2022, Audit Services completed four of six agency IT security audits after the three-year audit deadline.
• As of June 30, 2022, Audit Services is currently engaged in, or has not started, ten agency IT security audits that are past the three-year audit requirement.

When an agency contracts with Audit Services, the agency head or designee signs a Memorandum of Understanding (MOU) which outlines the scope of work and pricing. It is the agency's responsibility to ensure the MOU includes all sensitive systems requiring a security audit. A properly defined MOU allows Audit Services to properly price and schedule the security audit. Audit Services audits all the systems in scope for an agency at the same time and issues one audit report covering all systems in scope per the MOU.

Audit Services should consider adding information to the MOU related to audit deadlines or the planned timeframe for the audit. This added communication will ensure all parties understand when Audit Services plans to complete the audits. Additionally, more information regarding audit timing will allow agencies to determine if they need to obtain a separate audit for specific systems to ensure those systems remain compliant with the Security Audit Standard between the date of the MOU and the anticipated deadline set by Audit Services.

Of the four audits Audit Services completed late during fiscal year 2022, two of the delays are due to the agencies requesting postponements. Additionally, of the ten audits that were already late as of June 30, 2022, two are due to agency-requested postponements. The remaining late audits are primarily due to resource constraints within Audit Services.

Audit Services should regularly monitor its audit workplan to ensure audit staff complete all IT security audits by the required deadlines. Additionally, Audit Services should evaluate its staffing levels and assess whether VITA should contract with an outside audit firm to aid in completing IT security audits.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-090: Improve Third-Party Oversight Process
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services does not have a formal and consistent process for maintaining oversight of three of its IT third-party service providers (providers) that manage and support the Medicaid management system. As a result of an informal and inconsistent process, Medical Assistance Services did not verify or implement three controls required by the Hosted Environment Security Standard. We communicated the three weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia because it contains descriptions of security mechanisms.

Without a formal and consistent process to maintain oversight of its providers, Medical Assistance Services cannot validate whether its providers implement the security controls that meet the requirements in the Hosted Environment Security Standard to protect the agency's sensitive and mission-critical data.

While Medical Assistance Services has a formal IT Third Party and Vendor Compliance Management Policy, effective as of December 31, 2021, the agency experienced turnover in its ISO position in June 2022 before the development of a formal procedure. As a result, Medical Assistance Services did not consistently maintain oversight of its providers in accordance with the Hosted Environment Security Standard.

Medical Assistance Services should dedicate the necessary resources to develop a formal procedure to maintain oversight of its providers in accordance with its policy and the Hosted Environment Security Standard. Medical Assistance Services should also dedicate the necessary resources to implement and consistently perform the formal oversight process, which will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-100: Continue to Ensure ITISP Suppliers Meet All Contractual Requirements
Applicable to: Virginia Information Technologies Agency
Prior Year Finding Number: 2021-023; 2020-070
Type of Finding: Internal Control
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Although VITA is monitoring and enforcing the contractual requirements each month, as of June 2022 there were still cases of Information Technology Infrastructure Services Program (ITISP) suppliers not meeting the minimum requirements. When ITISP suppliers do not meet all contractual requirements (e.g., key measures, critical service levels, deliverables), it impacts the ability of Commonwealth agencies that rely on the ITISP services to comply with the Security Standard. The Security Standard is a baseline for information security and risk management activities for Commonwealth agencies. Many agencies rely on services provided through the ITISP suppliers to ensure compliance with the Security Standard.

For example, the Security Standard requires the installation of security-relevant software updates within 90 days of release (Security Standard Section: SI-2 Flaw Remediation). Commonwealth agencies rely on the ITISP suppliers for the installation of security patches in systems that support agencies' operations. Our audits at various agencies for fiscal year 2022 found critical and highly important security patches that were past the 90-day Security Standard requirement. The systems missing critical security updates are at an increased risk of successful cyberattack, exploit, and data breach by malicious parties.
Additionally, the Security Standard requires agencies to review and analyze audit records at least every 30 days for indications of inappropriate or unusual activity (Security Standard Section: AU-6 Audit Review, Analysis, and Reporting). Our audits of various agencies for fiscal year 2022 found that agencies rely on the ITISP suppliers to provide access to a centralized monitoring tool that collects audit log information about activities in the IT environment. Certain agencies were unable to obtain access to the audit log information during fiscal year 2022, and thus were not able to comply with the Security Standard requirements related to audit log monitoring. Although the supplier was performing audit logging and monitoring, only a select few agencies have access to the monitoring tool while the supplier is pilot testing the tool. The Commonwealth's risk associated with data confidentiality, integrity, and availability increases when agencies are not able to review and monitor their individual audit logs.

During fiscal year 2022, VITA and the Multisource Service Integrator (MSI) evaluated the current service level measurements to ensure they align with the Commonwealth's needs. As of December 2022, VITA and the MSI are implementing changes to the service level related to security and vulnerability patching. The changes to this service level include establishing a Common Vulnerabilities and Exposures (CVE) threshold. The new security and vulnerability patching service level will require the ITISP suppliers to install any patch with a CVE score above the threshold within 90 days.

VITA continues to work with the managed security supplier to address the agencies' inability to access the audit log information. The supplier replaced the original security incident and event management system with a new managed detection and response (MDR) platform. Currently, only a small number of agencies are piloting the new MDR system.
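An added example, not taken from the APA report or from VITA's or the MSI's tooling: a small compliance check an agency could run over its own patch inventory to flag patches that breach the SI-2 90-day window (and, under the new service level, only those at or above the CVE score threshold), plus the AU-6 30-day audit-log review check. The threshold value, system names and patch records below are constructed for illustration; the report does not state the threshold VITA selected.

```python
"""Patch SLA and audit-log review compliance check (added example, not from the report)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

SI2_DEADLINE_DAYS = 90    # SI-2: security-relevant updates installed within 90 days of release
AU6_REVIEW_DAYS = 30      # AU-6: audit records reviewed at least every 30 days
CVE_SCORE_THRESHOLD = 7.0 # constructed placeholder; the report does not give VITA's threshold


@dataclass(frozen=True)
class PatchRecord:
    system: str
    patch_id: str
    cvss: float                     # CVE (CVSS base) score reported for the patch
    released: date
    installed: Optional[date] = None  # None means the patch is not yet installed


def patch_deadline(rec: PatchRecord) -> date:
    """Last compliant installation date: release date plus the 90-day SI-2 window."""
    return rec.released + timedelta(days=SI2_DEADLINE_DAYS)


def in_scope(rec: PatchRecord, threshold: float = CVE_SCORE_THRESHOLD) -> bool:
    """Under the new service level only patches at or above the CVE threshold are measured."""
    return rec.cvss >= threshold


def patch_status(rec: PatchRecord, as_of: date, threshold: float = CVE_SCORE_THRESHOLD) -> str:
    """Classify a patch as of a given date:
    out-of-scope  below the CVE threshold
    on-time       installed within the window
    late          installed, but after the deadline
    overdue       not installed and the deadline has passed
    pending       not installed, deadline still in the future
    """
    if not in_scope(rec, threshold):
        return "out-of-scope"
    deadline = patch_deadline(rec)
    if rec.installed is None:
        return "overdue" if as_of > deadline else "pending"
    return "late" if rec.installed > deadline else "on-time"


def breaches_by_system(records: Iterable[PatchRecord], as_of: date,
                       threshold: float = CVE_SCORE_THRESHOLD) -> Dict[str, List[str]]:
    """Group patches that breach the 90-day window ('late' or 'overdue') per system.
    This is the list an agency would raise with the supplier and use to decide on
    compensating controls while the supplier catches up."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        if patch_status(rec, as_of, threshold) in ("late", "overdue"):
            result.setdefault(rec.system, []).append(rec.patch_id)
    return result


def log_review_overdue(last_review: Optional[date], as_of: date) -> bool:
    """AU-6 check: True when no audit-log review happened within the last 30 days,
    including the case where none happened at all (e.g. no access to the monitoring tool)."""
    if last_review is None:
        return True
    return (as_of - last_review).days > AU6_REVIEW_DAYS


# Constructed sample inventory (not real systems or patches).
SAMPLE_PATCHES = [
    PatchRecord("payments-db", "PATCH-0001", 9.8, date(2022, 1, 10), date(2022, 2, 1)),  # on-time
    PatchRecord("payments-db", "PATCH-0002", 8.1, date(2022, 1, 15), date(2022, 5, 20)), # late
    PatchRecord("case-mgmt-web", "PATCH-0003", 7.5, date(2022, 2, 1)),                   # overdue
    PatchRecord("case-mgmt-web", "PATCH-0004", 4.3, date(2022, 2, 1)),                   # below threshold
    PatchRecord("file-server", "PATCH-0005", 7.2, date(2022, 6, 1)),                     # pending
]
AS_OF = date(2022, 6, 30)  # fiscal year end used in the report

if __name__ == "__main__":
    for rec in SAMPLE_PATCHES:
        print(f"{rec.system:14} {rec.patch_id} cvss={rec.cvss:<4} -> {patch_status(rec, AS_OF)}")
    print("breaches per system:", breaches_by_system(SAMPLE_PATCHES, AS_OF))
    print("AU-6 review overdue with no tool access:", log_review_overdue(None, AS_OF))
```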
VITA should document the rationale for all changes to the service levels, including the basis for the CVE score threshold selected, and continually reevaluate the service levels as risks change. To ensure all agencies that rely on the ITISP services can comply with the Security Standard, VITA should ensure ITISP suppliers meet all contractual requirements (e.g., key measures, critical service levels, deliverables). To aid in determining which requirements have Security Standard implications, VITA should crosswalk contractual requirements to the Security Standard. A crosswalk will help in identifying which requirements, if not met, could put an agency at risk per the Security Standard. If VITA determines an ITISP supplier is not meeting a contractual requirement that may have a Security Standard implication, VITA should communicate with the affected agencies and provide guidance on compensating controls and processes the agencies should implement to reduce risk while the suppliers work to meet the requirements of the contract.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-107: Complete FFATA Reporting for First Tier SABG Subawards
Applicable to: Department of Behavioral Health and Developmental Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Block Grants for Prevention and Treatment of Substance Abuse - 93.959 (COVID-19)
Federal Award Number and Year: B08TI083056 - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR Part 170 Appendix A
Known Questioned Costs: $0

The DBHDS Office of Fiscal and Grants Management (Fiscal and Grants Management) is not completing FFATA reporting for Community Service Boards (CSBs) that received funding from the Substance Abuse Block Grant (SABG) federal grant program. During state fiscal year 2022, DBHDS disbursed approximately $62.2 million in SABG funds to CSBs. This total represents approximately 92 percent of the SABG federal grant program's expenses for state fiscal year 2022.

Title 2 CFR Part 170 Appendix A requires the non-federal entity to report each obligating action exceeding $30,000 to FSRS. Fiscal and Grants Management identified the reporting requirements in its policies and procedures for FFATA reporting and completed FFATA reporting for its other subrecipients. However, Fiscal and Grants Management was unable to complete FFATA reporting for CSBs because of staffing shortages. Additionally, Fiscal and Grants Management did not have all the information it needed to complete FFATA reporting because it was still working with the DBHDS Office of Enterprise Management Services (Enterprise Management Services) to ensure the performance contracts with CSBs included all information necessary for FFATA reporting.

Not reporting to FSRS could result in a citizen or federal official having a distorted view as to how DBHDS is obligating federal funds from the SABG federal grant program.

Fiscal and Grants Management should dedicate the necessary resources to fulfill its FFATA reporting responsibilities for the SABG federal grant program. Additionally, Fiscal and Grants Management should continue to work with Enterprise Management Services to ensure the performance contracts with CSBs include all information necessary for FFATA reporting. Finally, Fiscal and Grants Management should evaluate whether it is fulfilling its FFATA reporting responsibilities for DBHDS's other federal grant programs.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-014: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0

Benefit Programs does not oversee subrecipient monitoring activities to ensure monitoring activities are conducted in accordance with its monitoring plan. During the fiscal year, Benefit Programs disbursed approximately $312 million in subaward payments from the Supplemental Nutrition Assistance Program (SNAP) and Medicaid Clusters and the LIHEAP and TANF federal grant programs. During the audit, we noted the following deviations from Benefit Programs' monitoring plan:

- Benefit Programs created a monitoring plan to comply with Social Services' Agency Monitoring Plan. Regional consultants, who perform subrecipient monitoring activities, created their own subrecipient monitoring schedules that were not consistent with Benefit Programs' monitoring schedule.
- Benefit Programs did not confirm that fiscal year 2022 monitoring review records uploaded to its data repository were complete. Some of the missing records included the agency notification letter, case selection sample, and subrecipient monitoring checklist.
- At the beginning of audit fieldwork, the data repository did not contain all subrecipient monitoring reviews performed during the fiscal year. The Subrecipient Monitoring Coordinator subsequently obtained and uploaded the remaining subrecipient monitoring reviews to Benefit Programs' data repository. The data repository only included the following subrecipient monitoring reviews at the time of the audit:
  - 12 of 25 (48%) reviews performed for the LIHEAP federal grant program;
  - 22 of 73 (30%) reviews performed for the SNAP Cluster;
  - 13 of 62 (21%) reviews performed for the Medicaid Cluster; and
  - nine of 62 (15%) reviews performed for the TANF federal grant program.
- Benefit Programs only completed 25 of the 67 (37%) scheduled reviews for the LIHEAP federal grant program.

Benefit Programs did not identify these issues because its monitoring plan did not clearly delineate who was responsible for overseeing subrecipient monitoring activities. As a result, no one in Benefit Programs was overseeing subrecipient monitoring activities.

Title 2 CFR § 200.332(d) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the pass-through entity uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conduct monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with 2 CFR § 200.332(d).

In March 2022, Benefit Programs created a Subrecipient Monitoring Coordinator position to oversee its monitoring activities. The Subrecipient Monitoring Coordinator is working with Benefit Programs' Associate Director for Operations and Support to confirm that Benefit Programs' monitoring plan meets federal requirements. Benefit Programs should continue its efforts to confirm that it conducts monitoring activities in accordance with its monitoring plan.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-016: Evaluate Subrecipients' Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0

Benefit Programs continues to not evaluate subrecipients' risk of noncompliance with federal regulations related to the administration of the SNAP and Medicaid Clusters and the TANF and LIHEAP federal grant programs. Benefit Programs develops its subrecipient monitoring approach using the size of the subrecipient; however, it does not perform any further risk assessment procedures to determine the monitoring approach. Social Services disbursed approximately $312 million to subrecipients from these federal programs during the fiscal year.

Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Further, 2 CFR § 200.332(b) suggests that pass-through entities should consider the results of previous audits, the subrecipient's prior experience with the same or similar subawards, and whether the subrecipient has new personnel or new or substantially changed systems.

Benefit Programs developed a corrective action plan to perform risk assessment procedures to comply with 2 CFR § 200.332(b); however, Benefit Programs was unable to implement corrective action due to staff turnover. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipient as necessary to ensure that the pass-through entity used the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward.

Benefit Programs should continue its corrective action efforts to implement a risk assessment process for subrecipients that is consistent with federal regulations and ensure that its monitoring efforts are consistent with the results of its risk assessment.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-089: Obtain, Review, and Document System and Organization Control Reports of Third-Party Service Providers
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-019
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: SNAP Cluster - 10.551, 10.561 (COVID-19)
Federal Award Number and Year: 221VA407S2514 - 2022
Name of Federal Agency: U.S. Department of Agriculture
Type of Compliance Requirement - Criteria: Other - 7 CFR § 274.1(i)(2)
Known Questioned Costs: $0

Social Services continues to not have sufficient internal controls for obtaining, reviewing, and documenting System and Organization Control (SOC) reports of service providers. Social Services uses service providers to perform functions such as administering the Electronic Benefit Transfer (EBT) process for public assistance programs, processing public assistance program applications, and performing call center functions. SOC reports, specifically SOC 1, Type 2 reports, provide an independent description and evaluation of the operating effectiveness of a service provider's internal controls over financial processes and are a key tool in gaining an understanding of a service provider's internal control environment and maintaining oversight over outsourced operations. Social Services could not demonstrate that it reviewed service provider SOC reports to identify deficiencies or determined whether the reports provided adequate coverage over operations during the fiscal year.

CAPP Manual Topic 10305 requires agencies to have adequate interaction with service providers to appropriately understand the service provider's internal control environment. Agencies must also maintain oversight over service providers to gain assurance over outsourced operations. Additionally, Section 1.1 of the Security Standard states that agency heads remain accountable for maintaining compliance with the Security Standard for information technology equipment, systems, and services procured from service providers, and that agencies must enforce the compliance requirements through documented agreements and oversight of the services provided. Finally, 2 CFR § 200.303(a) requires non-federal entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

Social Services shares responsibilities for reviewing SOC reports with VITA's Enterprise Cloud Oversight Services (ECOS), based on the type of SOC report. The individuals responsible for obtaining and reviewing SOC 1, Type 2 reports misunderstood the services provided by ECOS, as ECOS does not review SOC 1, Type 2 reports, and did not have clear expectations as to what they should obtain, review, and document during their review of SOC 1, Type 2 reports. As a result, Social Services did not develop policies and procedures related to obtaining, reviewing, and documenting SOC 1, Type 2 reports in response to our recommendation in the prior audit.

Without adequate policies and procedures over service providers' operations, Social Services is unable to ensure its complementary controls are sufficient to support its reliance on the service providers' control design, implementation, and operating effectiveness. Additionally, Social Services is unable to address any internal control deficiencies and/or exceptions identified in the SOC reports. In effect, Social Services is increasing the risk that it will not detect a weakness in a service provider's environment by not obtaining the necessary SOC reports timely or properly documenting the review of the reports.

Social Services should develop agency-wide policies and procedures that other divisions can use when obtaining, reviewing, and documenting SOC reports. Policies and procedures should comply with the requirements outlined in the CAPP Manual and Security Standard. These policies and procedures should include, at a minimum, the timeframes for obtaining SOC reports from the service provider, documentation requirements for user entity complementary controls, the steps needed to address internal control deficiencies and/or exceptions found in reviews, and the staff responsible for any corrective actions necessary to mitigate the risk to the Commonwealth until the service provider corrects the deficiency.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-101: Follow Eligibility Documentation Requirements for Women, Infants and Children Program
Applicable to: Department of Health
Prior Year Finding Number: 2021-061
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: WIC Special Supplemental Nutrition Program for Women, Infants, and Children - 10.557 (COVID-19)
Federal Award Number and Year: 221VA707W1006 - 2022
Name of Federal Agency: U.S. Department of Agriculture
Type of Compliance Requirement - Criteria: Eligibility - 7 CFR § 246.7(c)(i)
Known Questioned Costs: $0

Local health department eligibility staff did not complete required eligibility documentation for certain recipients under the Women, Infants and Children (WIC) program. For three of 25 (12%) cases, the local health department staff did not obtain acceptable forms of proof of identification or complete an affidavit confirming identity and residence requirements. While performance has significantly improved from the prior year, local health staff still did not follow policies and procedures in these instances.

Local health department staff are primarily responsible for determining eligibility for the WIC program. As a result of the COVID-19 pandemic, the federal government waived the eligibility requirements related to physical presence and allowed states to adopt alternative procedures to verify identity and residence requirements. In June 2020, Health received additional guidance from the United States Department of Agriculture Food and Nutrition Services (FNS), requiring proof of identification through encrypted emails or other approved collection methods. If local health staff are unable to collect this proof of identification, Health's procedures require staff to complete an affidavit to verify identity and residency. Additionally, FNS communicated that Health should have recipients sign a statement as to why they are unable to provide proof of identification or residency.

To address these policy changes, Health developed a Remote WIC Services policy in August 2020; however, the policy did not include the requirement for recipients to sign a statement in cases where the recipient could not provide proof of identification. In response to the prior year finding, Health revised the policy and provided training to local health department staff on the eligibility requirements. Health implemented the revised WIC Remote Services policy in January 2022, and although there has been improvement since the prior year, local health department staff are still adjusting to the revised policy.

When local health department staff do not properly verify identification and residential eligibility for recipients, there is a risk that Health could pay WIC benefits to ineligible recipients. In addition, if local health staff do not complete and keep a record of an affidavit, Health cannot hold recipients accountable for their information.

Health central office staff should continue working with local health department staff to ensure staff adhere to policies and procedures and maintain required documentation for WIC eligibility.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-016: Evaluate Subrecipients' Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0

Benefit Programs continues to not evaluate subrecipients' risk of noncompliance with federal regulations related to the administration of the SNAP and Medicaid Clusters and the TANF and LIHEAP federal grant programs. Benefit Programs develops its subrecipient monitoring approach using the size of the subrecipient; however, it does not perform any further risk assessment procedures to determine the monitoring approach. Social Services disbursed approximately $312 million to subrecipients from these federal programs during the fiscal year.

Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Further, 2 CFR § 200.332(b) suggests that pass-through entities should consider the results of previous audits, the subrecipient's prior experience with the same or similar subawards, and whether the subrecipient has new personnel or new or substantially changed systems.

Benefit Programs developed a corrective action plan to perform risk assessment procedures to comply with 2 CFR § 200.332(b); however, Benefit Programs was unable to implement corrective action due to staff turnover. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipient as necessary to ensure that the pass-through entity used the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward.

Benefit Programs should continue its corrective action efforts to implement a risk assessment process for subrecipients that is consistent with federal regulations and ensure that its monitoring efforts are consistent with the results of its risk assessment.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-089: Obtain, Review, and Document System and Organization Control Reports of Third-Party Service Providers
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-019
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: SNAP Cluster - 10.551, 10.561 (COVID-19)
Federal Award Number and Year: 221VA407S2514 - 2022
Name of Federal Agency: U.S. Department of Agriculture
Type of Compliance Requirement - Criteria: Other - 7 CFR § 274.1(i)(2)
Known Questioned Costs: $0

Social Services continues to not have sufficient internal controls for obtaining, reviewing, and documenting System and Organization Control (SOC) reports of service providers. Social Services uses service providers to perform functions such as administering the Electronic Benefit Transfer (EBT) process for public assistance programs, processing public assistance program applications, and performing call center functions. SOC reports, specifically SOC 1, Type 2 reports, provide an independent description and evaluation of the operating effectiveness of a service provider's internal controls over financial processes and are a key tool in gaining an understanding of a service provider's internal control environment and maintaining oversight over outsourced operations. Social Services could not demonstrate that it reviewed service provider SOC reports to identify deficiencies or determined whether the reports provided adequate coverage over operations during the fiscal year.

CAPP Manual Topic 10305 requires agencies to have adequate interaction with service providers to appropriately understand the service provider's internal control environment. Agencies must also maintain oversight over service providers to gain assurance over outsourced operations. Additionally, Section 1.1 of the Security Standard states that agency heads remain accountable for maintaining compliance with the Security Standard for information technology equipment, systems, and services procured from service providers, and that agencies must enforce the compliance requirements through documented agreements and oversight of the services provided. Finally, 2 CFR § 200.303(a) requires non-federal entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

Social Services shares responsibilities for reviewing SOC reports with VITA's Enterprise Cloud Oversight Services (ECOS), based on the type of SOC report. The individuals responsible for obtaining and reviewing SOC 1, Type 2 reports misunderstood the services provided by ECOS, as ECOS does not review SOC 1, Type 2 reports, and did not have clear expectations as to what they should obtain, review, and document during their review of SOC 1, Type 2 reports. As a result, Social Services did not develop policies and procedures related to obtaining, reviewing, and documenting SOC 1, Type 2 reports in relation to our recommendation in the prior audit.

Without adequate policies and procedures over service providers' operations, Social Services is unable to ensure its complementary controls are sufficient to support its reliance on the service providers' control design, implementation, and operating effectiveness. Additionally, Social Services is unable to address any internal control deficiencies and/or exceptions identified in the SOC reports. In effect, Social Services is increasing the risk that it will not detect a weakness in a service provider's environment by not obtaining the necessary SOC reports timely or properly documenting the review of the reports.

Social Services should develop agency-wide policies and procedures that other divisions can use when obtaining, reviewing, and documenting SOC reports. Policies and procedures should comply with the requirements outlined in the CAPP Manual and Security Standard. These policies and procedures should include, at a minimum, the timeframes for obtaining SOC reports from the service provider, documentation requirements for user entity complementary controls, the steps needed to address internal control deficiencies and/or exceptions found in reviews, and the responsible staff for any corrective actions necessary to mitigate the risk to the Commonwealth until the service provider corrects the deficiency.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-097: Monitor Internal Procedures to Ensure Compliance with the Conflict of Interests Act
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-060
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Pandemic EBT - Admin Costs - 10.649 (COVID-19)
Federal Award Number and Year: 221VA457S9007 - 2022
Name of Federal Agency: U.S. Department of Agriculture
Type of Compliance Requirement - Criteria: Procurement and Suspension and Debarment - 2 CFR § 200.317
Known Questioned Costs: $0

Human Resources is not monitoring compliance with its internal procedures to ensure individuals in positions of trust file the required SOEI disclosure form and complete the required COIA training. Of the 41 employees identified in positions of trust, nine employees (22%) did not file an SOEI form. Three of the nine individuals who did not file an SOEI form held positions with procurement responsibilities. Additionally, of nine randomly selected employees identified in positions of trust, Human Resources was unable to locate the training records for five employees (56%) to demonstrate they completed their required COIA training.

Executive Order Number Eight (2018) requires that the head of each agency, institution, board, commission, council, and authority within the Executive Branch be responsible for ensuring that designated officers and employees file their SOEI form in accordance with § 2.2-3114 of the Code of Virginia. Additionally, § 2.2-3114 and § 2.2-3118.2 of the Code of Virginia state that persons occupying positions of trust within state government or non-salaried citizen members of policy and supervisory boards shall file a disclosure statement with the Commonwealth's Ethics Advisory Council of their personal interests, and such other information as is required on the form, on or before the day such office or position of employment is assumed, and thereafter shall file such a statement annually on or before February 1. Further, § 2.2-3130 of the Code of Virginia states orientation training is required to be completed by filers within two months of their hire or appointment and at least once during each consecutive period of two calendar years. Finally, the Virginia Public Procurement Act requires state agencies to adopt the provisions of the COIA to promote ethics in public contracting, and 2 CFR § 200.317 requires states to follow its procurement policies and procedures when procuring property and services with federal funds.

While Human Resources has sufficient policies and procedures in place to ensure compliance with the COIA, it has not monitored compliance with its procedures to ensure all employees in positions of trust file their SOEI forms timely and complete the required training. Human Resources has not been able to monitor compliance with its policy because of turnover within its division.

Without appropriately monitoring individuals in positions of trust, Human Resources cannot ensure that it is fully compliant with the provisions in the COIA. In effect, Social Services could be susceptible to actual or perceived conflicts of interest and limited in its ability to hold employees accountable. These actions could potentially lead to a violation of state or federal laws or regulations.

Human Resources should dedicate the resources necessary to monitor all employees designated in a position of trust to ensure they file the required SOEI form and complete the required COIA training.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-010: Comply with Federal Requirements for Review of Tax Performance System
Applicable to: Virginia Employment Commission
Prior Year Finding Number: 2021-064
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19)
Federal Award Number and Year: UI233F2200 - 2022
Name of Federal Agency: U.S. Department of Labor
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 20 CFR § 602
Known Questioned Costs: $0

The Virginia Employment Commission (Commission) did not comply with U.S. Department of Labor (Labor) Tax Performance System (TPS) review requirements. The TPS review is a quality assurance review that provides information on a state's compliance with Labor guidelines. The Commission did not follow TPS review requirements in the following areas:
• The Commission did not complete a sampling review for five of six (83%) areas requiring an annual review.
• The reviewer did not complete and/or retain the required checklist for three of 18 (17%) samples selected for review.
• The reviewer's "pass" decision was not reasonable for seven of 18 (39%) samples reviewed related to the benefit charging function.

Title 20 U.S. Code of Federal Regulations (CFR) § 602 requires states to operate a program to assess their Unemployment Insurance (UI) tax and benefit programs and includes specific procedures for the program. TPS provides a cost-effective means to assess the major internal UI tax functions and operations. The TPS review assists state administrators in improving their UI programs by providing objective information on the quality of existing revenue operations. TPS also serves to help Labor carry out its oversight, technical assistance, and policy development responsibilities. One of the primary goals of the system is to achieve continuous improvement of overall performance quality.

Not performing the required reviews increases the risk that the Commission's tax system is not properly calculating employer tax rates. System errors could lead to employers paying less than required, causing an unnecessary burden on the trust fund, or paying more than required, causing unnecessary burdens on employers and the need for the Commission to calculate and issue refunds.

The lack of adherence to the review requirements was due to a new employee in this area whom the Quality Assurance Manager had not yet fully trained.

The Commission should ensure staff follow proper procedures for completion of the TPS report and required system reviews. Employees responsible for TPS reviews should have a comprehensive knowledge of the UI tax system, skills in planning and conducting systems reviews, and the ability to communicate effectively through presentation of findings and recommendations to line staff and management. The Quality Assurance Manager should ensure that the employee responsible for preparation of the TPS report receives the necessary training to fully understand the requirements of the annual review.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-026: Improve Database Security
Applicable to: Virginia Employment Commission
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control; Audit and Accountability; Configuration Management; Identification and Authentication; System and Information Integrity
ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19)
Federal Award Number and Year: UI233F2200 - 2022
Name of Federal Agency: U.S. Department of Labor
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

The Commission does not secure the database that supports its internal benefits system in accordance with its internal policies, the Security Standard, and industry best practices. We communicated four control weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

The Commission's policies, the Security Standard, and industry best practices require the Commission to implement certain controls to reduce unnecessary risk to data confidentiality, integrity, and availability in systems processing or storing sensitive information. The Commission's dedication of resources to other higher priorities and lack of certain control processes caused the weaknesses to occur.

The Commission should allocate the necessary resources to ensure database configurations, controls, and processes align with the requirements in its policies, the Security Standard, and industry best practices. Improving security of the database will help maintain the confidentiality, integrity, and availability of the Commission's sensitive data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-027: Upgrade End-of-Life Technology
Applicable to: Virginia Employment Commission
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: System and Information Integrity; System and Services Acquisition
ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19)
Federal Award Number and Year: UI233F2200 - 2022
Name of Federal Agency: U.S. Department of Labor
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

The Commission uses end-of-life technology on one of its IT systems that processes mission-essential data without an approved exception. We communicated the control weakness to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms.

The Security Standard prohibits agencies from using end-of-life software that the vendor no longer supports, to reduce unnecessary risk to the confidentiality, integrity, and availability of the Commission's information systems and data. If the Commission is not able to update its software to a supported version due to compatibility or other operational issues, the Security Standard requires the Agency Head to submit an exception request for approval to the Commonwealth's Chief ISO (Security Standard, Sections: SI-2-COV Flaw Remediation; SA-22 Unsupported System Components; 1.5 Exceptions to Security Requirements).

The Commission began efforts to migrate to a new environment in June 2020; however, due to VITA supplier and infrastructure issues, the Commission abandoned the project and delayed upgrading its end-of-life technology. As of June 2022, the Commission began new efforts to migrate to a different infrastructure, which will allow the Commission to upgrade its end-of-life technology.

The Commission should upgrade its systems running outdated and unsupported software. Additionally, while upgrade efforts are ongoing, the Commission should submit and receive an approved exception that includes a description of compensating controls that will reduce the software vulnerability risk. The exception request should also include the Commission's future plans to upgrade the systems running outdated and unsupported software. Upgrading systems from end-of-life software will improve the Commission's security posture and help protect the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-028: Properly Update and Review System Access
Applicable to: Virginia Employment Commission
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control; Personnel Security
ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19)
Federal Award Number and Year: UI233F2200 - 2022
Name of Federal Agency: U.S. Department of Labor
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

The Commission's system access controls are not adequate to ensure compliance with the Commission's policies and the Security Standard. The Commission did not remove terminated employees' system access timely, maintain proper documentation for new users, or perform an annual review of all user access, as follows:
• The Commission did not terminate system access to the financial management system for one of four (25%) employees until 54 days after termination.
• The Commission did not terminate system access to the benefits system for eight of 25 (32%) employees until three to ten days after termination.
• The Commission did not maintain proper documentation to support the approval of new user access roles in the benefits system for six of 40 (15%) employees.
• The Commission performed an annual system access review for the new benefits system, which has over 4,500 users across the benefits, tax, and appeals modules. However, the Commission only reviewed benefits user roles and, as a result, excluded over half of the system's users from the review.

The Commission's Access Control Policies and Procedures, Section A - Account Management (AC-2), subsection 11c, states that the system owner should deactivate user accounts for terminated employees within 24 hours of notification of the employee's separation from the agency. In addition, subsection 5b states that the system owner must maintain documented access approvals. Further, the Security Standard, Section PS-4, states an organization must disable information system access within 24 hours of employee separation and terminate any authenticators or credentials associated with the individual. Finally, the Security Standard, Section AC-6, requires agencies to perform annual reviews of privileges assigned to all users to validate the need for such privileges.

The lack of proper internal controls over system access increases the risk that terminated employees may retain unauthorized access to internal systems and sensitive information. In addition, for new or existing users the Commission could grant or maintain access that is inappropriate or unnecessary based on job responsibilities.

Factors contributing to the untimely system access terminations and new access approval deficiencies include a lack of communication between supervisors and system administrators and the decentralized nature of access controls across the Commission's systems. Supervisors, as well as system owners and contractor designees, are not always following internal policies and procedures related to notification of the need for access removals, timely removal of access, and maintenance of approval documentation. In addition, we determined that the Commission performed an access review during the fiscal year when it transitioned users of the previous benefits system to the new system; however, the Commission did not perform a review for users already active in the new system. This review did not occur because the agency had not yet implemented a replacement access management application. The Commission is currently working to establish procedures over this application.

The Commission should deactivate terminated employees' system access timely, in accordance with the Security Standard and the Commission's policies and procedures. In addition, the Commission should maintain documentation related to access approvals and modifications. Also, the Commission should perform and document a review of access for all systems' user accounts at least annually. Finally, the Commission should update its internal Access Control Policies and Procedures to reflect all access control requirements and processes.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
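A control test that reproduces the three checks in the finding above (24-hour deactivation after separation notice, documented approval for each account, and review coverage across all modules), written as an added example rather than code from the report or the Commission; it assumes an HR separation feed and a system account export, both constructed here with hypothetical user ids, and uses the 24-hour limit quoted from AC-2 and PS-4.

```python
"""Control test for the 2022-028 access-control requirements.

Added example; not code from the audit report or the Commission. Inputs are
constructed: an HR feed of separation notifications and an export of system
accounts. The 24-hour limit is the one quoted from AC-2 and PS-4."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Deactivation deadline after the system owner is notified of a separation.
SEPARATION_SLA = timedelta(hours=24)


@dataclass(frozen=True)
class Separation:
    user: str
    notified_at: datetime  # when the system owner was told of the separation


@dataclass(frozen=True)
class Account:
    user: str
    system: str                      # e.g. "financial" or "benefits"
    module: str                      # benefits / tax / appeals / finance
    disabled_at: Optional[datetime]  # None means the account is still active
    approval_on_file: bool           # a documented access approval exists


# Constructed sample data (hypothetical user ids and timestamps).
T0 = datetime(2022, 3, 1, 9, 0)
SAMPLE_SEPARATIONS = [Separation(u, T0) for u in ("u001", "u002", "u003", "u004")]
SAMPLE_ACCOUNTS = [
    Account("u001", "financial", "finance", T0 + timedelta(days=54), True),   # 54 days late
    Account("u002", "benefits", "benefits", T0 + timedelta(days=3), True),    # 3 days late
    Account("u003", "benefits", "benefits", T0 + timedelta(hours=20), True),  # within 24 h
    Account("u004", "benefits", "tax", None, True),                           # never disabled
    Account("u010", "benefits", "benefits", None, False),                     # no approval record
    Account("u011", "benefits", "tax", None, True),
    Account("u012", "benefits", "appeals", None, False),                      # no approval record
]


def late_deactivations(separations, accounts, sla=SEPARATION_SLA):
    """Accounts of separated users that were disabled after the SLA, or never.

    Returns (user, system, lag_in_days) tuples in account order; lag is None
    when the account is still active, the worst case for remediation."""
    notified = {s.user: s.notified_at for s in separations}
    findings = []
    for acct in accounts:
        if acct.user not in notified:
            continue  # not a separated user; nothing to check here
        if acct.disabled_at is None:
            findings.append((acct.user, acct.system, None))
        else:
            lag = acct.disabled_at - notified[acct.user]
            if lag > sla:
                findings.append((acct.user, acct.system, lag.days))
    return findings


def missing_approvals(accounts):
    """Active accounts with no documented access approval (AC-2 subsection 5b)."""
    return sorted((a.user, a.system) for a in accounts
                  if a.disabled_at is None and not a.approval_on_file)


def review_coverage(accounts, system, reviewed_modules):
    """(covered, total) active accounts of `system` whose module was in scope of
    the annual review; anything short of total/total is a gap under AC-6."""
    active = [a for a in accounts if a.system == system and a.disabled_at is None]
    covered = sum(1 for a in active if a.module in reviewed_modules)
    return covered, len(active)


if __name__ == "__main__":
    for user, system, lag in late_deactivations(SAMPLE_SEPARATIONS, SAMPLE_ACCOUNTS):
        state = "still active" if lag is None else f"{lag} days after notice"
        print(f"late/absent deactivation: {user} on {system}: {state}")
    print("missing approvals:", missing_approvals(SAMPLE_ACCOUNTS))
    covered, total = review_coverage(SAMPLE_ACCOUNTS, "benefits", {"benefits"})
    print(f"benefits review covered {covered} of {total} active accounts")
```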
2022-108: Submit Required Reports Timely Applicable to: Virginia Employment Commission Prior Year Finding Number: 2021-086; 2020-091 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19) Federal Award Number and Year: UI233F2200 - 2022 Name of Federal Agency: U.S. Department of Labor Type of Compliance Requirement - Criteria: Reporting - 2 CFR ? 200.300(b); Department of Labor Handbooks ETA 336 and 401 Known Questioned Costs: $0 The Commission did not submit monthly and quarterly Employment and Training Administration (ETA) Reports timely. There were multiple instances where the Commission did not submit reports by the required deadlines, including: ? Submitting one of twelve (8%) Unemployment Insurance Financial Transaction Summary (ETA 2112) reports seven days late; ? Submitting one of four (25%) Statement of Expenditures and Financial Adjustments of Federal Funds for Unemployment Compensation for Federal Employees and Ex- Service Members (ETA 191) reports 13 days late; ? Submitting one of four (25%) Overpayment Detection and Recovery Activities (ETA 227) reports 76 days late; ? Submitting one of four (25%) Quarterly Narrative Progress Reports (ETA 9178) four days late; ? Submitting one of twelve (8%) Time Lapse of All First Payments Except Workshare (ETA 9050) reports five days late; ? Not submitting one of four (25%) Reemployment Services and Eligibility Assessment Workload (ETA 9128) reports; and ? Not submitting four of four (100%) Reemployment Services and Eligibility Assessment Outcomes (ETA 9129) reports. Labor Handbook 401 requires specific filing dates for all reports. These reports provide information to Labor to measure the performance and effectiveness of various benefit programs. 
According to the grant agreement between the Commission and Labor, the Commission should submit its required reports to Labor in a timely manner and in accordance with Labor Handbook 401. Not submitting reports timely may cause delays in funding from Labor or suspension of funds needed for ongoing Commission operations. In addition, continued delays could result in additional federal oversight. The implementation of the new benefits system affected the Commission's ability to submit required ETA reports timely. Specifically, the Commission encountered errors when submitting several reports containing data from the internal benefits system, which the Commission was unable to resolve. Further, there are no specific policies and procedures outlining guidance for submission of specific reports. The Commission has continued to work with the system contractor to resolve any existing errors in order to successfully submit required federal reports. For reports not impacted by the internal benefits system implementation, management did not provide proper oversight to ensure timely filings due to competing work priorities. We encourage the Commission to continue working with the contractor to resolve any data issues in the benefits system. Also, management should exercise adequate oversight to ensure staff file all reports by the required due date. The Commission should also update internal policies and procedures for each required report to provide clear guidance for report submission and consequences for late filing. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-109: Submit Accurate Special Reports to Department of Labor Applicable to: Virginia Employment Commission Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19) Federal Award Number and Year: UI233F2200 - 2022 Name of Federal Agency: U.S. Department of Labor Type of Compliance Requirement - Criteria: Reporting - 2 CFR ? 200.300(b); Department of Labor Handbooks ETA 336 and 401 Known Questioned Costs: $0 The Commission did not accurately report activity on the Quarterly Unemployment Insurance Above-Base Report (ETA 2208A Report) for one of two (50%) quarters tested. The June 2022 quarterly report included amounts that were not in agreement with supporting documentation. Labor Handbook 336 requires that data reported must fairly and accurately represent the utilization of staff years and be traceable to supporting documentation. This special report provides information to Labor on the number of staff years worked and paid for various UI program categories to use in determining above-base entitlements. According to the grant agreement between the Commission and Labor, the Commission should submit its required reports to Labor in accordance with Labor Handbook 336. Submitting reports with inaccurate information may cause an incorrect determination of entitlements above employee base pay. The employee responsible for preparing the ETA 2208A Report identified typographical errors after submission of the report; however, the employee did not notify management of the errors. The employee incorrectly decided to revise and resubmit the report, without management's knowledge, based on the premise that the next quarterly report would reflect accurate year-to- date activity, resolving the error from the prior period. The Commission should properly train all employees responsible for report preparation. 
In addition, the Commission should update its policies and procedures to ensure employees notify management if they discover an error to determine if corrected reports require an updated submission. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-010: Comply with Federal Requirements for Review of Tax Performance System
Applicable to: Virginia Employment Commission
Prior Year Finding Number: 2021-064
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19)
Federal Award Number and Year: UI233F2200 - 2022
Name of Federal Agency: U.S. Department of Labor
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 20 CFR § 602
Known Questioned Costs: $0

The Virginia Employment Commission (Commission) did not comply with U.S. Department of Labor (Labor) Tax Performance System (TPS) review requirements. The TPS review is a quality assurance review that provides information on a state's compliance with Labor guidelines. The Commission did not follow TPS review requirements in the following areas:
• The Commission did not complete a sampling review for five of six (83%) areas requiring an annual review.
• The reviewer did not complete and/or retain the required checklist for three of 18 (17%) samples selected for review.
• The reviewer's "pass" decision was not reasonable for seven of 18 (39%) samples reviewed related to the benefit charging function.

Title 20 U.S. Code of Federal Regulations (CFR) § 602 requires states to operate a program to assess their Unemployment Insurance (UI) tax and benefit programs and includes specific procedures for the program. TPS provides a cost-effective means to assess the major internal UI tax functions and operations. The TPS review assists state administrators in improving their UI programs by providing objective information on the quality of existing revenue operations. TPS also serves to help Labor carry out its oversight, technical assistance, and policy development responsibilities. One of the primary goals of the system is to achieve continuous improvement of overall performance quality.

Not performing the required reviews increases the risk that the Commission's tax system is not properly calculating employer tax rates. System errors could lead to employers paying less than required, causing an unnecessary burden on the trust fund, or paying more than required, causing an unnecessary burden on employers and the need for the Commission to calculate and issue refunds. The lack of adherence to the review requirements was due to a new employee in this area whom the Quality Assurance Manager had not yet fully trained.

The Commission should ensure staff follow proper procedures for completion of the TPS report and required system reviews. Employees responsible for TPS reviews should have a comprehensive knowledge of the UI tax system, skills in planning and conducting systems reviews, and the ability to communicate effectively through presentation of findings and recommendations to line staff and management. The Quality Assurance Manager should ensure that the employee responsible for preparation of the TPS report receives the necessary training to fully understand the requirements of the annual review.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-026: Improve Database Security
Applicable to: Virginia Employment Commission
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control; Audit and Accountability; Configuration Management; Identification and Authentication; System and Information Integrity
ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19)
Federal Award Number and Year: UI233F2200 - 2022
Name of Federal Agency: U.S. Department of Labor
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

The Commission does not secure the database that supports its internal benefits system in accordance with its internal policies, the Security Standard, and industry best practices. We communicated four control weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia because it contains descriptions of security mechanisms.

The Commission's policies, the Security Standard, and industry best practices require the Commission to implement certain controls to reduce unnecessary risk to data confidentiality, integrity, and availability in systems processing or storing sensitive information. The Commission's dedication of resources to other, higher priorities and the lack of certain control processes caused the weaknesses to occur.

The Commission should allocate the necessary resources to ensure database configurations, controls, and processes align with the requirements in its policies, the Security Standard, and industry best practices. Improving security of the database will help maintain the confidentiality, integrity, and availability of the Commission's sensitive data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-027: Upgrade End-of-Life Technology
Applicable to: Virginia Employment Commission
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: System and Information Integrity; System and Services Acquisition
ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19)
Federal Award Number and Year: UI233F2200 - 2022
Name of Federal Agency: U.S. Department of Labor
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

The Commission uses end-of-life technology on one of its IT systems that processes mission-essential data without an approved exception. We communicated the control weakness to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia because it contains descriptions of security mechanisms.

The Security Standard prohibits agencies from using end-of-life software that the vendor no longer supports, in order to reduce unnecessary risk to the confidentiality, integrity, and availability of the Commission's information systems and data. If the Commission is not able to update its software to a supported version due to compatibility or other operational issues, the Security Standard requires the Agency Head to submit an exception request for approval to the Commonwealth's Chief ISO (Security Standard, Sections: SI-2-COV Flaw Remediation; SA-22 Unsupported System Components; 1.5 Exceptions to Security Requirements).

The Commission began efforts to migrate to a new environment in June 2020; however, due to VITA supplier and infrastructure issues, the Commission abandoned the project and delayed upgrading its end-of-life technology. As of June 2022, the Commission began new efforts to migrate to a different infrastructure, which will allow the Commission to upgrade its end-of-life technology.

The Commission should upgrade its systems running outdated and unsupported software. Additionally, while upgrade efforts are ongoing, the Commission should submit and receive an approved exception that includes a description of compensating controls that will reduce the software vulnerability risk. The exception request should also include the Commission's future plans to upgrade the systems running outdated and unsupported software. Upgrading systems from end-of-life software will improve the Commission's security posture and help protect the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-028: Properly Update and Review System Access
Applicable to: Virginia Employment Commission
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control; Personnel Security
ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19)
Federal Award Number and Year: UI233F2200 - 2022
Name of Federal Agency: U.S. Department of Labor
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

The Commission's system access controls are not adequate to ensure compliance with the Commission's policies and the Security Standard. The Commission did not remove terminated employees' system access timely, maintain proper documentation for new users, or perform an annual review of all user access, as follows:
• The Commission did not terminate system access to the financial management system for one of four (25%) employees until 54 days after termination.
• The Commission did not terminate system access to the benefits system for eight of 25 (32%) employees until three to ten days after termination.
• The Commission did not maintain proper documentation to support the approval of new user access roles in the benefits system for six of 40 (15%) employees.
• The Commission performed an annual system access review for the new benefits system, which has over 4,500 users across the benefits, tax, and appeals modules. However, the Commission only reviewed benefits user roles and, as a result, excluded over half of the system's users from the review.

The Commission's Access Control Policies and Procedures, Section A - Account Management (AC-2), subsection 11c, states that the system owner should deactivate user accounts for terminated employees within 24 hours of notification of the employee's separation from the agency. In addition, subsection 5b states that the system owner must maintain documented access approvals. Further, the Security Standard, Section PS-4, states an organization must disable information system access within 24 hours of employee separation and terminate any authenticators or credentials associated with the individual. Finally, the Security Standard, Section AC-6, requires agencies to perform annual reviews of privileges assigned to all users to validate the need for such privileges.

The lack of proper internal controls over system access increases the risk that terminated employees may retain unauthorized access to internal systems and sensitive information. In addition, for new or existing users, the Commission could grant or maintain access that is inappropriate or unnecessary based on job responsibilities.

Factors contributing to the untimely system access terminations and new access approval deficiencies include a lack of communication between supervisors and system administrators and the decentralized nature of access controls across the Commission's systems. Supervisors, as well as system owners and contractor designees, are not always following internal policies and procedures related to notification of the need for access removals, timely removal of access, and maintenance of approval documentation. In addition, we determined that the Commission performed an access review during the fiscal year when it transitioned users of the previous benefits system to the new system; however, the Commission did not perform a review for users already active in the new system. This review did not occur because the agency had not yet implemented a replacement access management application. The Commission is currently working to establish procedures over this application.

The Commission should deactivate terminated employees' system access timely, in accordance with the Security Standard and the Commission's policies and procedures. In addition, the Commission should maintain documentation related to access approvals and modifications. Also, the Commission should perform and document a review of access for all systems' user accounts at least annually. Finally, the Commission should update its internal Access Control Policies and Procedures to reflect all access control requirements and processes.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
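The three tests behind finding 2022-028 (deactivation within 24 hours of separation, a documented approval on file for every active account, and an annual review whose population is every user on every system) can be run as a reconciliation of an HR separation feed against exports of each system's accounts. The script below is an added example written for this page, not code from the Commission or the Auditor of Public Accounts; the account records, separation dates, approval log, review log and fiscal-year-end date are constructed sample data, the 24-hour threshold is the one the finding quotes from the Commission's AC-2 policy and the Security Standard's PS-4, and all function and field names are the author's own assumptions.

```python
"""Reconcile separations, access approvals and review coverage against
active accounts. Added example; the sample records below are constructed
and are not data from the Commission or from the audit report."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    user: str
    system: str                            # e.g. "benefits", "tax", "appeals", "financial"
    role: str
    enabled: bool
    disabled_at: Optional[datetime] = None  # when the account was deactivated, if ever


# Constructed sample data: three users separated on the same morning.
SEPARATIONS = {
    "alice": datetime(2022, 3, 1, 9, 0),
    "bob": datetime(2022, 3, 1, 9, 0),
    "carol": datetime(2022, 3, 1, 9, 0),
}

ACCOUNTS = [
    Account("alice", "benefits", "claims_examiner", False, datetime(2022, 3, 1, 17, 0)),  # 8 hours: within window
    Account("bob", "benefits", "claims_examiner", False, datetime(2022, 3, 4, 9, 0)),     # 72 hours: late
    Account("carol", "financial", "ap_clerk", True),                                     # never disabled
    Account("dave", "tax", "rate_analyst", True),
    Account("erin", "appeals", "hearing_officer", True),
    Account("frank", "benefits", "supervisor", True),
]

# (user, system) pairs with a documented access approval on file; frank has none.
APPROVALS = {
    ("alice", "benefits"), ("bob", "benefits"), ("carol", "financial"),
    ("dave", "tax"), ("erin", "appeals"),
}

# (user, system) pairs the annual review covered; only benefits roles were reviewed.
REVIEWED = {("alice", "benefits"), ("bob", "benefits"), ("frank", "benefits")}

AS_OF = datetime(2022, 6, 30, 23, 59)  # fiscal year end, used to measure accounts still enabled


def late_deprovisioning(separations, accounts, as_of, max_hours=24):
    """Accounts of separated users that stayed enabled longer than max_hours
    after separation (the AC-2 11c / PS-4 window). Returns a list of
    (user, system, hours_enabled_after_separation); an account that is still
    enabled is measured up to as_of, so it is flagged rather than overlooked."""
    limit = timedelta(hours=max_hours)
    late = []
    for acct in accounts:
        separated = separations.get(acct.user)
        if separated is None:
            continue  # user not in the separation feed
        closed = acct.disabled_at if acct.disabled_at is not None else as_of
        window = closed - separated
        if window > limit:
            late.append((acct.user, acct.system, round(window.total_seconds() / 3600, 1)))
    return late


def missing_approvals(accounts, approvals):
    """Enabled accounts with no documented access approval (AC-2 5b)."""
    return sorted((a.user, a.system, a.role)
                  for a in accounts if a.enabled and (a.user, a.system) not in approvals)


def review_coverage(accounts, reviewed):
    """Share of enabled accounts, on every system, that the annual review
    covered (the AC-6 population), plus the accounts it missed. A review
    limited to one module shows up here as low coverage, not as a pass."""
    population = {(a.user, a.system) for a in accounts if a.enabled}
    unreviewed = sorted(population - reviewed)
    covered = len(population & reviewed) / len(population) if population else 1.0
    return covered, unreviewed


if __name__ == "__main__":
    for user, system, hours in late_deprovisioning(SEPARATIONS, ACCOUNTS, AS_OF):
        print(f"LATE DEPROVISIONING: {user}@{system} enabled {hours} h after separation")
    for user, system, role in missing_approvals(ACCOUNTS, APPROVALS):
        print(f"NO APPROVAL ON FILE: {user}@{system} ({role})")
    share, missed = review_coverage(ACCOUNTS, REVIEWED)
    print(f"REVIEW COVERAGE: {share:.0%}; not reviewed: {missed}")
```

In use, SEPARATIONS would be pulled from the HR system and ACCOUNTS from each application's user export, and the script would run daily rather than once a year: the 24-hour window in the finding is only testable against timestamps, so the disabled_at value has to come from the system's own account log, not from the supervisor's notification. The review check deliberately counts every enabled account across modules as the population, which is how a review that covered only the benefits roles of a 4,500-user system would have been caught before the audit did.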
2022-108: Submit Required Reports Timely
Applicable to: Virginia Employment Commission
Prior Year Finding Number: 2021-086; 2020-091
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19)
Federal Award Number and Year: UI233F2200 - 2022
Name of Federal Agency: U.S. Department of Labor
Type of Compliance Requirement - Criteria: Reporting - 2 CFR § 200.300(b); Department of Labor Handbooks ETA 336 and 401
Known Questioned Costs: $0

The Commission did not submit monthly and quarterly Employment and Training Administration (ETA) Reports timely. There were multiple instances where the Commission did not submit reports by the required deadlines, including:
• Submitting one of twelve (8%) Unemployment Insurance Financial Transaction Summary (ETA 2112) reports seven days late;
• Submitting one of four (25%) Statement of Expenditures and Financial Adjustments of Federal Funds for Unemployment Compensation for Federal Employees and Ex-Service Members (ETA 191) reports 13 days late;
• Submitting one of four (25%) Overpayment Detection and Recovery Activities (ETA 227) reports 76 days late;
• Submitting one of four (25%) Quarterly Narrative Progress Reports (ETA 9178) four days late;
• Submitting one of twelve (8%) Time Lapse of All First Payments Except Workshare (ETA 9050) reports five days late;
• Not submitting one of four (25%) Reemployment Services and Eligibility Assessment Workload (ETA 9128) reports; and
• Not submitting four of four (100%) Reemployment Services and Eligibility Assessment Outcomes (ETA 9129) reports.

Labor Handbook 401 requires specific filing dates for all reports. These reports provide information to Labor to measure the performance and effectiveness of various benefit programs. According to the grant agreement between the Commission and Labor, the Commission should submit its required reports to Labor in a timely manner and in accordance with Labor Handbook 401. Not submitting reports timely may cause delays in funding from Labor or suspension of funds needed for ongoing Commission operations. In addition, continued delays could result in additional federal oversight.

The implementation of the new benefits system affected the Commission's ability to submit required ETA reports timely. Specifically, the Commission encountered errors when submitting several reports containing data from the internal benefits system, which the Commission was unable to resolve. Further, there are no specific policies and procedures outlining guidance for submission of specific reports. The Commission has continued to work with the system contractor to resolve any existing errors in order to successfully submit required federal reports. For reports not impacted by the internal benefits system implementation, management did not provide proper oversight to ensure timely filings due to competing work priorities.

We encourage the Commission to continue working with the contractor to resolve any data issues in the benefits system. Also, management should exercise adequate oversight to ensure staff file all reports by the required due date. The Commission should also update internal policies and procedures for each required report to provide clear guidance for report submission and consequences for late filing.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-109: Submit Accurate Special Reports to Department of Labor
Applicable to: Virginia Employment Commission
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Unemployment Insurance - 17.225 (COVID-19)
Federal Award Number and Year: UI233F2200 - 2022
Name of Federal Agency: U.S. Department of Labor
Type of Compliance Requirement - Criteria: Reporting - 2 CFR § 200.300(b); Department of Labor Handbooks ETA 336 and 401
Known Questioned Costs: $0

The Commission did not accurately report activity on the Quarterly Unemployment Insurance Above-Base Report (ETA 2208A Report) for one of two (50%) quarters tested. The June 2022 quarterly report included amounts that were not in agreement with supporting documentation.

Labor Handbook 336 requires that data reported must fairly and accurately represent the utilization of staff years and be traceable to supporting documentation. This special report provides information to Labor on the number of staff years worked and paid for various UI program categories to use in determining above-base entitlements. According to the grant agreement between the Commission and Labor, the Commission should submit its required reports to Labor in accordance with Labor Handbook 336. Submitting reports with inaccurate information may cause an incorrect determination of entitlements above employee base pay.

The employee responsible for preparing the ETA 2208A Report identified typographical errors after submission of the report; however, the employee did not notify management of the errors. The employee incorrectly decided not to revise and resubmit the report, without management's knowledge, based on the premise that the next quarterly report would reflect accurate year-to-date activity, resolving the error from the prior period.

The Commission should properly train all employees responsible for report preparation. In addition, the Commission should update its policies and procedures to ensure employees notify management if they discover an error, so that management can determine whether corrected reports require an updated submission.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-110: Develop and Implement Internal Controls to Obtain Reasonable Assurance over Contractor Compliance with Program Regulations
Applicable to: Department of Housing and Community Development
Prior Year Finding Number: 2021-088
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
ALPT or Cluster Name and ALN: Emergency Rental Assistance Program - 21.023 (COVID-19)
Federal Award Number and Year: ERA0402; ERAE070; ERA0451; ERAE0400 - 2022
Name of Federal Agency: U.S. Department of the Treasury
Type of Compliance Requirement - Criteria: Eligibility - 2 CFR § 200.303(a); 2 CFR § 200.501(g)
Known Questioned Costs: $0

The Department of Housing and Community Development (Housing and Community Development) cannot provide reasonable assurance that its contractors administered the Emergency Rental Assistance (ERA) federal grant program in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Because of resource limitations, Housing and Community Development partnered with two separate contractors to process applications and determine eligibility on its behalf. The main objective of the ERA federal grant program is to provide rent relief to eligible tenants to prevent eviction and homelessness. Since the ERA federal program's inception, Housing and Community Development has provided $571 million in rental assistance to beneficiaries based on eligibility determinations made by its contractors.

The Code of Federal Regulations, 2 CFR § 200.501(g), states that the auditee is responsible for reviewing the contractor's records to determine program compliance. Additionally, 2 CFR § 200.303(a) states that non-federal entities must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Reasonable assurance is a high, but not absolute, level of assurance that the entity and its contractors have complied with federal laws and regulations. Housing and Community Development's contractual agreement with its contractors places ultimate responsibility for program compliance with Housing and Community Development.

Housing and Community Development incorporated certain measures into its contractual agreements with its contractors related to compliance with 2 CFR § 200.501(g) and 2 CFR § 200.303(a). First, Housing and Community Development communicated program requirements to its contractors through a formalized document and received documentation as to how the contractor has designed its internal controls to ensure program compliance. Second, Housing and Community Development added a requirement to the contractual agreement that stipulates the contractor is to provide a daily payment file, listing beneficiaries qualifying to receive payments, that Housing and Community Development is to approve before the contractor processes payment to beneficiaries.

While Housing and Community Development's contractual agreements contain important provisions related to program compliance, Housing and Community Development has not developed and implemented a systematic approach for obtaining reasonable assurance over the contractor's internal controls and compliance with federal program regulations. Although Housing and Community Development periodically verifies the contractor's internal controls and compliance when it receives a call from beneficiaries about their application, the agency has not included the periodic verification process in its official policies and procedures. Additionally, the periodic verification process is not sufficient to provide reasonable assurance over the contractor's internal controls or compliance with program operations because it is sporadic in nature. Finally, Housing and Community Development did not maintain appropriate evidence to demonstrate that it reviewed contractor records for program compliance prior to approving the daily payment file. Since management has not collected the evidence needed to provide reasonable assurance of federal program compliance, this has created a scope limitation for the audit and has led the Auditor of Public Accounts to disclaim an opinion for the ERA federal grant program.

Housing and Community Development first received ERA federal grant program funding in January 2021 and had until September 2021 to obligate at least 65 percent of its funding or the funding would be subject to recapture from the federal government. Because of the fast-paced nature of this program, much of Housing and Community Development's focus has been on interpreting and implementing the legislation and providing financial assistance to applicants as quickly as possible. Additionally, Housing and Community Development's Office of Eviction Prevention and Rental Assistance (Eviction Prevention and Rental Assistance) and Division of Administration (Administration), which are responsible for administering the ERA federal grant program, have been unable to develop and implement a systematic process for obtaining reasonable assurance over the contractor's internal controls and compliance because of the lack of time and available resources. Close out for the first grant allotment (ERA1) for the ERA federal award will occur in April 2023.

Eviction Prevention and Rental Assistance and Administration should work collaboratively to develop and implement a systematic approach for reviewing contractor records that provides reasonable assurance that it complied with federal statutes, regulations, and the terms and conditions of the federal award. Housing and Community Development should document this process and incorporate it into the agency's official policies and procedures. Further, Housing and Community Development should retain appropriate evidence to demonstrate its review of the contractor's records for program compliance. Finally, Housing and Community Development's executive leadership should oversee the implementation of this process to ensure the agency properly incorporates the policies and procedures into its operations. If Housing and Community Development does not believe it will complete corrective actions before ERA1 close-out, it should work collaboratively with the United States Department of the Treasury to find alternate solutions for ensuring program compliance.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-111: Perform Subrecipient Monitoring Activities Required by the Risk Assessment Applicable to: Department of Housing and Community Development Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Material Weakness ALPT or Cluster Name and ALN: Emergency Rental Assistance Program - 21.023 (COVID-19) Federal Award Number and Year: ERA0402; ERAE070; ERA0451; ERAE0400 - 2022 Name of Federal Agency: U.S. Department of the Treasury Type of Compliance Requirement - Criteria: Eligibility - 2 CFR ? 200.332(d) Known Questioned Costs: $0 Housing and Community Development has not monitored subrecipient activities for the ERA federal grant program in accordance with its subrecipient monitoring policies and procedures. Since the prior audit, Housing and Community Development performed a risk assessment for its ERA subrecipient and determined that they were high risk. Housing and Community Development's Risk Evaluation and Assessment Core Tool Instructions states that for a high risk subrecipient, program personnel must perform monitoring procedures as soon as possible but no later than six months after the completion of the risk assessment procedures, or a total of nine months from entering the subaward agreement. As of the end of the fiscal year, Housing and Community Development has not conducted the monitoring activities its Risk Evaluation and Assessment Core Tool Instructions requires. Over the life of the ERA federal grant program, the subrecipient has determined eligibility for landlords, which has led to beneficiary payment amounts totaling approximately $255 million. Title 2 CFR ? 200.332(d) requires grantees to monitor the activities of the subrecipient as necessary to ensure that it uses the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward; and that the subrecipient achieved subaward performance goals. 
While Housing and Community Development was able to demonstrate that it established recurring meetings with its subrecipient to discuss the performance of the program, these monitoring activities alone are not adequate for the subrecipient's risk level identified in the risk assessment. In effect, Housing and Community Development cannot provide reasonable assurance that the subaward was used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Reasonable assurance is a high, but not absolute, level of assurance that the entity and its subrecipient have complied with federal laws and regulations. Housing and Community Development was unable to perform the required monitoring activities because of a lack of time and available resources. Because management has not performed the monitoring activities required by 2 CFR § 200.332(d), this has created a scope limitation for the audit and has led the Auditor of Public Accounts to disclaim an opinion on the ERA federal grant program. Close-out of the ERA1 federal award will occur in April 2023. Housing and Community Development should perform the required monitoring activities before it closes out the ERA1 federal award. If Housing and Community Development does not believe it will complete these monitoring activities before the ERA1 federal award close-out, it should work collaboratively with the United States Department of the Treasury to discuss alternate solutions for ensuring program compliance. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-102: Ensure the Correct Award Year is Applied to Federal Reports Applicable to: Department of Education - Central Office Operations Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency ALPT or Cluster Name and ALN: Title I Grants to Local Educational Agencies - 84.010 Federal Award Number and Year: S010A200046 - 2021-2022 Name of Federal Agency: U.S. Department of Education Type of Compliance Requirement - Criteria: Reporting - 2 CFR Part 170, Appendix A Known Questioned Costs: $0 Education reported an incorrect award year to the federal government in its required Federal Funding Accountability and Transparency Act (FFATA) reporting. Specifically, since 2020 Education has submitted subaward information under award year 2020, which makes it appear that Education made 846 subawards totaling $1.5 billion under its fiscal year 2020 Title I award. However, Education receives only around $250 million in Title I funding annually and makes around 135 subawards. Title 2 CFR Part 170, Appendix A, which the U.S. Department of Education included in the terms of the Title I award, requires Education to report each obligating action exceeding $30,000 to the FFATA Subaward Reporting System. Education's incorrect submissions cause USASpending.gov to report inaccurate information, which may lead users of that website to draw improper conclusions about Education's Title I subawards. The manager's review of Education's FFATA submissions did not detect that, after 2020, subsequent Title I subaward information was being appended to the 2020 award. Education's management should ensure that it performs an effective review of its future FFATA submissions and should work with the federal government to determine whether it can correct the award year in prior submissions. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-013: Review Non-Locality Subrecipient Single Audit Reports Applicable to: Department of Social Services Prior Year Finding Number: 2021-072; 2020-075; 2019-091; 2018-092 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19) Federal Award Number and Year: 2201VATANF - 2022 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)(3) and (f) Known Questioned Costs: $0 Compliance continues not to review non-locality subrecipient Single Audit reports as required by its Agency Monitoring Plan. Non-locality subrecipients are subrecipients that are not local governments; they are mainly non-profit organizations. During fiscal year 2022, Social Services disbursed approximately $80 million in federal funds to roughly 200 non-locality subrecipients. While reviewing the audit reports for the 27 non-locality subrecipients that received more than $750,000 in federal funds from Social Services, we noted the following:
• Five non-locality subrecipients (19%) did not have a current Single Audit report available in the Federal Audit Clearinghouse (Clearinghouse). Fiscal year 2022 federal disbursements to these non-locality subrecipients totaled approximately $6.5 million.
• Two non-locality subrecipients (7%) had audit findings that affected one or more of Social Services' federal grant programs. Because it did not review non-locality subrecipient Single Audit reports, Social Services did not issue management decision letters within six months of the Clearinghouse's acceptance of the audit reports to collaboratively resolve audit findings related to Social Services' federal programs.
According to 2 CFR § 200.332(f), all pass-through entities must verify that their subrecipients are audited when the subrecipient's federal awards expended during the fiscal year are expected to equal or exceed $750,000. Additionally, 2 CFR § 200.332(d)(3) requires pass-through entities to issue management decisions for applicable audit findings within six months of acceptance of the audit report by the Clearinghouse. Without verifying whether non-locality subrecipients received a Single Audit report, Compliance is unable to provide assurance that Social Services met the audit requirements set forth in 2 CFR § 200.332(d)(3) and (f). Additionally, Compliance cannot provide Social Services' Executive Team with assurance that its subrecipient monitoring efforts are adequate without reviewing non-locality Single Audit reports. Compliance did not review non-locality subrecipient Single Audit reports because it did not dedicate the resources necessary to implement corrective action. In its corrective action plan, Compliance planned to procure a centralized system to support its subrecipient monitoring efforts. However, Compliance was unable to procure such a system during the fiscal year and did not implement an alternative solution to comply with the requirements in 2 CFR § 200.332(d)(3) and (f). If it is unable to procure a centralized system, Compliance should determine what alternative solutions are available and start reviewing non-locality Single Audit reports to comply with the federal regulations in 2 CFR § 200.332(d)(3) and (f). Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-014: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan Applicable to: Department of Social Services Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19) Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022 Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d) Known Questioned Costs: $0 Benefit Programs does not oversee subrecipient monitoring activities to ensure they are conducted in accordance with its monitoring plan. During the fiscal year, Benefit Programs disbursed approximately $312 million in subaward payments from the Supplemental Nutrition Assistance Program (SNAP) and Medicaid Clusters and the LIHEAP and TANF federal grant programs. During the audit, we noted the following deviations from Benefit Programs' monitoring plan:
• Benefit Programs created a monitoring plan to comply with Social Services' Agency Monitoring Plan. Regional consultants, who perform the subrecipient monitoring activities, created their own subrecipient monitoring schedules that were not consistent with Benefit Programs' monitoring schedule.
• Benefit Programs did not confirm that the fiscal year 2022 monitoring review records uploaded to its data repository were complete. Missing records included the agency notification letter, the case selection sample, and the subrecipient monitoring checklist.
• At the beginning of audit fieldwork, the data repository did not contain all subrecipient monitoring reviews performed during the fiscal year. The Subrecipient Monitoring Coordinator subsequently obtained and uploaded the remaining subrecipient monitoring reviews to Benefit Programs' data repository. At the time of the audit, the data repository included only the following subrecipient monitoring reviews:
o 12 of 25 (48%) reviews performed for the LIHEAP federal grant program;
o 22 of 73 (30%) reviews performed for the SNAP Cluster;
o 13 of 62 (21%) reviews performed for the Medicaid Cluster; and
o nine of 62 (15%) reviews performed for the TANF federal grant program.
Benefit Programs completed only 25 of the 67 (37%) scheduled reviews for the LIHEAP federal grant program. Benefit Programs did not identify these issues because its monitoring plan did not clearly delineate who was responsible for overseeing subrecipient monitoring activities. As a result, no one in Benefit Programs was overseeing subrecipient monitoring activities. Title 2 CFR § 200.332(d) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conduct monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with 2 CFR § 200.332(d). In March 2022, Benefit Programs created a Subrecipient Monitoring Coordinator position to oversee its monitoring activities. The Subrecipient Monitoring Coordinator is working with Benefit Programs' Associate Director for Operations and Support to confirm that Benefit Programs' monitoring plan meets federal requirements. Benefit Programs should continue its efforts to confirm that it conducts monitoring activities in accordance with its monitoring plan. 
Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-015: Verify that Monitoring Plan Includes All Subrecipient Programmatic Activities Applicable to: Department of Social Services Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19) Federal Award Number and Year: 2201VATANF - 2022 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b) and (d) Known Questioned Costs: $0 Benefit Programs' monitoring plan does not include all subrecipient programmatic activities for the TANF federal grant program. Benefit Programs' primary programmatic activity for the TANF federal grant program is the eligibility determination function performed by local agencies. However, Benefit Programs also awards various competitive grants to local governments and non-profit organizations to help TANF recipients become self-sufficient. Benefit Programs did not include these programmatic activities in its monitoring plan. During the fiscal year, Benefit Programs disbursed approximately $47 million in TANF competitive grants to roughly 160 organizations. Title 2 CFR § 200.332(b) requires all pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Additionally, 2 CFR § 200.332(d) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. 
When Benefit Programs developed its monitoring plan, it only focused on eligibility functions performed by local agencies but did not consider other programmatic activities for the TANF federal grant program. Without including the other programmatic activities in the monitoring plan, Benefit Programs cannot provide assurance that subrecipients used TANF federal grant funds for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Benefit Programs should update its monitoring plan to include all subrecipient programmatic activities for the TANF federal grant program and ensure each subrecipient is subject to the appropriate risk assessment procedures. Additionally, Benefit Programs should review its awards data for the federal grant programs under its purview to determine if it should include any other subrecipient programmatic activities in its monitoring plan. Benefit Programs' monitoring coordinators should then review the division's monitoring efforts to ensure program consultants conduct them in accordance with the risk assessment. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-016: Evaluate Subrecipients' Risk of Noncompliance in Accordance with Federal Regulations Applicable to: Department of Social Services Prior Year Finding Number: 2021-071 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19) Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022 Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b) Known Questioned Costs: $0 Benefit Programs continues not to evaluate subrecipients' risk of noncompliance with federal regulations related to the administration of the SNAP and Medicaid Clusters and the TANF and LIHEAP federal grant programs. Benefit Programs develops its subrecipient monitoring approach based on the size of the subrecipient; however, it does not perform any further risk assessment procedures to determine the monitoring approach. Social Services disbursed approximately $312 million to subrecipients from these federal programs during the fiscal year. Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Further, 2 CFR § 200.332(b) suggests that pass-through entities should consider the results of previous audits, the subrecipient's prior experience with the same or similar subawards, and whether the subrecipient has new personnel or new or substantially changed systems. Benefit Programs developed a corrective action plan to perform risk assessment procedures in compliance with 2 CFR § 200.332(b); however, Benefit Programs was unable to implement the corrective action due to staff turnover. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of its subrecipients as necessary to ensure that subawards were used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Benefit Programs should continue its corrective action efforts to implement a subrecipient risk assessment process that is consistent with federal regulations and should ensure that its monitoring efforts are consistent with the results of that risk assessment. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-017: Comply with TANF Requirement to Participate in the Income Eligibility and Verification System Applicable to: Department of Social Services Prior Year Finding Number: 2021-068; 2020-077; 2019-088; 2018-087 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19) Federal Award Number and Year: 2201VATANF - 2022 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Special Tests and Provisions - 45 CFR § 264.10 Known Questioned Costs: $0 Social Services continues to work on implementing a process to comply with the Income Eligibility and Verification System (IEVS) requirement for the TANF federal grant program. In August 2020, Social Services completed and implemented the design for a new IEVS process that defines how IEVS matches are to be worked. However, due to Internal Revenue Service (IRS) security requirements, Local Departments of Social Services (local agency) staff are unable to use IEVS. Title 45 CFR § 264.10 requires states to meet the requirements of IEVS and to request the following information: (1) IRS unearned income; (2) State Wage Information Collection Agency (SWICA) employer quarterly reports of income and unemployment insurance benefit payments; (3) IRS earned income maintained by the Social Security Administration; and (4) immigration status information maintained by the Immigration and Naturalization Service. Because IEVS contains federal tax information, employees who can access it must have background investigations, including Federal Bureau of Investigation (FBI) fingerprinting. 
IRS Publication 1075, Section 2.C.3, Background Investigation Minimum Requirements, states that background investigations for any individual granted access to federal tax information must include, at a minimum, FBI fingerprinting; a check of where the subject has lived, worked, and/or attended school within the last five years; and validation of citizenship/residency to ensure the individual is legally eligible to work in the United States. Virginia law does not require local agency employees to pass a fingerprint background check; therefore, local agencies continue to determine eligibility for TANF participants by verifying income and other information using various state databases that do not contain IRS data. Social Services drafted a legislative proposal for a fingerprint background check requirement for local agency employees and presented the proposal to the Secretary of Health and Human Resources for consideration during the 2022 General Assembly session. However, the Secretary of Health and Human Resources did not approve the proposal to move forward to the General Assembly. By not using IEVS when verifying income for TANF participants, Social Services cannot verify that TANF participants have met all eligibility requirements. As a result, under 45 CFR § 264.11, the Commonwealth could incur a two-percent reduction of the adjusted State Family Assistance Grant payable for the immediately succeeding fiscal year, unless the state demonstrates that it had reasonable cause or achieved compliance under a corrective compliance plan. Social Services will not fully comply with the IEVS federal requirement until the Secretary of Health and Human Resources approves the legislative proposal to move forward to the General Assembly. 
Social Services should continue to work with the Secretary of Health and Human Resources to propose legislation to the General Assembly to require local agency employees to successfully pass a fingerprint background check. If the General Assembly passes legislation, Social Services should then implement a policy and procedure requiring background checks of local agency employees who access IEVS and ensure the local agencies processing TANF applications properly verify income using IEVS when determining eligibility for TANF. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-103: Implement Internal Controls over TANF Federal Performance Reporting Applicable to: Department of Social Services Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Material Weakness ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19) Federal Award Number and Year: 2201VATANF - 2022 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Reporting - 45 CFR § 265.7(b) Known Questioned Costs: $0 Benefit Programs does not have adequate internal controls in place to ensure accurate reporting on the Administration for Children and Families (ACF) 199 TANF Data Report (ACF-199) and the 209 Separate State Programs-Maintenance-of-Effort (SSP-MOE) Data Report (ACF-209). Social Services submits these reports quarterly and creates them through a fully automated process that extracts data from Social Services' case management system. ACF uses the information in these reports to determine whether the Commonwealth met the minimum work participation requirements for the TANF federal grant program. Benefit Programs uses a third-party service provider (service provider) to produce the ACF-199 and ACF-209 reports and relies solely on the service provider's internal controls during the data extraction and reporting process. During our review, we identified the following instances where the service provider did not report key line item information accurately based on the information maintained in Social Services' case management system or the supporting data:
• Ten out of 50 (20%) cases included in the "Receives Subsidized Child Care" key line item, four out of 50 (8%) cases included in the "Unsubsidized Employment" key line item, and two out of 50 (4%) cases included in the "Work Participation Status" key line item did not agree with Social Services' case management system.
• Three out of three (100%) of the "Total Number of TANF Families" key line items and three out of three (100%) of the "Total Number of SSP-MOE Families" key line items did not agree with the supporting data.
Title 45 CFR § 265.7(b) requires states to submit complete and accurate reports, meaning that the reported data accurately reflect information available in case records, are free of computational errors, and are internally consistent. Reporting potentially inaccurate or incomplete information prevents ACF from adequately monitoring Social Services' work participation rates and the overall performance of the TANF program. In addition, ACF can impose a penalty if it finds that Social Services is not meeting the statutorily required work participation rates. Benefit Programs has not developed its own policies and procedures identifying how it obtains assurance over the accuracy of the data included in the submissions. Benefit Programs also relies on the error correction controls that ACF performs after report submission, with no secondary review or data validation performed within the agency prior to submission to determine whether the reported TANF work participation information is accurate. Because of the scope of this matter, we consider it to be a material weakness in internal control. Benefit Programs should implement policies and procedures over the TANF performance reporting process that include a documented secondary review. Benefit Programs should confirm completion of this review prior to report submission to ensure accurate reporting of TANF work participation information to ACF in accordance with the ACF-199 and ACF-209 reporting instructions. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-106: Strengthen Internal Controls over FFATA Reporting Applicable to: Department of Social Services Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19); Adoption Assistance - 93.659; Foster Care Title IV-E - 93.658; Social Services Block Grant - 93.667 Federal Award Number and Year: 2201VATANF; 2201VAADPT; 2201VAFOST; 2201VASOSR - 2022 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Reporting - 2 CFR Part 170, Appendix A Known Questioned Costs: $0 Finance is not maintaining proper internal controls over FFATA reporting. FFATA reporting provides full disclosure of how entities and organizations obligate federal funding. During the fiscal year, Social Services disbursed approximately $588 million in federal funds under roughly 5,000 subawards. During our audit of the TANF, Adoption Assistance, Foster Care, and SSBG federal grant programs, we noted the following deviations from Finance's policy:
• Finance did not complete the required FFATA reporting submissions for the TANF and SSBG federal grant programs.
• Finance did not complete FFATA reporting submissions for three of the five (60%) subawards sampled for the Adoption Assistance federal grant program. For the two reports tested, Finance could not provide documentation supporting the entries made in the FFATA Subaward Reporting System (FSRS). Additionally, Finance submitted these reports nearly three and one-half months after the due date.
• For the five subawards tested for the Foster Care federal grant program, Social Services was unable to provide documentation supporting the FSRS entries for any of the subawards. Additionally, Finance submitted these reports nearly three and one-half months after the due date.
Title 2 CFR Part 170, Appendix A requires the non-federal entity to report each obligating action exceeding $30,000 to the FSRS. Further, 2 CFR Part 170, Appendix A requires the non-federal entity to submit subaward information no later than the end of the month following the month in which it made the obligation. Finally, 2 CFR § 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Finance did not report this information to FSRS because program personnel did not submit the required information to Finance for reporting in FSRS. Additionally, Finance was not reviewing Social Services' financial records to ensure that program personnel reported all required subaward information. Not uploading obligating actions to FSRS could give a citizen or federal official a distorted view of how Social Services is obligating federal funds. Finance should remind program personnel to submit the FFATA subaward reporting information required by its policy. Additionally, Finance should consider periodically checking Social Services' financial records for instances where program personnel have not submitted the required FFATA subaward reporting information; where it finds such instances, Finance should collect the information from them promptly to comply with the FFATA reporting requirements. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-013: Review Non-Locality Subrecipient Single Audit Reports Applicable to: Department of Social Services Prior Year Finding Number: 2021-072; 2020-075; 2019-091; 2018-092 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19) Federal Award Number and Year: 2201VATANF - 2022 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR ? 200.332(d)(3)(f) Known Questioned Costs: $0 Compliance continues to not review non-locality subrecipient Single Audit reports as established within its Agency Monitoring Plan. Non-locality subrecipients are subrecipients, who are not local governments, and are mainly comprised of non-profit organizations. During fiscal year 2022, Social Services disbursed approximately $80 million in federal funds to roughly 200 non-locality subrecipients. While reviewing the audit reports for the 27 non-locality subrecipients that received more than $750,000 in federal funds from Social Services, we noted the following: Five non-locality subrecipients (19%) did not have a current Single Audit report available in the Federal Audit Clearinghouse (Clearinghouse). Fiscal year 2022 federal disbursements to these non-locality subrecipients totaled approximately $6.5 million. Two non-locality subrecipients (7%) had audit findings that affected one or more of Social Services' federal grant programs. As a result of the lack of review over non- locality subrecipient Single Audit reports, Social Services did not issue management decision letters within six months of acceptance of the audit reports by the Clearinghouse to collaboratively resolve audit findings related to Social Services' federal programs. According to 2 CFR ? 
200.332(f), all pass-through entities must verify their subrecipients are audited if it is expected that subrecipient's federal awards expended during the respective fiscal year equaled or exceeded $750,000. Additionally, 2 CFR ? 200.332(d)(3) requires pass- through entities to issue management decisions for applicable audit findings within six months of acceptance of the audit report by the Clearinghouse. Without verifying whether non-locality subrecipients received a Single Audit report, Compliance is unable to provide assurance that Social Services met the audit requirements set forth in 2 CFR ? 200.332(d)(3) and (f). Additionally, Compliance cannot provide Social Services' Executive Team with assurance that its subrecipient monitoring efforts are adequate without reviewing non-locality Single Audit reports. Compliance did not review non-locality subrecipient Single Audit reports because it did not dedicate the resources necessary to implement corrective action. In its corrective action plan, Compliance planned to procure a centralized system to support its subrecipient monitoring efforts. However, Compliance was unable to procure a centralized system to support its subrecipient monitoring efforts during the fiscal year and it did not implement an alternative solution to comply with the requirements in 2 CFR ? 200.332(d)(3) and (f). Compliance should determine what alternative solutions are available, if it is unable to procure a centralized system, and start reviewing non-locality Single Audit reports to comply with the federal regulations in 2 CFR ? 200.332(d)(3) and (f). Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-014: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0

Benefit Programs does not oversee subrecipient monitoring activities to ensure they are conducted in accordance with its monitoring plan. During the fiscal year, Benefit Programs disbursed approximately $312 million in subaward payments from the Supplemental Nutrition Assistance Program (SNAP) and Medicaid Clusters and the LIHEAP and TANF federal grant programs. During the audit, we noted the following deviations from Benefit Programs' monitoring plan:

• Benefit Programs created a monitoring plan to comply with Social Services' Agency Monitoring Plan. Regional consultants, who perform subrecipient monitoring activities, created their own subrecipient monitoring schedules that were not consistent with Benefit Programs' monitoring schedule.
• Benefit Programs did not confirm that fiscal year 2022 monitoring review records uploaded to its data repository were complete. Some of the missing records included the agency notification letter, case selection sample, and subrecipient monitoring checklist.
• At the beginning of audit fieldwork, the data repository did not contain all subrecipient monitoring reviews performed during the fiscal year. The Subrecipient Monitoring Coordinator subsequently obtained and uploaded the remaining subrecipient monitoring reviews to Benefit Programs' data repository. At the time of the audit, the data repository included only the following subrecipient monitoring reviews:
  o 12 of 25 (48%) reviews performed for the LIHEAP federal grant program;
  o 22 of 73 (30%) reviews performed for the SNAP Cluster;
  o 13 of 62 (21%) reviews performed for the Medicaid Cluster; and
  o nine of 62 (15%) reviews performed for the TANF federal grant program.
• Benefit Programs completed only 25 of the 67 (37%) scheduled reviews for the LIHEAP federal grant program.

Benefit Programs did not identify these issues because its monitoring plan did not clearly delineate who was responsible for overseeing subrecipient monitoring activities. As a result, no one in Benefit Programs was overseeing subrecipient monitoring activities.

Title 2 CFR § 200.332(d) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conduct monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with 2 CFR § 200.332(d).

In March 2022, Benefit Programs created a Subrecipient Monitoring Coordinator position to oversee its monitoring activities. The Subrecipient Monitoring Coordinator is working with Benefit Programs' Associate Director for Operations and Support to confirm that Benefit Programs' monitoring plan meets federal requirements. Benefit Programs should continue its efforts to confirm that it conducts monitoring activities in accordance with its monitoring plan.
Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-015: Verify that Monitoring Plan Includes All Subrecipient Programmatic Activities
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b) and (d)
Known Questioned Costs: $0

Benefit Programs' monitoring plan does not include all subrecipient programmatic activities for the TANF federal grant program. Benefit Programs' primary programmatic activity for the TANF federal grant program is the eligibility determination functions performed by local agencies. However, Benefit Programs also awards various competitive grants to local governments and non-profit organizations to help TANF recipients become self-sufficient. Benefit Programs did not include these programmatic activities in its monitoring plan. During the fiscal year, Benefit Programs disbursed approximately $47 million in TANF competitive grants to roughly 160 organizations.

Title 2 CFR § 200.332(b) requires all pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Additionally, 2 CFR § 200.332(d) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward, and achieves subaward performance goals.

When Benefit Programs developed its monitoring plan, it focused only on eligibility functions performed by local agencies and did not consider other programmatic activities for the TANF federal grant program. Without including the other programmatic activities in the monitoring plan, Benefit Programs cannot provide assurance that subrecipients used TANF federal grant funds for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward.

Benefit Programs should update its monitoring plan to include all subrecipient programmatic activities for the TANF federal grant program and ensure each subrecipient is subject to the appropriate risk assessment procedures. Additionally, Benefit Programs should review its awards data for the federal grant programs under its purview to determine whether it should include any other subrecipient programmatic activities in its monitoring plan. Benefit Programs' monitoring coordinators should then review the division's monitoring efforts to ensure program consultants conduct them in accordance with the risk assessment.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-016: Evaluate Subrecipients' Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0

Benefit Programs continues not to evaluate subrecipients' risk of noncompliance with federal regulations related to the administration of the SNAP and Medicaid Clusters and the TANF and LIHEAP federal grant programs. Benefit Programs develops its subrecipient monitoring approach using the size of the subrecipient; however, it does not perform any further risk assessment procedures to determine the monitoring approach. Social Services disbursed approximately $312 million to subrecipients from these federal programs during the fiscal year.

Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Further, 2 CFR § 200.332(b) suggests that pass-through entities consider the results of previous audits, the subrecipient's prior experience with the same or similar subawards, and whether the subrecipient has new personnel or new or substantially changed systems.

Benefit Programs developed a corrective action plan to perform risk assessment procedures to comply with 2 CFR § 200.332(b); however, Benefit Programs was unable to implement corrective action due to staff turnover. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipient as necessary to ensure that the subaward was used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward.

Benefit Programs should continue its corrective action efforts to implement a risk assessment process for subrecipients that is consistent with federal regulations and ensure that its monitoring efforts are consistent with the results of its risk assessment.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-017: Comply with TANF Requirement to Participate in the Income Eligibility and Verification System
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-068; 2020-077; 2019-088; 2018-087
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Special Tests and Provisions - 45 CFR § 264.10
Known Questioned Costs: $0

Social Services continues to work on implementing a process to comply with the Income Eligibility and Verification System (IEVS) requirement for the TANF federal grant program. In August 2020, Social Services completed and implemented the design for the new IEVS process to provide a defined process for working the IEVS matches. However, due to Internal Revenue Service (IRS) security requirements, Local Departments of Social Services (local agency) staff are unable to use IEVS.

Title 45 CFR § 264.10 requires states to meet the requirements of IEVS and request the following information: (1) IRS unearned income; (2) State Wage Information Collection Agency (SWICA) employer quarterly reports of income and unemployment insurance benefit payments; (3) IRS earned income maintained by the Social Security Administration; and (4) immigration status information maintained by the Immigration and Naturalization Service. Because IEVS contains federal tax information, local agency employees who can access it must have background investigations, including Federal Bureau of Investigation (FBI) fingerprinting. IRS Publication 1075, Section 2.C.3 (Background Investigation Minimum Requirements), states that background investigations for any individual granted access to federal tax information must include, at a minimum, FBI fingerprinting; a check of where the subject has lived, worked, and/or attended school within the last five years; and validation of citizenship/residency to ensure the individual is legally eligible to work in the United States.

Virginia law does not require local agency employees to successfully pass a fingerprint background check; therefore, local agencies continue to determine eligibility for TANF participants by verifying income and other information using various state databases that do not contain data from the IRS. Social Services drafted a legislative proposal for a fingerprint background check requirement for local agency employees and presented the proposal to the Secretary of Health and Human Resources for consideration during the 2022 General Assembly session. However, the Secretary of Health and Human Resources did not approve this proposal to move forward to the General Assembly.

By not using IEVS when verifying income for TANF participants, Social Services cannot verify that participants in the TANF program have met all eligibility requirements. As a result, per 45 CFR § 264.11, the Commonwealth could incur a two-percent reduction of the adjusted State Family Assistance Grant payable for the immediately succeeding fiscal year, unless the state demonstrates that it had reasonable cause or achieved compliance under a corrective compliance plan. Social Services will not fully comply with the IEVS federal requirement until the Secretary of Health and Human Resources approves the legislative proposal to move forward to the General Assembly.
Social Services should continue to work with the Secretary of Health and Human Resources to propose legislation to the General Assembly to require local agency employees to successfully pass a fingerprint background check. If the General Assembly passes legislation, Social Services should then implement a policy and procedure requiring background checks of local agency employees who access IEVS and ensure the local agencies processing TANF applications properly verify income using IEVS when determining eligibility for TANF. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-103: Implement Internal Controls over TANF Federal Performance Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 45 CFR § 265.7(b)
Known Questioned Costs: $0

Benefit Programs does not have adequate internal controls in place to ensure accurate reporting for the Administration for Children and Families (ACF) 199 TANF Data Report (ACF-199) and the 209 Separate State Programs-Maintenance-of-Effort (SSP-MOE) Data Report (ACF-209). Social Services submits these reports quarterly and creates them using a fully automated process that extracts data from Social Services' case management system. ACF uses the information in these reports to determine whether the Commonwealth met the minimum work participation requirements for the TANF federal grant program. Benefit Programs uses a third-party service provider (service provider) to produce the ACF-199 and ACF-209 reports and relies solely on the service provider's internal controls during the data extraction and data reporting process. During our review, we identified the following instances where the service provider did not report key line information accurately based on the information maintained in Social Services' case management system or the supporting data:

• Ten out of 50 (20%) cases included in the "Receives Subsidized Child Care" key line item, four out of 50 (8%) cases included in the "Unsubsidized Employment" key line item, and two out of 50 (4%) cases included in the "Work Participation Status" key line item did not agree to Social Services' case management system.
• Three out of three (100%) of the "Total Number of TANF Families" key line items and three out of three (100%) of the "Total Number of SSP-MOE Families" key line items did not agree to the supporting data.

Title 45 CFR § 265.7(b) requires states to submit complete and accurate reports, which means that the reported data accurately reflects information available in case records, is free of computational errors, and is internally consistent. Reporting potentially inaccurate or incomplete information prevents ACF from adequately monitoring Social Services' work participation rates and the overall performance of the TANF program. In addition, ACF can impose a penalty if it finds that Social Services is not meeting the statutorily required work participation rates.

Benefit Programs has not developed its own policies and procedures to identify how it obtains assurance over the accuracy of the data included within the submissions. Benefit Programs also relies on the error correction controls of ACF, performed after report submission, with no secondary review or data validation processes performed within the agency prior to report submission to determine whether the TANF work participation information reported is accurate. Because of the scope of this matter, we consider it to be a material weakness in internal control.

Benefit Programs should implement policies and procedures over the TANF performance reporting process that include a documented secondary review process. Benefit Programs should confirm completion of this review prior to report submission to ensure accurate reporting of TANF work participation information to ACF in accordance with the ACF-199 and ACF-209 reporting instructions.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-106: Strengthen Internal Controls over FFATA Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19); Adoption Assistance - 93.659; Foster Care Title IV-E - 93.658; Social Services Block Grant - 93.667
Federal Award Number and Year: 2201VATANF; 2201VAADPT; 2201VAFOST; 2201VASOSR - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR Part 170 Appendix A
Known Questioned Costs: $0

Finance is not maintaining proper internal controls over FFATA reporting. FFATA reporting helps to provide full disclosure of how entities and organizations obligate federal funding. During the fiscal year, Social Services disbursed approximately $588 million in federal funds from roughly 5,000 subawards. During our audit of the TANF, Adoption Assistance, Foster Care, and SSBG federal grant programs, we noted the following deviations from Finance's policy:

• Finance did not complete the required FFATA reporting submissions for the TANF and SSBG federal grant programs.
• Finance did not complete FFATA reporting submissions for three of five (60%) of the subawards sampled for the Adoption Assistance federal grant program. For the two reports tested, Finance could not provide documentation supporting entries into the FFATA Subaward Reporting System (FSRS). Additionally, Finance submitted these reports nearly three and one-half months after the due date.
• For the five subawards tested for the Foster Care federal grant program, Social Services was unable to provide documentation supporting entries into the FSRS for any of the subawards. Additionally, Finance submitted these reports nearly three and one-half months after the due date.

Title 2 CFR Part 170 Appendix A requires the non-federal entity to report each obligating action exceeding $30,000 to the FSRS. Further, 2 CFR Part 170 Appendix A requires the non-federal entity to submit subaward information no later than the end of the month following the month in which it made the obligation. Finally, 2 CFR § 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

Finance did not report this information to FSRS because program personnel did not submit the required information to Finance for reporting in FSRS. Additionally, Finance was not reviewing Social Services' financial records to ensure program personnel reported all required subaward information. Not uploading obligating actions to FSRS could give a citizen or federal official a distorted view of how Social Services is obligating federal funds.

Finance should remind program personnel to submit the required FFATA subaward reporting information as required by its policy. Additionally, Finance should consider periodically checking Social Services' financial records for instances where program personnel are not submitting the required FFATA subaward reporting information. If so, Finance should collect this information from them promptly to comply with the FFATA reporting requirements.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
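The periodic check recommended above (comparing the agency's own financial records against what was actually submitted to FSRS) is a reconciliation that can be automated rather than left to reminders. The following Python is an added illustration written for this page; it is not code from the Department of Social Services, the auditor, or FSRS. It applies the two rules stated in the finding: an obligating action is reportable when it exceeds $30,000, and the report is due by the end of the month following the obligation month. The obligation and submission records are constructed sample data, and keying submissions by a single subaward identifier is a simplifying assumption made here.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# 2 CFR Part 170 Appendix A: obligating actions exceeding $30,000 must be reported to FSRS.
FFATA_THRESHOLD = 30_000


@dataclass(frozen=True)
class Obligation:
    """One obligating action taken from the agency's financial records."""
    subaward_id: str
    program: str
    amount: float
    obligated_on: date


@dataclass(frozen=True)
class FsrsSubmission:
    """One FSRS report, as recorded by Finance (keyed by subaward for this example)."""
    subaward_id: str
    submitted_on: date


def first_of_next_month(d: date) -> date:
    # Roll the year over when the month is December.
    return date(d.year + (d.month == 12), d.month % 12 + 1, 1)


def ffata_due_date(obligated_on: date) -> date:
    # Due no later than the end of the month FOLLOWING the obligation month:
    # first day of the month after that, minus one day (handles 28/29/30/31-day months).
    following_month = first_of_next_month(obligated_on)
    return first_of_next_month(following_month) - timedelta(days=1)


def reconcile(obligations, submissions, as_of: date):
    """Return one status record per reportable obligation.

    status is one of:
      on_time  - submitted on or before the due date
      late     - submitted after the due date (days_late gives the slip)
      missing  - not submitted and the due date has passed
      pending  - not submitted but the due date has not yet passed
    Obligations at or below the threshold are not reportable and are skipped.
    """
    by_id = {s.subaward_id: s for s in submissions}
    results = []
    for ob in obligations:
        if ob.amount <= FFATA_THRESHOLD:
            continue
        due = ffata_due_date(ob.obligated_on)
        sub = by_id.get(ob.subaward_id)
        if sub is None:
            status, days_late = ("missing" if as_of > due else "pending"), 0
        elif sub.submitted_on > due:
            status, days_late = "late", (sub.submitted_on - due).days
        else:
            status, days_late = "on_time", 0
        results.append({
            "subaward_id": ob.subaward_id,
            "program": ob.program,
            "due": due.isoformat(),
            "status": status,
            "days_late": days_late,
        })
    return results


# Constructed sample records (not real DSS data); FY2022 dates chosen to exercise each status.
SAMPLE_OBLIGATIONS = [
    Obligation("SA-001", "TANF", 45_000.00, date(2021, 12, 15)),        # due 2022-01-31, filed late
    Obligation("SA-002", "SSBG", 120_000.00, date(2022, 1, 10)),        # due 2022-02-28, never filed
    Obligation("SA-003", "Foster Care", 25_000.00, date(2022, 2, 3)),   # below threshold, not reportable
    Obligation("SA-004", "Adoption Assistance", 60_000.00, date(2022, 3, 20)),  # due 2022-04-30, on time
    Obligation("SA-005", "TANF", 80_000.00, date(2022, 6, 5)),          # due 2022-07-31, still open
]
SAMPLE_SUBMISSIONS = [
    FsrsSubmission("SA-001", date(2022, 5, 16)),   # ~3.5 months after the January due date
    FsrsSubmission("SA-004", date(2022, 4, 29)),
]
AS_OF = date(2022, 6, 30)  # fiscal year end


def exceptions(as_of: date = AS_OF):
    """Only the records Finance needs to chase: anything not on_time or pending."""
    return [r for r in reconcile(SAMPLE_OBLIGATIONS, SAMPLE_SUBMISSIONS, as_of)
            if r["status"] in ("late", "missing")]


if __name__ == "__main__":
    for r in reconcile(SAMPLE_OBLIGATIONS, SAMPLE_SUBMISSIONS, AS_OF):
        print(f'{r["subaward_id"]:7} {r["program"]:20} due {r["due"]} {r["status"]:8} {r["days_late"]:>4}')
```

Run against the constructed sample, the exception list contains SA-001 (late by 105 days, roughly the three-and-one-half-month slip described in the finding) and SA-002 (never reported); SA-003 is ignored because $25,000 does not exceed the threshold, and SA-005 is merely pending because its July due date has not passed at fiscal year end. Feeding the same logic the general ledger's subaward obligations and Finance's FSRS submission log turns the recommended "periodic check" into a repeatable control with a documented exception list.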
2022-104: Perform Analysis to Identify Service Provider Agencies That Perform Significant Fiscal Processes
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Social Services Block Grant - 93.667
Federal Award Number and Year: 2201VASOSR - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Social Services is not performing a comprehensive analysis of service provider agencies during its Agency Risk Management and Internal Control Standards (ARMICS) review to determine whether they perform significant fiscal processes. Significant fiscal processes include, but are not limited to, programs or activities that have a high degree of public visibility, represent areas of concern and high risk to mission-critical business processes for agency managers and stakeholders, or have a significant effect on general ledger account balances. Social Services transferred $90 million to other state agencies or institutions from various federal grant programs during the fiscal year to administer certain grants management functions on its behalf.

CAPP Manual Topic 10305 states that an agency (primary agency) may use another agency (service provider agency) to perform significant fiscal processes for the primary agency. ARMICS states that decisions about significance should consider not only quantitative but also qualitative factors, and that managers should define any fiscal process as significant if errors or misstatements in the process could have adverse consequences for legal or regulatory obligations. Further, CAPP Manual Topic 10305 states that if a primary agency identifies a service provider agency that performs significant fiscal processes, the primary agency must have adequate interaction with the service provider agency to gain an appropriate understanding of the service provider agency's control environment and obtain assurances from the service provider agency regarding the state of internal control applicable to the significant fiscal processes performed. Finally, 2 CFR § 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

During its analysis of service provider agencies, Social Services considered only service provider agencies that have a significant effect on general ledger account balances, and not those that have a high degree of public visibility or represent areas of concern or high risk to mission-critical business processes. Without performing a comprehensive analysis of service provider agencies during its ARMICS review, Social Services cannot assure itself that it has obtained adequate coverage over service provider agency operations that are quantitatively or qualitatively significant to its operations.

Social Services should identify all service provider agencies and determine which of them perform significant fiscal processes. Thereafter, Social Services should perform a comprehensive analysis to determine whether it has an appropriate understanding of each such service provider agency's control environment and obtain assurance from the service provider agency regarding the state of internal control applicable to the significant fiscal processes performed.
Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-105: Document Process to Collect and Retain Documentation Supporting the SSBG Post-Expenditure Report
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Social Services Block Grant - 93.667
Federal Award Number and Year: 2201VASOSR - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Finance does not have a documented process in place to collect and retain documentation supporting the number of eligible individuals who received services paid for in part or in whole with federal funds under the Social Services Block Grant (SSBG), which it reported in its federal fiscal year 2021 SSBG Post-Expenditure Report submission to the Administration for Children and Families (ACF) in March 2022. ACF requires that states submit an annual Post-Expenditure Report that describes how the state expended SSBG funds for the past year. ACF's Office of Community Services analyzes SSBG expenditure and recipient data reported through the Post-Expenditure Reports to develop the SSBG Annual Report and performance measures for the SSBG program. Title 45 CFR § 96.74 requires states to report actual numbers of recipients and actual expenditures when this information is available. Additionally, 2 CFR § 200.303(a) requires pass-through entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
Finance has a consistent process for obtaining and retaining supporting documentation for financial data reported to the federal government but has not yet documented a process for collecting and retaining performance data showing the number of eligible individuals who received services from SSBG. Without documenting its process and retaining supporting documentation, Finance cannot provide assurance that the data included in the SSBG Post-Expenditure Report is accurate. Finance should document a process to collect and retain all supporting documentation used to complete the SSBG Post-Expenditure Report submitted to ACF to provide assurance that the data included within the Report is accurate.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-106: Strengthen Internal Controls over FFATA Reporting
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19); Adoption Assistance - 93.659; Foster Care Title IV-E - 93.658; Social Services Block Grant - 93.667
Federal Award Number and Year: 2201VATANF; 2201VAADPT; 2201VAFOST; 2201VASOSR - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR Part 170 Appendix A
Known Questioned Costs: $0

Finance is not maintaining proper internal controls over Federal Funding Accountability and Transparency Act (FFATA) reporting. FFATA reporting helps to provide full disclosure for how entities and organizations obligate federal funding. During the fiscal year, Social Services disbursed approximately $588 million in federal funds from roughly 5,000 subawards. During our audit of the TANF, Adoption Assistance, Foster Care, and SSBG federal grant programs, we noted the following deviations from Finance's policy:

- Finance did not complete the required FFATA reporting submissions for the TANF and SSBG federal grant programs.
- Finance did not complete FFATA reporting submissions for three of five (60%) of the subawards sampled for the Adoption Assistance federal grant program. For the two reports tested, Finance could not provide documentation supporting entries into the FFATA Subaward Reporting System (FSRS). Additionally, Finance submitted these reports nearly three and one-half months after the due date.
- For the five subawards tested for the Foster Care federal grant program, Social Services was unable to provide documentation supporting entries into the FSRS for all subawards. Additionally, Finance submitted these reports nearly three and one-half months after the due date.

Title 2 CFR Part 170 Appendix A requires the non-federal entity to report each obligating action exceeding $30,000 to the FSRS. Further, 2 CFR Part 170 Appendix A requires the non-federal entity to submit subaward information no later than the end of the month following the month in which it made the obligation. Finally, 2 CFR § 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

Finance did not report this information to FSRS because program personnel did not submit the required information to Finance to report in FSRS. Additionally, Finance was not reviewing Social Services' financial records to ensure program personnel reported all required subaward information. Not uploading obligating actions to FSRS could result in a citizen or federal official having a distorted view as to how Social Services is obligating federal funds.

Finance should remind program personnel to submit required FFATA subaward reporting information as required by its policy. Additionally, Finance should consider periodically checking Social Services' financial records to see if there are instances where program personnel are not submitting the required FFATA subaward reporting information. If so, Finance should collect this information from them promptly to comply with the FFATA reporting requirements.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
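The periodic check recommended in this finding can be expressed as a reconciliation of the agency's own obligation records against what was actually submitted to FSRS. The routine below is an added example written for this page, not Finance's procedure and not any FSRS tooling; it applies the two rules the finding cites, the $30,000 threshold and the end-of-the-following-month deadline, to constructed subaward records. The record layouts, field names and sample obligations are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
import calendar

# 2 CFR Part 170 Appendix A: obligating actions exceeding $30,000 are reportable.
FFATA_THRESHOLD = 30_000


@dataclass(frozen=True)
class Obligation:
    """One obligating action from the agency's financial records (constructed layout)."""
    subaward_id: str
    amount: float
    obligated_on: date


@dataclass(frozen=True)
class Submission:
    """One FSRS submission as recorded by Finance (constructed layout)."""
    subaward_id: str
    submitted_on: date


def fsrs_deadline(obligated_on: date) -> date:
    """Last day of the month following the month of the obligating action."""
    year, month = obligated_on.year, obligated_on.month + 1
    if month == 13:  # December obligations roll into January of the next year
        year, month = year + 1, 1
    return date(year, month, calendar.monthrange(year, month)[1])


def ffata_exceptions(obligations, submissions, as_of: date) -> dict:
    """Reconcile financial records against FSRS submissions.

    Returns sorted subaward IDs in three buckets:
      unreported - reportable obligation, no submission, deadline already passed as of `as_of`
      pending    - reportable obligation, no submission, deadline not yet reached
      late       - submission exists but landed after the deadline
    Obligations at or below the threshold are not reportable and are skipped.
    """
    first_submission = {}
    for s in submissions:
        # Use the earliest submission per subaward when there are several.
        if s.subaward_id not in first_submission or s.submitted_on < first_submission[s.subaward_id]:
            first_submission[s.subaward_id] = s.submitted_on

    unreported, pending, late = [], [], []
    for o in obligations:
        if o.amount <= FFATA_THRESHOLD:
            continue
        deadline = fsrs_deadline(o.obligated_on)
        submitted_on = first_submission.get(o.subaward_id)
        if submitted_on is None:
            (unreported if as_of > deadline else pending).append(o.subaward_id)
        elif submitted_on > deadline:
            late.append(o.subaward_id)
    return {"unreported": sorted(unreported), "pending": sorted(pending), "late": sorted(late)}


def demo() -> dict:
    """Constructed fiscal-year sample; IDs and amounts are invented for illustration."""
    obligations = [
        Obligation("SA-001", 45_000, date(2021, 7, 15)),   # reported ~3.5 months late
        Obligation("SA-002", 120_000, date(2021, 10, 5)),  # never reported
        Obligation("SA-003", 25_000, date(2021, 9, 1)),    # below threshold, not reportable
        Obligation("SA-004", 30_000, date(2021, 9, 1)),    # exactly $30,000: not "exceeding"
        Obligation("SA-005", 60_000, date(2022, 6, 10)),   # deadline still in the future
        Obligation("SA-006", 80_000, date(2021, 12, 20)),  # year rollover, reported on time
    ]
    submissions = [
        Submission("SA-001", date(2021, 12, 14)),
        Submission("SA-006", date(2022, 1, 28)),
    ]
    return ffata_exceptions(obligations, submissions, as_of=date(2022, 6, 30))


if __name__ == "__main__":
    print(demo())
```

Running the sample reports SA-001 as late, SA-002 as unreported and SA-005 as pending; the two sub-threshold obligations and the on-time December obligation produce no exception. Keying the reconciliation on the agency's ledger rather than on what program personnel happened to forward is the point: the ledger is the complete population, so gaps show up as exceptions instead of staying invisible.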
2022-011: Perform Responsibilities Outlined in the Agency Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-070; 2020-074; 2019-090; 2018-093
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.303(a)
Known Questioned Costs: $0

The Department of Social Services' (Social Services) Compliance Division (Compliance) continues to not adhere to its established approach to oversee the agency's subrecipient monitoring activities, as outlined in its Agency Monitoring Plan. During fiscal year 2022, Social Services disbursed approximately $588 million in federal funds from roughly 5,000 subawards. According to Social Services' Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps to ensure adherence to state and federal legal and regulatory standards, including subrecipient monitoring. During the audit, we noted the following deviations from the Agency Monitoring Plan:

- Compliance has not finalized the Agency Monitoring Plan and, as a result, has not communicated it to Subrecipient Monitoring Coordinators within each division of Social Services. Because of the lack of communication, there were deviations from the Agency Monitoring Plan at the division level. For example, the Agency Monitoring Plan requires each division to monitor subrecipients once every three years. However, the Local Review Team and Child Care Subsidy Program Monitoring Plans did not consider this requirement because the Subrecipient Monitoring Coordinators were unaware of this requirement. We communicated this matter to Social Services through the audit finding titled "Finalize the Agency Monitoring Plan and Communicate Responsibilities to Subrecipient Monitoring Coordinators," which we have included as a separate audit finding in this report.
- Compliance continues to not review division monitoring plans to ensure the divisions implemented a risk-based approach for monitoring subrecipients. The Agency Monitoring Plan states that Compliance will use a monitoring plan checklist to evaluate and determine if all the required elements for subrecipient monitoring are present in each division's plan. As a result of the lack of review, the Division of Benefit Programs' (Benefit Programs) monitoring plan continues to not meet all the requirements outlined in the Agency Monitoring Plan because it does not include a risk-based approach for subrecipient monitoring and does not consider all subrecipients who receive funding from the Temporary Assistance for Needy Families (TANF) federal grant program. We communicated these matters to Social Services through the audit findings titled "Verify that Monitoring Plan Includes All Subrecipient Programmatic Activities" and "Evaluate Subrecipients' Risk of Noncompliance in Accordance with Federal Regulations," which we have included as separate audit findings in this report.
- Compliance continues to not conduct an analysis of subrecipient monitoring review efforts performed by the divisions. As a result, Compliance has not produced quarterly reports of variances and noncompliance to brief Social Services' Executive Team on the agency's subrecipient monitoring activities. Because of the lack of analysis, Compliance was unaware of deviations from the Agency Monitoring Plan occurring at the divisions. For example, Benefit Programs only completed 25 of the 67 (37%) scheduled reviews for the Low-Income Home Energy Assistance Program (LIHEAP) federal grant program. Additionally, Benefit Programs did not upload its monitoring review records to Social Services' data repository timely for management review. As a result, Compliance was unaware that Regional Consultants were deviating from Benefit Programs' monitoring plan. We communicated this matter to Social Services through the audit finding titled "Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan," which we have included as a separate audit finding in this report.

Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot provide Social Services' Executive Team with reasonable assurance that the agency complied with the pass-through entity federal requirements at 2 CFR § 200.332. Title 2 CFR § 200.303(a) requires pass-through entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

Compliance planned to procure a centralized system to strengthen its monitoring activities but has been unsuccessful in its efforts and has not identified alternative approaches for carrying out the responsibilities in the Agency Monitoring Plan and discussed them with Social Services' Executive Team. Because of the scope of this matter, we consider it to be a material weakness in internal control.

Social Services' Executive Team shapes strategies, develops objectives, and collectively resolves issues that are critical to the overall agency performance. Social Services' Executive Team and Compliance should work collaboratively to determine the best approach for carrying out the responsibilities in the Agency Monitoring Plan. Additionally, Social Services' Executive Team and Compliance should hold quarterly meetings to discuss the Agency Monitoring Plan and its activities.
Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-012: Finalize the Agency Monitoring Plan and Communicate Responsibilities to Subrecipient Monitoring Coordinators
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-069; 2020-076
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0

Compliance has not finalized its Agency Monitoring Plan and communicated responsibilities to Subrecipient Monitoring Coordinators, as recommended during the fiscal year 2020 audit. The oversight of Social Services' subrecipient monitoring processes transitioned from the Division of Community and Volunteer Services (Community and Volunteer Services) to Compliance in fiscal year 2019. Community and Volunteer Services created the Agency Monitoring Plan, and it is now the responsibility of Compliance. However, Compliance has not updated the Agency Monitoring Plan to properly reflect agency operations over subrecipient monitoring. In effect, Compliance continues to not communicate the Agency Monitoring Plan to Subrecipient Monitoring Coordinators within each division of Social Services. During fiscal year 2022, Social Services disbursed approximately $588 million in federal funds from roughly 5,000 subawards. Title 2 CFR § 200.332(d) requires pass-through entities to monitor the activities of subrecipients as necessary to ensure use of the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward.
Without clearly defining responsibilities and communicating federal requirements, Compliance cannot provide assurance that Social Services adequately monitors all its subrecipients to ensure they are achieving program objectives or complying with federal requirements. Compliance was unable to finalize the monitoring plan and communicate responsibilities to monitoring coordinators because it did not dedicate the resources necessary to implement corrective action. Compliance should allocate resources to finalize the Agency Monitoring Plan to properly address subrecipient monitoring responsibilities. Additionally, Compliance should communicate the Agency Monitoring Plan to Subrecipient Monitoring Coordinators within each division of Social Services. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-014: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0

Benefit Programs does not oversee subrecipient monitoring activities to ensure monitoring activities are conducted in accordance with its monitoring plan. During the fiscal year, Benefit Programs disbursed approximately $312 million in subaward payments from the Supplemental Nutrition Assistance Program (SNAP) and Medicaid Clusters and the LIHEAP and TANF federal grant programs. During the audit, we noted the following deviations from Benefit Programs' monitoring plan:

- Benefit Programs created a monitoring plan to comply with Social Services' Agency Monitoring Plan. Regional consultants, who perform subrecipient monitoring activities, created their own subrecipient monitoring schedules that were not consistent with Benefit Programs' monitoring schedule.
- Benefit Programs did not confirm that fiscal year 2022 monitoring review records uploaded to its data repository were complete. Some of the missing records included the agency notification letter, case selection sample, and subrecipient monitoring checklist.
- At the beginning of audit fieldwork, the data repository did not contain all subrecipient monitoring reviews performed during the fiscal year. The Subrecipient Monitoring Coordinator subsequently obtained and uploaded the remaining subrecipient monitoring reviews to Benefit Programs' data repository. The data repository only included the following subrecipient monitoring reviews at the time of the audit:
  - 12 of 25 (48%) reviews performed for the LIHEAP federal grant program;
  - 22 of 73 (30%) reviews performed for the SNAP Cluster;
  - 13 of 62 (21%) reviews performed for the Medicaid Cluster; and
  - nine of 62 (15%) reviews performed for the TANF federal grant program.

Benefit Programs only completed 25 of the 67 (37%) scheduled reviews for the LIHEAP federal grant program. Benefit Programs did not identify these issues because its monitoring plan did not clearly delineate who was responsible for overseeing subrecipient monitoring activities. As a result, no one in Benefit Programs was overseeing subrecipient monitoring activities.

Title 2 CFR § 200.332(d) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the pass-through entity uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conduct monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with 2 CFR § 200.332(d).

In March 2022, Benefit Programs created a Subrecipient Monitoring Coordinator position to oversee its monitoring activities. The Subrecipient Monitoring Coordinator is working with Benefit Programs' Associate Director for Operations and Support to confirm that Benefit Programs' monitoring plan meets federal requirements. Benefit Programs should continue its efforts to confirm that it conducts monitoring activities in accordance with its monitoring plan.
Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-016: Evaluate Subrecipients' Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0

Benefit Programs continues to not evaluate subrecipients' risk of noncompliance with federal regulations related to the administration of the SNAP and Medicaid Clusters and the TANF and LIHEAP federal grant programs. Benefit Programs develops its subrecipient monitoring approach using the size of the subrecipient; however, it does not perform any further risk assessment procedures to determine the monitoring approach. Social Services disbursed approximately $312 million to subrecipients from these federal programs during the fiscal year.

Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Further, 2 CFR § 200.332(b) suggests that pass-through entities should consider the results of previous audits, subrecipient's prior experience with the same or similar subawards, and whether the subrecipient has new personnel or new or substantially changed systems.

Benefit Programs developed a corrective action plan to perform risk assessment procedures to comply with 2 CFR § 200.332(b); however, Benefit Programs was unable to implement corrective action due to staff turnover. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipient as necessary to ensure that the pass-through entity used the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Benefit Programs should continue its corrective action efforts to implement a risk assessment process for subrecipients that is consistent with federal regulations and ensure that its monitoring efforts are consistent with the results of its risk assessment.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-018: Continue Strengthening Process over Medicaid Coverage Cancellations
Applicable to: Department of Medical Assistance Services; Department of Social Services
Prior Year Finding Number: 2021-067
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Eligibility - 42 CFR § 433.400(d)
Known Questioned Costs: $0

The Department of Medical Assistance Services (Medical Assistance Services) continues to oversee the review of individuals with an out-of-state address in the Medicaid claims processing module of the Medicaid management system who may no longer be eligible for Medicaid coverage. Based on data from our prior year finding, Medical Assistance Services, with assistance from Social Services, reviewed cases with an out-of-state address and subsequently closed approximately 6,700 cases and recouped $40.1 million in Managed Care Organization (MCO) payments. Medical Assistance Services further reviewed additional cases related to fiscal year 2022 and, as of November 2022, had identified an additional 8,500 cases for closure and recouped an additional $43.4 million in MCO payments. These efforts are ongoing, as research is in progress for approximately 4,700 cases; however, Medical Assistance Services anticipates completing the review of these cases by December 2022.

Medicaid eligibility is based on several financial and non-financial requirements. Section 12VAC30-40-10 of the Virginia Administrative Code lays out the general conditions of eligibility that an individual must satisfy to enroll in the Medicaid program. One of the non-financial requirements is that the individual be a state resident.
In Spring 2020, with the onset of the Public Health Emergency (PHE), the federal government modified the program requirements and, based on the Families First Coronavirus Response Act § 6008(b)(3), states cannot cancel Medicaid coverage during the PHE except in the following situations: an individual's death, an individual requests cancellation of coverage, or an individual relocates to another state. To ensure compliance with these requirements, Medical Assistance Services began reviewing coverage cancellation information monthly to ensure cancellations of coverage only occurred for allowable reasons during the PHE. Under the process, Medical Assistance Services reviewed cancellation codes in the eligibility system and reinstated coverage for those cases that did not meet certain cancellation reasons. For this process to be effective, Medical Assistance Services was relying on correct cancellation codes in the eligibility system; however, for the cases identified, the eligibility system produced a generic cancellation code, causing Medical Assistance Services to reinstate the Medicaid coverage although the individual may have no longer been eligible for coverage.

Medical Assistance Services has undertaken significant efforts to address this issue. Medical Assistance Services staff, along with Social Services and other contracted staff, have performed detailed eligibility reviews of over 17,000 individual cases. In addition to these reviews, Medical Assistance Services has worked with Social Services to ensure it correctly records future coverage cancellations related to relocations to another state in the eligibility system. As of June 2022, Social Services programmed the eligibility system to return a specific cancellation code for relocating out of Virginia instead of a generic cancellation code.
While this system change should reduce the number of cases that Medical Assistance Services reinstates when an individual has moved out of state, Medical Assistance Services has also implemented a new quarterly review process to identify individuals who may have relocated out of state and may no longer be eligible for Medicaid coverage. We encourage Medical Assistance Services, along with Social Services, to continue with these efforts to ensure only eligible individuals are receiving Medicaid benefits. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
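The control described in this finding is a filter whose correctness depends entirely on the fidelity of one field, the cancellation code; a generic code turned legitimate out-of-state closures into reinstatements. The example below is added for this page and is not code from either agency or from the eligibility system. It models the monthly reinstatement review, shows the effect of the generic code before and after the June 2022 change, and adds the kind of address-based quarterly check the finding describes, which does not depend on the code at all. The code names (DECEASED, MEMBER_REQUEST, MOVED_OUT_OF_STATE, GENERIC), the record layout and the case records are constructed for illustration.

```python
from dataclasses import dataclass

# Allowable reasons to cancel coverage during the PHE (FFCRA § 6008(b)(3), as summarised in the finding).
# The code values themselves are assumed names, not the eligibility system's actual codes.
ALLOWED_CANCELLATION_CODES = {"DECEASED", "MEMBER_REQUEST", "MOVED_OUT_OF_STATE"}
GENERIC_CODE = "GENERIC"  # stands in for the non-specific code the system emitted before June 2022
HOME_STATE = "VA"


@dataclass(frozen=True)
class Cancellation:
    """A coverage cancellation as it might appear in a monthly extract (constructed layout)."""
    case_id: str
    code: str
    address_state: str  # two-letter state on the case record, independent of the code


def monthly_reinstatement_review(cancellations):
    """Mirror the monthly review: reinstate any case not cancelled for an allowed reason.

    With a generic code the review cannot tell a relocation from an unknown reason, so it
    reinstates both; that is the failure mode the finding describes.
    """
    return sorted(c.case_id for c in cancellations if c.code not in ALLOWED_CANCELLATION_CODES)


def quarterly_out_of_state_check(cases, home_state=HOME_STATE):
    """Independent check keyed on the address rather than the cancellation code.

    Flags cases whose recorded address is outside the home state so they can be researched,
    regardless of how (or whether) the cancellation was coded.
    """
    return sorted(c.case_id for c in cases if c.address_state.upper() != home_state)


def demo():
    """Constructed cases: C-2 really moved to NC but was coded generically before the change."""
    before_change = [
        Cancellation("C-1", "DECEASED", HOME_STATE),       # allowed reason, stays closed
        Cancellation("C-2", GENERIC_CODE, "NC"),           # relocation hidden behind the generic code
        Cancellation("C-3", GENERIC_CODE, HOME_STATE),     # genuinely unknown reason, reinstating is correct
    ]
    after_change = [
        Cancellation("C-2", "MOVED_OUT_OF_STATE", "NC"),   # specific code now emitted for relocations
        Cancellation("C-3", GENERIC_CODE, HOME_STATE),
    ]
    reinstated_before = monthly_reinstatement_review(before_change)  # C-2 wrongly reinstated
    reinstated_after = monthly_reinstatement_review(after_change)    # only C-3 reinstated
    # Running the address check over the reinstated population catches C-2 even under the old coding.
    caught_by_quarterly_check = quarterly_out_of_state_check(
        [c for c in before_change if c.case_id in reinstated_before]
    )
    return reinstated_before, reinstated_after, caught_by_quarterly_check


if __name__ == "__main__":
    print(demo())
```

The design point for anyone building a similar control: a review that only consumes the signal produced by the system being reviewed inherits that system's blind spots, so a second check drawn from an independent field (here the address) is what turns a coding defect into a findable exception rather than a silent reinstatement.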
2022-022: Improve Information Security Program and IT Governance
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Information Security Roles and Responsibilities
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services has an insufficient governance structure to manage and maintain its information security program in accordance with the Commonwealth's Information Security Standard, SEC 501 (Security Standard). Specifically, Social Services does not assess information security requirements for its information technology (IT) projects and prioritize information security and IT resources to ensure its information security program effectively protects sensitive Commonwealth data in accordance with the Security Standard. Social Services uses numerous IT systems to carry out its mission and provide essential services to the public. The Security Standard, Section 2.4.2, requires the agency head to maintain an information security program that is sufficient to protect the agency's IT systems and to ensure the information security program is documented and effectively communicated.

We communicated the internal control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to its sensitivity and description of security controls. The internal control weaknesses described in the communication marked FOIAE are the result of Social Services not assessing information security requirements prior to project implementation or prioritizing information security within the IT environment.
Not prioritizing IT resources to properly manage its information security program can result in a data breach or unauthorized access to confidential and mission critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external. Additionally, not dedicating the necessary IT resources to information security has hindered Social Services' ability to remediate findings from management recommendations issued throughout prior audits consistently and timely and bring the information security program in compliance with the Security Standard. Because of the scope of this matter, we consider it to be a material weakness in internal control. Social Services should evaluate the most efficient and effective method to bring its IT and security program into compliance with the Security Standard. Social Services should also evaluate its IT resource levels to ensure sufficient resources are available and dedicated to prioritizing and implementing IT governance changes and address the internal control deficiencies discussed in the communication marked FOIAE. Implementing these recommendations will help to ensure Social Services protects the confidentiality, integrity, and availability of its sensitive and mission critical data. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-024: Improve Information Security Program and Controls
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2021-024; 2020-024
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Access Control; Awareness and Training; Incident Response; Information Security Roles and Responsibilities; Personnel Security; Planning; Risk Assessment; Security Assessment and Authorization; System and Services Acquisition
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services continues to address weaknesses found during an audit of IT general controls. The audit performed by an external consultant during the period April 1, 2019, through March 31, 2020, resulted in 71 individual control weaknesses out of 100 controls tested, which the consultant grouped in ten findings. As of the end of fiscal year 2022, Medical Assistance Services resolved one of the ten findings and continues to make progress with nine remaining findings, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. Noncompliance with the required security controls increases the risk for unauthorized access to mission-critical systems and data in addition to weakening the agency's ability to respond to malicious attacks to its IT environment. Medical Assistance Services has experienced delays in addressing these findings due to staffing turnover and shortages as well as organizational changes that affected some of its processes.
Medical Assistance Services updated its corrective action plan in June 2022, stating corrective actions are still ongoing for all nine findings and estimates it will complete corrective action for eight of the findings by the end of calendar year 2022 and the last finding by June 2023. Medical Assistance Services should continue to dedicate the necessary resources to ensure timely completion of its corrective action plans and to comply with the Security Standard. These actions will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-029: Improve Web Application Security
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-025; 2020-026; 2019-037
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability; Configuration Management; Risk Assessment; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to not configure a sensitive web application in accordance with the Security Standard. Since the prior audit, Social Services has not remediated any of the previously identified weaknesses. We communicated the weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. The Security Standard requires implementing certain internal controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Social Services cannot ensure adequate protection of its sensitive and mission-critical data without configuring its sensitive web application in accordance with the Security Standard. Lacking or insufficient procedures and processes to manage the web application contributed to the five weaknesses outlined in the separate FOIAE document. Social Services' prioritization of other projects also contributed to the weaknesses persisting. Social Services should dedicate the necessary resources to remediate the weaknesses discussed in the communication marked FOIAE in accordance with the requirements in the Security Standard.
Implementing required controls will help to ensure Social Services secures the web application to protect its sensitive and mission-critical data. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-030: Continue Improving IT Risk Management Program
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-026; 2020-027; 2019-063; 2018-025
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Contingency Planning; Planning; Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to not have a formal and effective IT risk management program that aligns with the requirements in the Security Standard. Since we first issued this finding during the fiscal year 2018 audit, Social Services remediated some risk management and contingency planning issues. However, Social Services continues to not:
• accurately verify and validate data and system sensitivity ratings;
• create risk assessments for 50 percent of its sensitive systems;
• create system security plans for 52 percent of its sensitive systems;
• perform annual reviews for 99 percent of its existing risk assessment documentation;
• perform annual reviews for 74 percent of its existing system security plan documentation; and
• implement corrective actions identified in risk assessments.

We communicated the details of these weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Due to the magnitude of the project, Social Services has not yet remediated all the weaknesses.
Additionally, the requirements documented in the policy and the process documented in the procedure do not align, which contributed to Social Services not consistently completing risk management documentation due to conflicting roles and responsibilities. Without implementing a formal and effective IT risk management program, Social Services cannot assure itself that it is reducing unnecessary risk to the confidentiality, integrity, and availability of its information systems and data. Social Services should prioritize and dedicate the necessary resources to remediate the weaknesses discussed in the communication marked FOIAE in accordance with the requirements in the Security Standard. Completing its corrective action plan will help to ensure the confidentiality, integrity, and availability of the agency's sensitive systems and mission-essential functions. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-052: Continue Improving IT Change and Configuration Management Process
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-049; 2020-044; 2019-038
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Configuration Management
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to improve its IT change and configuration management process to align with the Security Standard. Change management is a key control to evaluate, approve, and verify configuration changes to security components. Two weaknesses remain since our last review, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. Social Services' Change Management Process Guide details the process Social Services follows to manage changes but does not include all the required elements, which contributed to the weaknesses remaining. Additionally, the change request form does not have the necessary fields to document the required elements. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Without these controls, Social Services cannot assure itself that it is reducing unnecessary risk to the confidentiality, integrity, and availability of its information systems and data. Social Services should resolve the remaining two weaknesses discussed in the communication marked FOIAE in accordance with the Security Standard.
Continuing to improve Social Services' IT change and configuration management process will decrease the risk of unauthorized modifications to sensitive systems and help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-057: Improve Timely Removal of Critical System Access
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2021-037; 2020-049; 2019-024; 2018-040; 2017-016
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Personnel Security
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services did not remove access to the claims processing module or the eligibility system timely for individuals who separated from the agency and no longer needed access. For one out of eight (12.5%) users, Medical Assistance Services did not disable system access in the claims processing module within 24 hours of separation. The user retained their system access for 11 days after separation. For three out of 25 (12%) users, Medical Assistance Services did not disable system access in the eligibility system within 24 hours of separation. These three users were contract employees and retained their access to the system between 104 and 123 days after separation. Medical Assistance Services' Access Control Policy requires that "all user accounts must be disabled immediately upon separation or within 24 hours upon receipt by the Office of Compliance and Security" (Compliance and Security). Failing to disable access timely for web-based mission-critical systems threatens the data integrity of the systems. If separated users retain access to the claims processing module or the eligibility system, users are potentially able to view, copy, and edit sensitive information. There are several factors contributing to this issue.
First, Medical Assistance Services' internal policy is not in compliance with the Security Standard. The Security Standard requires agencies disable access within 24 hours of separation, not within 24 hours of receipt of notification. Additionally, supervisors are not communicating information on separated employees timely. A separating employee's supervisor must initiate an exit clearance workflow for the system to automatically notify Compliance and Security for removal of system access. For the user of the claims processing module, the supervisor requested access termination more than 24 hours after the employee's separation. Finally, for the three users of the eligibility system, Compliance and Security received the access termination request timely but did not terminate access for more than 24 hours after receipt. In June 2022, Medical Assistance Services implemented several organizational changes, including dissolving Compliance and Security. The responsibility for system access management moved to the division responsible for the system and its applicable business function. Medical Assistance Services is currently updating its internal Access Control policy to ensure it is consistent with the Security Standard and organizational updates. Medical Assistance Services expects to complete the policy and process updates in December 2022. Medical Assistance Services should also train and educate supervisors on the importance of timely notification of separated employees. Finally, Medical Assistance Services should ensure compliance with the Security Standard by removing user access as required. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-059: Monitor Internal Controls to Ensure Timely Removal of System Access
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-038; 2021-027; 2020-025; 2019-027; 2018-042
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Personnel Security
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services did not comply with the Security Standard requirements for removing system access for separated employees. For 13 of the 26 (50%) separations tested from fiscal year 2022, Social Services did not remove system access within 24 hours following each employee's separation date. Untimely removal of access ranged between two and 290 days after each employee's separation date. Section PS-4 of the Security Standard requires an organization to disable information system access within 24 hours of employment termination. To comply with the Security Standard, Social Services created a policy in Section 2.9 of its State/Local Security Officers Procedures Manual (Manual) that requires supervisors to complete the State Employee Separation and Transfer Checklist (Separation Checklist) at least 48 hours in advance of the employee's separation and submit it to the Division Security Officer. The Division Security Officer must then remove the separated employee from Social Services' access management system, which controls access to its internal systems, within 24 hours following the employee's separation date.
Upon completion, the Division Security Officer is responsible for submitting the Separation Checklist to other Divisions, such as the Division of Human Resources (Human Resources) and the Central Security Office (Central Security), to make them aware of the separation. Social Services does not appear to monitor compliance with internal policies surrounding access removal for separated employees. Of the 13 employees with access removed more than 24 hours after their separation dates:
• We noted four instances where Social Services was unable to provide the Separation Checklist. As a result, Social Services was unable to demonstrate compliance with its internal policies surrounding access removal for separated employees.
• Of the remaining nine employees with completed Separation Checklists, we noted nine instances of untimely or inaccurate supervisor sign-offs. Specifically, there were seven instances where the supervisor did not submit the Separation Checklist to the Division Security Officer at least 48 hours in advance of the employee's date of separation and two instances where the supervisor did not properly sign off and date the Separation Checklist.

Social Services administers numerous public assistance programs that collect personally identifiable information and other protected information from beneficiaries. Social Services places its data and reputation at risk by not removing access timely. Additionally, Social Services could incur a potential financial liability should its information become compromised. The Security Standard states that the Agency Head is responsible for security of the agency's IT systems and data.
Since Human Resources, Central Security, and the Division Security Officers share ownership of the employee separation and access removal processes, Social Services' Executive Team should identify which division in the agency should be responsible for monitoring compliance with internal policies surrounding access removal for separated employees. Social Services' Executive Team should periodically review the monitoring results and take enforcement actions, as necessary, if the agency is not compliant. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
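Findings 2022-057 and 2022-059 above both turn on the same two measurements: whether access was disabled within 24 hours of the separation date itself (Security Standard PS-4), as opposed to within 24 hours of the security office receiving the request, and whether the supervisor's Separation Checklist was submitted at least 48 hours before separation. The following is an added illustration of how a monitoring function could test separation records against both requirements and roll the results up the way the findings report them; it is not code from the APA report or from either agency, and the record layout, field names, the "today" date and all sample records are constructed for the example.

```python
"""
Added illustration, not code from the APA report or from either agency: checks
separation records against the 24-hour access-removal requirement (measured from
separation, and separately from notification) and the 48-hour Separation
Checklist lead time. Field names, dates and the records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DISABLE_DEADLINE = timedelta(hours=24)     # Security Standard PS-4: disable within 24 hours of separation
CHECKLIST_LEAD_TIME = timedelta(hours=48)  # Social Services Manual 2.9: checklist 48 hours before separation
AS_OF = datetime(2022, 5, 10, 17, 0)       # constructed "today", used for accounts that are still active


@dataclass
class SeparationRecord:
    user: str
    separated_at: datetime
    notified_at: Optional[datetime]             # when the security office received the removal request
    disabled_at: Optional[datetime]             # when the account was disabled; None = still active
    checklist_submitted_at: Optional[datetime]  # when the supervisor submitted the Separation Checklist


def evaluate(rec: SeparationRecord, as_of: datetime = AS_OF) -> dict:
    """Measure one record against both the 24-hour and the 48-hour requirements."""
    end = rec.disabled_at or as_of
    retained = end - rec.separated_at
    # A policy that counts the 24 hours from receipt of the request (as the Medical
    # Assistance Services policy did) can be met while the Security Standard,
    # which counts from the separation itself, is not.
    within_notification = rec.notified_at is not None and end - rec.notified_at <= DISABLE_DEADLINE
    return {
        "user": rec.user,
        "still_active": rec.disabled_at is None,
        "days_retained": retained.days,
        "within_24h_of_separation": retained <= DISABLE_DEADLINE,
        "within_24h_of_notification": within_notification,
        "checklist_missing": rec.checklist_submitted_at is None,
        "checklist_late": rec.checklist_submitted_at is not None
        and rec.separated_at - rec.checklist_submitted_at < CHECKLIST_LEAD_TIME,
    }


def summarize(records, as_of: datetime = AS_OF) -> dict:
    """Roll the per-record results up the way an auditor reports them (x of n, %)."""
    results = [evaluate(r, as_of) for r in records]
    late = [r for r in results if not r["within_24h_of_separation"]]
    return {
        "tested": len(results),
        "late_removals": len(late),
        "late_pct": round(100 * len(late) / len(results)) if results else 0,
        "still_active": sum(r["still_active"] for r in results),
        "longest_retention_days": max((r["days_retained"] for r in late), default=0),
        "checklist_missing": sum(r["checklist_missing"] for r in results),
        "checklist_late": sum(r["checklist_late"] for r in results),
        # records a receipt-based policy would accept but the Security Standard would not
        "passes_internal_policy_only": sum(
            r["within_24h_of_notification"] and not r["within_24h_of_separation"] for r in results
        ),
    }


# Constructed sample records (not from the report).
SAMPLE_RECORDS = [
    # disabled 17 hours after separation: compliant on both measures
    SeparationRecord("alice", datetime(2022, 3, 1, 17), datetime(2022, 3, 1, 12),
                     datetime(2022, 3, 2, 10), datetime(2022, 2, 25, 9)),
    # supervisor notified three days late, access kept 11 days, no checklist on file
    SeparationRecord("bob", datetime(2022, 3, 4, 17), datetime(2022, 3, 7, 9),
                     datetime(2022, 3, 15, 17), None),
    # disabled 6 hours after notification (meets a receipt-based policy) but
    # almost three days after separation; checklist submitted only 7 hours ahead
    SeparationRecord("carol", datetime(2022, 4, 1, 17), datetime(2022, 4, 4, 9),
                     datetime(2022, 4, 4, 15), datetime(2022, 4, 1, 10)),
    # notified promptly, never disabled: still active 120 days later
    SeparationRecord("dave", datetime(2022, 1, 10, 17), datetime(2022, 1, 10, 17, 30),
                     None, datetime(2022, 1, 7, 9)),
]

if __name__ == "__main__":
    for row in (evaluate(r) for r in SAMPLE_RECORDS):
        print(row)
    print(summarize(SAMPLE_RECORDS))
```

The `passes_internal_policy_only` count is the case finding 2022-057 describes: an agency policy that starts the clock at receipt of the request will report such a record as compliant, so a monitoring report should always show the separation-based figure alongside it.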
2022-060: Upgrade End-of-Life Technology
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services uses end-of-life technologies in its IT environment and maintains technologies that support mission-essential data on IT systems that its vendors no longer support. We communicated internal control weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. The Security Standard prohibits using software that is end-of-life and which the vendor no longer supports to reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Social Services does not assign an individual or team with the responsibility to track end-of-life software dates and does not have a formal process to ensure that it upgrades software versions prior to the end-of-life date, which caused the end-of-life software to remain in the environment. Social Services' use of the end-of-life software increases the risk that known vulnerabilities will persist in the system without the potential for patching or mitigation. These unpatched vulnerabilities increase the risk of successful cyberattack, exploit, and data breach by malicious parties.
Further, vendors do not offer operational and technical support for end-of-life or end-of-support technology, which affects data availability by increasing the difficulty of restoring system functionality if a technical failure occurs. Social Services should dedicate the necessary resources to evaluate and implement the internal controls and recommendations discussed in the communication marked FOIAE in accordance with the Security Standard. Minimizing the use of end-of-life software will help to ensure that Social Services secures its IT environment and systems to protect its sensitive and mission-critical data. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-064: Continue Developing Record Retention Requirements and Processes for Electronic Records
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-047; 2020-041; 2019-049; 2018-054
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Contingency Planning
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to operate without an adequate data retention process for its case management system. Social Services' case management system authorized over $10 billion in benefit payments from various public assistance programs to beneficiaries during fiscal year 2022. We communicated this weakness to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. Since fiscal year 2019, Social Services gathered retention requirements from the business divisions. During the fiscal year, Social Services finalized and documented policies with retention requirements. However, Social Services has not developed, documented, and implemented a policy, procedure, and process to operationalize the record retention requirements needed. Federal regulations require different record retention requirements for different federal programs. Additionally, the Virginia Public Records Act (§ 42.1-91 of the Code of Virginia) requires each agency to be responsible for ensuring that it preserves, maintains, and makes accessible public-facing records throughout their lifecycle, including converting and migrating electronic records as often as necessary so that information is not lost due to hardware, software, or media obsolescence or deterioration. Further, the Security Standard, Section CP-9-COV, requires the agency implement backup and restoration plans for every IT system identified as sensitive relative to availability that address the retention of the data in accordance with the records retention policy. Without developing, documenting, and implementing a policy, procedure, and process to operationalize record retention requirements, Social Services increases data risk and increases potential exposure to fines, penalties, or other legal consequences. Additionally, Social Services may cause the Commonwealth to spend additional resources to maintain, back up, and protect the information. Social Services should develop and implement a records retention policy and procedure that defines its requirements and processes to ensure that consistent record retention processes can be operationalized across business divisions to ensure compliance with laws and regulations. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-066: Conduct Audits of Agency Sensitive Systems Timely
Applicable to: Virginia Information Technologies Agency
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

VITA's Centralized IT Security Audit Service (Audit Services) conducts IT security audits for contracted agencies. The Commonwealth's Information Technology Security Audit Standard, SEC 502 (Security Audit Standard), Section 2.1, requires agencies to complete security audits for each sensitive system every three years from the last audit completion date. Based on our review of audit completion dates provided by Audit Services, we determined the following:
• During fiscal year 2022, Audit Services completed four of six agency IT security audits after the three-year audit deadline.
• As of June 30, 2022, Audit Services is currently engaged, or has not started, ten agency IT security audits that are past the three-year audit requirement.

When an agency contracts with Audit Services, the agency head or designee signs a Memorandum of Understanding (MOU) which outlines the scope of work and pricing. It is the agency's responsibility to ensure the MOU includes all sensitive systems requiring a security audit. A properly defined MOU allows Audit Services to properly price and schedule the security audit. Audit Services audits all the systems in scope for an agency at the same time and issues one audit report covering all systems in scope per the MOU. Audit Services should consider adding information to the MOU related to audit deadlines or planned timeframe for the audit.
This added communication will ensure all parties understand when Audit Services plans to complete the audits. Additionally, more information regarding audit timing will allow agencies to determine if they need to obtain a separate audit for specific systems to ensure those systems remain compliant with the Security Audit Standard between the date of the MOU and the anticipated deadline set by Audit Services. Of the four audits Audit Services completed late during fiscal year 2022, two of the delays are due to the agencies requesting postponements. Additionally, of the ten audits that were already late as of June 30, 2022, two are due to agency-requested postponements. The remaining late audits are primarily due to resource constraints within Audit Services. Audit Services should regularly monitor its audit workplan to ensure audit staff complete all IT security audits by the required deadlines. Additionally, Audit Services should evaluate its staffing levels and assess if VITA should contract with an outside audit firm to aid in completing IT security audits. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-090: Improve Third-Party Oversight Process
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services does not have a formal and consistent process for maintaining oversight for three of its IT third-party service providers (providers) that manage and support the Medicaid management system. As a result of an informal and inconsistent process, Medical Assistance Services did not verify or implement three controls required by the Hosted Environment Security Standard. We communicated the three weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. Without a formal and consistent process to maintain oversight of its providers, Medical Assistance Services cannot validate whether its providers implement the security controls that meet the requirements in the Hosted Environment Security Standard to protect the agency's sensitive and mission-critical data. While Medical Assistance Services has a formal IT Third Party and Vendor Compliance Management Policy, effective as of December 31, 2021, the agency experienced turnover in its ISO position in June 2022 before the development of a formal procedure. As a result, Medical Assistance Services did not consistently maintain oversight of its providers in accordance with the Hosted Environment Security Standard.
Medical Assistance Services should dedicate the necessary resources to develop a formal procedure to maintain oversight of its providers in accordance with its policy and the Hosted Environment Security Standard. Medical Assistance Services should also dedicate the necessary resources to implement and consistently perform the formal oversight process, which will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-100: Continue to Ensure ITISP Suppliers Meet all Contractual Requirements
Applicable to: Virginia Information Technologies Agency
Prior Year Finding Number: 2021-023; 2020-070
Type of Finding: Internal Control
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Although VITA is monitoring and enforcing the contractual requirements each month, as of June 2022, there were still cases of Information Technology Infrastructure Services Program (ITISP) suppliers not meeting the minimum requirements. When ITISP suppliers do not meet all contractual requirements (e.g., key measures, critical service levels, deliverables), it impacts the ability of Commonwealth agencies that rely on the ITISP services to comply with the Security Standard. The Security Standard is a baseline for information security and risk management activities for Commonwealth agencies. Many agencies rely on services provided through the ITISP suppliers to ensure compliance with the Security Standard. For example, the Security Standard requires the installation of security-relevant software updates within 90 days of release (Security Standard Section: SI-2 Flaw Remediation). Commonwealth agencies rely on the ITISP suppliers for the installation of security patches in systems that support agencies' operations. Our audits at various agencies for fiscal year 2022 found critical and highly important security patches that were past the 90-day Security Standard requirement. The systems missing critical security updates are at an increased risk of successful cyberattack, exploit, and data breach by malicious parties.
Additionally, the Security Standard requires agencies to review and analyze audit records at least every 30 days for indications of inappropriate or unusual activity (Security Standard Section: AU-6 Audit Review, Analysis, and Reporting). Our audits of various agencies for fiscal year 2022 found that agencies rely on the ITISP suppliers to provide access to a centralized monitoring tool that collects audit log information about activities in the IT environment. Certain agencies were unable to obtain access to the audit log information during fiscal year 2022, and thus were not able to comply with the Security Standard requirements related to audit log monitoring. Although the supplier was performing audit logging and monitoring, only a select few agencies have access to the monitoring tool while the supplier is pilot testing the tool. The Commonwealth's risk associated with data confidentiality, integrity and availability increases with agencies not being able to review and monitor their individual audit logs. During fiscal year 2022, VITA and the Multisource Service Integrator (MSI) evaluated the current service level measurements to ensure they align with the Commonwealth's needs. As of December 2022, VITA and the MSI are implementing changes to the service level related to security and vulnerability patching. The changes to this service level include establishing a Common Vulnerabilities and Exposures (CVE) threshold. The new security and vulnerability patching service level will require the ITISP suppliers to install any patch with a CVE score above the threshold within 90 days. VITA continues to work with the managed security supplier to address the agencies' inability to access the audit log information. The supplier replaced the original security incident and event management system with a new managed detection and response (MDR) platform. Currently, only a small number of agencies are piloting the new MDR system. 
VITA should document the rationale for all changes to the service levels, including the basis for the CVE score threshold selected, and continually reevaluate the service levels as risks change. To ensure all agencies that rely on the ITISP services can comply with the Security Standard, VITA should ensure ITISP suppliers meet all contractual requirements (e.g., key measures, critical service levels, deliverables). To aid in determining which requirements have Security Standard implications, VITA should crosswalk contractual requirements to the Security Standard. A crosswalk will help in identifying which requirements, if not met, could put an agency at risk per the Security Standard. If VITA determines an ITISP supplier is not meeting a contractual requirement that may have a Security Standard implication, VITA should communicate with the affected agencies and provide guidance on compensating controls and processes the agencies should implement to reduce risk while the suppliers work to meet the requirements of the contract. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
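As an added example, not part of the APA report or of any VITA or supplier tooling, the script below evaluates constructed patch and audit-log review records against the clauses this finding cites: SI-2 (security-relevant updates installed within 90 days of release), the planned score-based patching service level (patches at or above a CVE score threshold installed within 90 days), and AU-6 (audit records reviewed at least every 30 days). The threshold value of 7.0, the record layout and all sample data are assumptions; the report does not state the threshold VITA selected.

```python
"""Added example, not from the APA report or VITA: checks constructed patch and
audit-log review records against the Security Standard clauses cited in the
finding (SI-2, AU-6) and the planned ITISP patching service level.
The CVE score threshold, the record layout and all sample data are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

SI2_WINDOW_DAYS = 90    # SI-2 Flaw Remediation: updates installed within 90 days of release
AU6_REVIEW_DAYS = 30    # AU-6: audit records reviewed at least every 30 days
CVE_THRESHOLD = 7.0     # ASSUMED value; the report does not state the threshold VITA selected


@dataclass(frozen=True)
class PatchRecord:
    system: str                 # agency system the ITISP supplier patches
    patch_id: str               # constructed label, not a real CVE identifier
    cvss: float                 # CVE/CVSS base score of the flaw the patch addresses
    released: date              # vendor release date of the patch
    installed: Optional[date]   # None when the supplier has not installed it yet


@dataclass(frozen=True)
class PatchException:
    system: str
    patch_id: str
    cvss: float
    days_outstanding: int   # release -> install, or release -> as_of if still missing
    above_threshold: bool   # True if the score-based service level would also catch it


def patch_exceptions(records: List[PatchRecord], as_of: date,
                     threshold: float = CVE_THRESHOLD,
                     window: int = SI2_WINDOW_DAYS) -> List[PatchException]:
    """Return patches not installed within `window` days of release.
    SI-2 applies to every security-relevant update regardless of score; the
    above_threshold flag shows which of these the score-based service level
    would require the supplier to install, and which it would miss."""
    out = []
    for r in records:
        end = r.installed if r.installed is not None else as_of
        age = (end - r.released).days
        if age > window:
            out.append(PatchException(r.system, r.patch_id, r.cvss, age, r.cvss >= threshold))
    return out


def audit_review_gaps(review_dates: List[date], period_start: date, as_of: date,
                      interval: int = AU6_REVIEW_DAYS) -> List[Tuple[date, date]]:
    """Return (from, to) spans longer than `interval` days with no audit-log review.
    An agency with no access to the monitoring tool has an empty review list,
    which yields one gap covering the whole period rather than a clean result."""
    gaps = []
    prev = period_start
    for d in sorted(review_dates):
        if (d - prev).days > interval:
            gaps.append((prev, d))
        prev = d
    if (as_of - prev).days > interval:
        gaps.append((prev, as_of))
    return gaps


def affected_systems(exceptions: List[PatchException]) -> List[str]:
    """Systems whose owning agency would need notice to apply compensating controls."""
    return sorted({e.system for e in exceptions})


# Constructed sample data (not audit evidence); fiscal year 2022 ends 30 June 2022.
AS_OF = date(2022, 6, 30)
PERIOD_START = date(2022, 1, 1)
SAMPLE_PATCHES = [
    PatchRecord("AgencyA-ERP", "PATCH-1", 9.8, date(2022, 1, 15), date(2022, 2, 10)),  # 26 days
    PatchRecord("AgencyA-ERP", "PATCH-2", 8.1, date(2022, 2, 1), None),                # 149 days, open
    PatchRecord("AgencyB-Web", "PATCH-3", 5.5, date(2022, 2, 20), date(2022, 6, 1)),   # 101 days
    PatchRecord("AgencyC-DB", "PATCH-4", 7.2, date(2022, 4, 5), date(2022, 6, 20)),    # 76 days
]
SAMPLE_REVIEWS: Dict[str, List[date]] = {
    "AgencyA": [date(2022, 1, 10), date(2022, 2, 5), date(2022, 3, 30), date(2022, 6, 15)],
    "AgencyB": [],   # no access to the monitoring tool during the period
}

if __name__ == "__main__":
    found = patch_exceptions(SAMPLE_PATCHES, AS_OF)
    for e in found:
        level = "service level + SI-2" if e.above_threshold else "SI-2 only"
        print(f"{e.system} {e.patch_id} CVSS {e.cvss}: {e.days_outstanding} days ({level})")
    print("notify:", affected_systems(found))
    for agency, dates in SAMPLE_REVIEWS.items():
        for start, end in audit_review_gaps(dates, PERIOD_START, AS_OF):
            print(f"{agency}: no audit-log review {start} -> {end} ({(end - start).days} days)")
```

PATCH-3 illustrates why the crosswalk matters: a score-based service level alone would not flag it, yet it still breaches SI-2 for the agency that owns the system.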
2022-011: Perform Responsibilities Outlined in the Agency Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-070; 2020-074; 2019-090; 2018-093
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.303(a)
Known Questioned Costs: $0

The Department of Social Services' (Social Services) Compliance Division (Compliance) continues to not adhere to its established approach to oversee the agency's subrecipient monitoring activities, as outlined in its Agency Monitoring Plan. During fiscal year 2022, Social Services disbursed approximately $588 million in federal funds from roughly 5,000 subawards. According to Social Services' Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps to ensure adherence to state and federal legal and regulatory standards, including subrecipient monitoring. During the audit, we noted the following deviations from the Agency Monitoring Plan:

• Compliance has not finalized the Agency Monitoring Plan and, as a result, has not communicated it to Subrecipient Monitoring Coordinators within each division of Social Services. Because of the lack of communication, there were deviations from the Agency Monitoring Plan at the division level. For example, the Agency Monitoring Plan requires each division to monitor subrecipients once every three years. However, the Local Review Team and Child Care Subsidy Program Monitoring Plans did not consider this requirement because the Subrecipient Monitoring Coordinators were unaware of it. We communicated this matter to Social Services through the audit finding titled "Finalize the Agency Monitoring Plan and Communicate Responsibilities to Subrecipient Monitoring Coordinators," which we have included as a separate audit finding in this report.

• Compliance continues to not review division monitoring plans to ensure the divisions implemented a risk-based approach for monitoring subrecipients. The Agency Monitoring Plan states that Compliance will use a monitoring plan checklist to evaluate and determine if all the required elements for subrecipient monitoring are present in each division's plan. As a result of the lack of review, the Division of Benefit Programs' (Benefit Programs) monitoring plan continues to not meet all the requirements outlined in the Agency Monitoring Plan because it does not include a risk-based approach for subrecipient monitoring and does not consider all subrecipients who receive funding from the Temporary Assistance for Needy Families (TANF) federal grant program. We communicated these matters to Social Services through the audit findings titled "Verify that Monitoring Plan Includes All Subrecipient Programmatic Activities" and "Evaluate Subrecipients' Risk of Noncompliance in Accordance with Federal Regulations," which we have included as separate audit findings in this report.

• Compliance continues to not conduct an analysis of subrecipient monitoring review efforts performed by the divisions. As a result, Compliance has not produced quarterly reports of variances and noncompliance to brief Social Services' Executive Team on the agency's subrecipient monitoring activities. Because of the lack of analysis, Compliance was unaware of deviations from the Agency Monitoring Plan occurring at the divisions. For example, Benefit Programs only completed 25 of the 67 (37%) scheduled reviews for the Low-Income Home Energy Assistance Program (LIHEAP) federal grant program. Additionally, Benefit Programs did not upload its monitoring review records to Social Services' data repository in a timely manner for management review. As a result, Compliance was unaware that Regional Consultants were deviating from Benefit Programs' monitoring plan. We communicated this matter to Social Services through the audit finding titled "Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan," which we have included as a separate audit finding in this report.

Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot provide Social Services' Executive Team with reasonable assurance that the agency complied with the pass-through entity federal requirements at 2 CFR § 200.332. Title 2 CFR § 200.303(a) requires pass-through entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Compliance planned to procure a centralized system to strengthen its monitoring activities but has been unsuccessful in its efforts and has not identified alternative approaches for carrying out the responsibilities in the Agency Monitoring Plan and discussed them with Social Services' Executive Team. Because of the scope of this matter, we consider it to be a material weakness in internal control.

Social Services' Executive Team shapes strategies, develops objectives, and collectively resolves issues that are critical to the overall agency performance. Social Services' Executive Team and Compliance should work collaboratively to determine the best approach for carrying out the responsibilities in the Agency Monitoring Plan. Additionally, Social Services' Executive Team and Compliance should hold quarterly meetings to discuss the Agency Monitoring Plan and its activities.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-012: Finalize the Agency Monitoring Plan and Communicate Responsibilities to Subrecipient Monitoring Coordinators
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-069; 2020-076
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0

Compliance has not finalized its Agency Monitoring Plan and communicated responsibilities to Subrecipient Monitoring Coordinators, as recommended during the fiscal year 2020 audit. The oversight of Social Services' subrecipient monitoring processes transitioned from the Division of Community and Volunteer Services (Community and Volunteer Services) to Compliance in fiscal year 2019. Community and Volunteer Services created the Agency Monitoring Plan, and it is now the responsibility of Compliance. However, Compliance has not updated the Agency Monitoring Plan to properly reflect agency operations over subrecipient monitoring. In effect, Compliance continues to not communicate the Agency Monitoring Plan to Subrecipient Monitoring Coordinators within each division of Social Services. During fiscal year 2022, Social Services disbursed approximately $588 million in federal funds from roughly 5,000 subawards.

Title 2 CFR § 200.332(d) requires pass-through entities to monitor the activities of subrecipients as necessary to ensure use of the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without clearly defining responsibilities and communicating federal requirements, Compliance cannot provide assurance that Social Services adequately monitors all its subrecipients to ensure they are achieving program objectives or complying with federal requirements. Compliance was unable to finalize the monitoring plan and communicate responsibilities to monitoring coordinators because it did not dedicate the resources necessary to implement corrective action.

Compliance should allocate resources to finalize the Agency Monitoring Plan to properly address subrecipient monitoring responsibilities. Additionally, Compliance should communicate the Agency Monitoring Plan to Subrecipient Monitoring Coordinators within each division of Social Services.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-014: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0

Benefit Programs does not oversee subrecipient monitoring activities to ensure monitoring activities are conducted in accordance with its monitoring plan. During the fiscal year, Benefit Programs disbursed approximately $312 million in subaward payments from the Supplemental Nutrition Assistance Program (SNAP) and Medicaid Clusters and the LIHEAP and TANF federal grant programs. During the audit, we noted the following deviations from Benefit Programs' monitoring plan:

• Benefit Programs created a monitoring plan to comply with Social Services' Agency Monitoring Plan. Regional consultants, who perform subrecipient monitoring activities, created their own subrecipient monitoring schedules that were not consistent with Benefit Programs' monitoring schedule.

• Benefit Programs did not confirm that fiscal year 2022 monitoring review records uploaded to its data repository were complete. Some of the missing records included the agency notification letter, case selection sample, and subrecipient monitoring checklist.

• At the beginning of audit fieldwork, the data repository did not contain all subrecipient monitoring reviews performed during the fiscal year. The Subrecipient Monitoring Coordinator subsequently obtained and uploaded the remaining subrecipient monitoring reviews to Benefit Programs' data repository. The data repository only included the following subrecipient monitoring reviews at the time of the audit:
  o 12 of 25 (48%) reviews performed for the LIHEAP federal grant program;
  o 22 of 73 (30%) reviews performed for the SNAP Cluster;
  o 13 of 62 (21%) reviews performed for the Medicaid Cluster; and
  o nine of 62 (15%) reviews performed for the TANF federal grant program.

• Benefit Programs only completed 25 of the 67 (37%) scheduled reviews for the LIHEAP federal grant program.

Benefit Programs did not identify these issues because its monitoring plan did not clearly delineate who was responsible for overseeing subrecipient monitoring activities. As a result, no one in Benefit Programs was overseeing subrecipient monitoring activities. Title 2 CFR § 200.332(d) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the pass-through entity uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conduct monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with 2 CFR § 200.332(d).

In March 2022, Benefit Programs created a Subrecipient Monitoring Coordinator position to oversee its monitoring activities. The Subrecipient Monitoring Coordinator is working with Benefit Programs' Associate Director for Operations and Support to confirm that Benefit Programs' monitoring plan meets federal requirements. Benefit Programs should continue its efforts to confirm that it conducts monitoring activities in accordance with its monitoring plan.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-016: Evaluate Subrecipients' Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0

Benefit Programs continues to not evaluate subrecipients' risk of noncompliance with federal regulations related to the administration of the SNAP and Medicaid Clusters and the TANF and LIHEAP federal grant programs. Benefit Programs develops its subrecipient monitoring approach using the size of the subrecipient; however, it does not perform any further risk assessment procedures to determine the monitoring approach. Social Services disbursed approximately $312 million to subrecipients from these federal programs during the fiscal year.

Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Further, 2 CFR § 200.332(b) suggests that pass-through entities should consider the results of previous audits, the subrecipient's prior experience with the same or similar subawards, and whether the subrecipient has new personnel or new or substantially changed systems. Benefit Programs developed a corrective action plan to perform risk assessment procedures to comply with 2 CFR § 200.332(b); however, Benefit Programs was unable to implement corrective action due to staff turnover. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipient as necessary to ensure that the pass-through entity used the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward.

Benefit Programs should continue its corrective action efforts to implement a risk assessment process for subrecipients that is consistent with federal regulations and ensure that its monitoring efforts are consistent with the results of its risk assessment.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-018: Continue Strengthening Process over Medicaid Coverage Cancellations
Applicable to: Department of Medical Assistance Services; Department of Social Services
Prior Year Finding Number: 2021-067
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Eligibility - 42 CFR § 433.400(d)
Known Questioned Costs: $0

The Department of Medical Assistance Services (Medical Assistance Services) continues to oversee the review of individuals with an out-of-state address in the Medicaid claims processing module of the Medicaid management system who may no longer be eligible for Medicaid coverage. Based on data from our prior year finding, Medical Assistance Services, with assistance from Social Services, reviewed cases with an out-of-state address and subsequently closed approximately 6,700 cases and recouped $40.1 million in Managed Care Organization (MCO) payments. Medical Assistance Services further reviewed additional cases related to fiscal year 2022, and as of November 2022, Medical Assistance Services had identified an additional 8,500 cases for closure and recouped an additional $43.4 million in MCO payments. These efforts are ongoing, as research is in progress for approximately 4,700 cases; however, Medical Assistance Services anticipates completing the review of these cases by December 2022.

Medicaid eligibility is based on several financial and non-financial requirements. Section 12VAC30-40-10 of the Virginia Administrative Code lays out the general conditions of eligibility that an individual must satisfy to enroll in the Medicaid program. One of the non-financial requirements is that the individual be a state resident. In spring 2020, with the onset of the Public Health Emergency (PHE), the federal government modified the program requirements, and based on the Families First Coronavirus Response Act § 6008(b)(3), states cannot cancel Medicaid coverage during the PHE except in the following situations: an individual's death, an individual's request to cancel coverage, or an individual's relocation to another state. To ensure compliance with these requirements, Medical Assistance Services began reviewing coverage cancellation information monthly to ensure cancellations of coverage only occurred for allowable reasons during the PHE. Under the process, Medical Assistance Services reviewed cancellation codes in the eligibility system and reinstated coverage for those cases that did not meet certain cancellation reasons. For this process to be effective, Medical Assistance Services was relying on correct cancellation codes in the eligibility system; however, for the cases identified, the eligibility system produced a generic cancellation code, causing Medical Assistance Services to reinstate the Medicaid coverage although the individual may no longer have been eligible for coverage.

Medical Assistance Services has undertaken significant efforts to address this issue. Medical Assistance Services staff, along with Social Services and other contracted staff, have performed detailed eligibility reviews of over 17,000 individual cases. In addition to these reviews, Medical Assistance Services has worked with Social Services to ensure it correctly records future coverage cancellations related to relocations to another state in the eligibility system. As of June 2022, Social Services programmed the eligibility system to return a specific cancellation code for relocating out of Virginia instead of a generic cancellation code. While this system change should reduce the number of cases that Medical Assistance Services reinstates when an individual has moved out of state, Medical Assistance Services has also implemented a new quarterly review process to identify individuals who may have relocated out of state and may no longer be eligible for Medicaid coverage. We encourage Medical Assistance Services, along with Social Services, to continue with these efforts to ensure only eligible individuals are receiving Medicaid benefits.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-022: Improve Information Security Program and IT Governance
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Information Security Roles and Responsibilities
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services has an insufficient governance structure to manage and maintain its information security program in accordance with the Commonwealth's Information Security Standard, SEC 501 (Security Standard). Specifically, Social Services does not assess information security requirements for its information technology (IT) projects and prioritize information security and IT resources to ensure its information security program effectively protects sensitive Commonwealth data in accordance with the Security Standard. Social Services uses numerous IT systems to carry out its mission and provide essential services to the public. The Security Standard, Section 2.4.2, requires the agency head to maintain an information security program that is sufficient to protect the agency's IT systems and to ensure the information security program is documented and effectively communicated.

We communicated the internal control weaknesses to management in a separate document marked Freedom of Information Act (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to its sensitivity and description of security controls. The internal control weaknesses described in the communication marked FOIAE are the result of Social Services not assessing information security requirements prior to project implementation or prioritizing information security within the IT environment. Not prioritizing IT resources to properly manage its information security program can result in a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external. Additionally, not dedicating the necessary IT resources to information security has hindered Social Services' ability to remediate findings from management recommendations issued throughout prior audits consistently and timely and bring the information security program into compliance with the Security Standard. Because of the scope of this matter, we consider it to be a material weakness in internal control.

Social Services should evaluate the most efficient and effective method to bring its IT and security program into compliance with the Security Standard. Social Services should also evaluate its IT resource levels to ensure sufficient resources are available and dedicated to prioritizing and implementing IT governance changes and addressing the internal control deficiencies discussed in the communication marked FOIAE. Implementing these recommendations will help to ensure Social Services protects the confidentiality, integrity, and availability of its sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-024: Improve Information Security Program and Controls
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2021-024; 2020-024
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Access Control; Awareness and Training; Incident Response; Information Security Roles and Responsibilities; Personnel Security; Planning; Risk Assessment; Security Assessment and Authorization; System and Services Acquisition
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services continues to address weaknesses found during an audit of IT general controls. The audit performed by an external consultant during the period April 1, 2019, through March 31, 2020, resulted in 71 individual control weaknesses out of 100 controls tested, which the consultant grouped into ten findings. As of the end of fiscal year 2022, Medical Assistance Services resolved one of the ten findings and continues to make progress with the nine remaining findings, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. Noncompliance with the required security controls increases the risk of unauthorized access to mission-critical systems and data, in addition to weakening the agency's ability to respond to malicious attacks on its IT environment.

Medical Assistance Services has experienced delays in addressing these findings due to staffing turnover and shortages as well as organizational changes that affected some of its processes. Medical Assistance Services updated its corrective action plan in June 2022, stating corrective actions are still ongoing for all nine findings, and estimates it will complete corrective action for eight of the findings by the end of calendar year 2022 and the last finding by June 2023.

Medical Assistance Services should continue to dedicate the necessary resources to ensure timely completion of its corrective action plans and to comply with the Security Standard. These actions will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-029: Improve Web Application Security
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-025; 2020-026; 2019-037
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability; Configuration Management; Risk Assessment; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to not configure a sensitive web application in accordance with the Security Standard. Since the prior audit, Social Services has not remediated any of the previously identified weaknesses. We communicated the weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

The Security Standard requires implementing certain internal controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Social Services cannot ensure adequate protection of its sensitive and mission-critical data without configuring its sensitive web application in accordance with the Security Standard. Lacking or insufficient procedures and processes to manage the web application contributed to the five weaknesses outlined in the separate FOIAE document. Social Services' prioritization of other projects also contributed to the weaknesses persisting.

Social Services should dedicate the necessary resources to remediate the weaknesses discussed in the communication marked FOIAE in accordance with the requirements in the Security Standard. Implementing the required controls will help to ensure Social Services secures the web application to protect its sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-030: Continue Improving IT Risk Management Program
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-026; 2020-027; 2019-063; 2018-025
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Contingency Planning; Planning; Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to not have a formal and effective IT risk management program that aligns with the requirements in the Security Standard. Since we first issued this finding during the fiscal year 2018 audit, Social Services remediated some risk management and contingency planning issues. However, Social Services continues to not:

• accurately verify and validate data and system sensitivity ratings;
• create risk assessments for 50 percent of its sensitive systems;
• create system security plans for 52 percent of its sensitive systems;
• perform annual reviews for 99 percent of its existing risk assessment documentation;
• perform annual reviews for 74 percent of its existing system security plan documentation; and
• implement corrective actions identified in risk assessments.

We communicated the details of these weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Due to the magnitude of the project, Social Services has not yet remediated all the weaknesses. Additionally, the requirements documented in the policy and the process documented in the procedure do not align, which contributed to Social Services not consistently completing risk management documentation due to conflicting roles and responsibilities. Without implementing a formal and effective IT risk management program, Social Services cannot assure itself that it is reducing unnecessary risk to the confidentiality, integrity, and availability of its information systems and data.

Social Services should prioritize and dedicate the necessary resources to remediate the weaknesses discussed in the communication marked FOIAE in accordance with the requirements in the Security Standard. Completing its corrective action plan will help to ensure the confidentiality, integrity, and availability of the agency's sensitive systems and mission-essential functions.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-052: Continue Improving IT Change and Configuration Management Process

Applicable to: Department of Social Services
Prior Year Finding Number: 2021-049; 2020-044; 2019-038
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Configuration Management
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to improve its IT change and configuration management process to align with the Security Standard. Change management is a key control to evaluate, approve, and verify configuration changes to security components. Two weaknesses remain since our last review, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

Social Services' Change Management Process Guide details the process Social Services follows to manage changes but does not include all the required elements, which contributed to the weaknesses remaining. Additionally, the change request form does not have the necessary fields to document the required elements.

The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Without implementing these controls, Social Services cannot assure itself that it is reducing unnecessary risk to the confidentiality, integrity, and availability of its information systems and data.

Social Services should resolve the remaining two weaknesses discussed in the communication marked FOIAE in accordance with the Security Standard. Continuing to improve Social Services' IT change and configuration management process will decrease the risk of unauthorized modifications to sensitive systems and help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-057: Improve Timely Removal of Critical System Access

Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2021-037; 2020-049; 2019-024; 2018-040; 2017-016
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Personnel Security
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services did not remove access to the claims processing module or the eligibility system timely for individuals who separated from the agency and no longer needed access. For one out of eight (12.5%) users, Medical Assistance Services did not disable system access in the claims processing module within 24 hours of separation. The user retained their system access for 11 days after separation. For three out of 25 (12%) users, Medical Assistance Services did not disable system access in the eligibility system within 24 hours of separation. These three users were contract employees and retained their access to the system between 104 and 123 days after separation.

Medical Assistance Services' Access Control Policy requires that "all user accounts must be disabled immediately upon separation or within 24 hours upon receipt by the Office of Compliance and Security" (Compliance and Security). Failing to disable access timely for web-based mission-critical systems threatens the data integrity of the systems. If separated users retain access to the claims processing module or the eligibility system, users are potentially able to view, copy, and edit sensitive information.

There are several factors contributing to this issue. First, Medical Assistance Services' internal policy is not in compliance with the Security Standard. The Security Standard requires agencies to disable access within 24 hours of separation, not within 24 hours of receipt of notification. Additionally, supervisors are not communicating information on separated employees timely. A separating employee's supervisor must initiate an exit clearance workflow for the system to automatically notify Compliance and Security for removal of system access. For the user of the claims processing module, the supervisor requested access termination more than 24 hours after the employee's separation. Finally, for the three users of the eligibility system, Compliance and Security received the access termination request timely but did not terminate access for more than 24 hours after receipt.

In June 2022, Medical Assistance Services implemented several organizational changes, including dissolving Compliance and Security. The responsibility for system access management moved to the division responsible for the system and its applicable business function. Medical Assistance Services is currently updating its internal Access Control policy to ensure it is consistent with the Security Standard and organizational updates. Medical Assistance Services expects to complete the policy and process updates in December 2022. Medical Assistance Services should also train and educate supervisors on the importance of timely notification of separated employees. Finally, Medical Assistance Services should ensure compliance with the Security Standard by removing user access as required.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-059: Monitor Internal Controls to Ensure Timely Removal of System Access

Applicable to: Department of Social Services
Prior Year Finding Number: 2021-038; 2021-027; 2020-025; 2019-027; 2018-042
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Personnel Security
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services did not comply with the Security Standard requirements for removing system access for separated employees. For 13 of the 26 (50%) separations tested from fiscal year 2022, Social Services did not remove system access within 24 hours following each employee's separation date. Untimely removal of access ranged between two and 290 days after each employee's separation date.

Section PS-4 of the Security Standard requires an organization to disable information system access within 24 hours of employment termination. To comply with the Security Standard, Social Services created a policy in Section 2.9 of its State/Local Security Officers Procedures Manual (Manual) that requires supervisors to complete the State Employee Separation and Transfer Checklist (Separation Checklist) at least 48 hours in advance of the employee's separation and submit it to the Division Security Officer. The Division Security Officer must then remove the separated employee from Social Services' access management system, which controls access to its internal systems, within 24 hours following the employee's separation date. Upon completion, the Division Security Officer is responsible for submitting the Separation Checklist to other Divisions, such as the Division of Human Resources (Human Resources) and the Central Security Office (Central Security), to make them aware of the separation.

Social Services does not appear to monitor compliance with internal policies surrounding access removal for separated employees. Of the 13 employees with access removed more than 24 hours after their separation dates:

• We noted four instances where Social Services was unable to provide the Separation Checklist. As a result, Social Services was unable to demonstrate compliance with its internal policies surrounding access removal for separated employees.
• Of the remaining nine employees with completed Separation Checklists, we noted nine instances of untimely or inaccurate supervisor sign-offs. Specifically, there were seven instances where the supervisor did not submit the Separation Checklist to the Division Security Officer at least 48 hours in advance of the employee's date of separation and two instances where the supervisor did not properly sign off and date the Separation Checklist.

Social Services administers numerous public assistance programs that collect personally identifiable information and other protected information from beneficiaries. Social Services places its data and reputation at risk by not removing access timely. Additionally, Social Services could incur a potential financial liability should its information become compromised.

The Security Standard states that the Agency Head is responsible for security of the agency's IT systems and data. Since Human Resources, Central Security, and the Division Security Officers share ownership of the employee separation and access removal processes, Social Services' Executive Team should identify which division in the agency should be responsible for monitoring compliance with internal policies surrounding access removal for separated employees. Social Services' Executive Team should periodically review the monitoring results and take enforcement actions, as necessary, if the agency is not compliant.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
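The access-removal tests that findings 2022-057 and 2022-059 describe (24 hours from the separation date under PS-4, a signed Separation Checklist 48 hours in advance under Manual section 2.9) can be run by the agency itself as a monitoring control. The script below is an added example, not code from the audit report or from either agency; the record layout, employee IDs and dates are constructed, and the 290-day case is chosen to match the upper bound the finding reports.

```python
"""Added example (not part of the audit report): replays the access-removal
tests described in findings 2022-057 and 2022-059 over constructed records.

Rules encoded, as stated in the findings:
  * Security Standard PS-4: disable system access within 24 hours of the
    employee's separation date (measured from separation, not from the date
    the security office receives the notification).
  * Manual section 2.9: the supervisor submits a signed and dated Separation
    Checklist at least 48 hours before the separation date.
All names, dates and record layouts below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ACCESS_REMOVAL_DEADLINE = timedelta(hours=24)  # PS-4
CHECKLIST_LEAD_TIME = timedelta(hours=48)      # Manual section 2.9


@dataclass(frozen=True)
class Separation:
    employee_id: str                            # constructed placeholder
    separated_at: datetime                      # separation date/time
    notified_at: Optional[datetime]             # when security received the request
    access_disabled_at: Optional[datetime]      # None = still enabled
    checklist_submitted_at: Optional[datetime]  # None = checklist not provided
    supervisor_signed: bool
    supervisor_dated: bool


def access_removal_lag(rec: Separation, as_of: datetime) -> timedelta:
    """Elapsed time from separation to access removal; accounts still enabled
    are measured up to the test date `as_of` so they are never hidden."""
    return (rec.access_disabled_at or as_of) - rec.separated_at


def evaluate(rec: Separation, as_of: datetime) -> list[str]:
    """Return the list of deviations for one record (empty if compliant)."""
    issues = []
    lag = access_removal_lag(rec, as_of)
    if lag > ACCESS_REMOVAL_DEADLINE:
        issues.append(f"access removed {lag.days} days after separation (PS-4: 24h)")
        # Attribute the delay the way finding 2022-057 does: late supervisor
        # notification versus slow action by the security office.
        if rec.notified_at is not None:
            disabled = rec.access_disabled_at or as_of
            if rec.notified_at - rec.separated_at > ACCESS_REMOVAL_DEADLINE:
                issues.append("supervisor notified security more than 24h after separation")
            elif disabled - rec.notified_at > ACCESS_REMOVAL_DEADLINE:
                issues.append("security office took more than 24h after notification")
    if rec.checklist_submitted_at is None:
        issues.append("Separation Checklist not provided")
    else:
        if rec.separated_at - rec.checklist_submitted_at < CHECKLIST_LEAD_TIME:
            issues.append("Separation Checklist submitted less than 48h before separation")
        if not (rec.supervisor_signed and rec.supervisor_dated):
            issues.append("supervisor sign-off missing or undated")
    return issues


def summarize(records: list[Separation], as_of: datetime) -> dict:
    """Population-level figures in the form the finding reports them."""
    late = [r for r in records if access_removal_lag(r, as_of) > ACCESS_REMOVAL_DEADLINE]
    lags = sorted(access_removal_lag(r, as_of).days for r in late)
    with_checklist = [r for r in late if r.checklist_submitted_at is not None]
    return {
        "tested": len(records),
        "late": len(late),
        "late_pct": round(100 * len(late) / len(records)) if records else 0,
        "lag_range_days": (lags[0], lags[-1]) if lags else None,
        "missing_checklist": len(late) - len(with_checklist),
        "late_checklist": sum(
            1 for r in with_checklist
            if r.separated_at - r.checklist_submitted_at < CHECKLIST_LEAD_TIME),
        "unsigned_checklist": sum(
            1 for r in with_checklist
            if not (r.supervisor_signed and r.supervisor_dated)),
    }


AS_OF = datetime(2022, 6, 30, 17, 0)  # constructed fiscal year-end test date
SAMPLE = [  # constructed records, not audit data
    Separation("EMP-0001", datetime(2022, 3, 1, 17, 0), datetime(2022, 3, 1, 18, 0),
               datetime(2022, 3, 1, 23, 0), datetime(2022, 2, 25, 9, 0), True, True),
    Separation("EMP-0002", datetime(2022, 2, 1, 17, 0), datetime(2022, 2, 3, 12, 0),
               datetime(2022, 2, 3, 17, 0), None, False, False),
    Separation("EMP-0003", datetime(2021, 7, 15, 17, 0), datetime(2021, 7, 16, 10, 0),
               datetime(2022, 5, 1, 17, 0), datetime(2021, 7, 14, 17, 0), True, True),
    Separation("EMP-0004", datetime(2022, 6, 20, 17, 0), None,
               None, datetime(2022, 6, 17, 17, 0), True, False),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.employee_id, evaluate(rec, AS_OF) or "compliant")
    print(summarize(SAMPLE, AS_OF))
```

Run against an export of HR separation dates joined to the access management system's disable timestamps, the summary gives the Executive Team the same figures the auditors computed, on a monthly rather than annual cycle.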
2022-060: Upgrade End-of-Life Technology

Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services uses end-of-life technologies in its IT environment and maintains technologies that support mission-essential data on IT systems that its vendors no longer support. We communicated internal control weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

The Security Standard prohibits using software that is end-of-life and which the vendor no longer supports to reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Social Services does not assign an individual or team with the responsibility to track end-of-life software dates and does not have a formal process to ensure that it upgrades software versions prior to the end-of-life date, which caused the end-of-life software to remain in the environment.

Social Services' use of the end-of-life software increases the risk that known vulnerabilities will persist in the system without the potential for patching or mitigation. These unpatched vulnerabilities increase the risk of successful cyberattack, exploit, and data breach by malicious parties. Further, vendors do not offer operational and technical support for end-of-life or end-of-support technology, which affects data availability by increasing the difficulty of restoring system functionality if a technical failure occurs.

Social Services should dedicate the necessary resources to evaluate and implement the internal controls and recommendations discussed in the communication marked FOIAE in accordance with the Security Standard. Minimizing the use of end-of-life software will help to ensure that Social Services secures its IT environment and systems to protect its sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-064: Continue Developing Record Retention Requirements and Processes for Electronic Records

Applicable to: Department of Social Services
Prior Year Finding Number: 2021-047; 2020-041; 2019-049; 2018-054
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Contingency Planning
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to operate without an adequate data retention process for its case management system. Social Services' case management system authorized over $10 billion in benefit payments from various public assistance programs to beneficiaries during fiscal year 2022. We communicated this weakness to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

Since fiscal year 2019, Social Services gathered retention requirements from the business divisions. During the fiscal year, Social Services finalized and documented policies with retention requirements. However, Social Services has not developed, documented, and implemented a policy, procedure, and process to operationalize the record retention requirements needed.

Federal regulations require different record retention requirements for different federal programs. Additionally, the Virginia Public Records Act (§ 42.1-91 of the Code of Virginia) requires each agency to be responsible for ensuring that it preserves, maintains, and makes accessible public-facing records throughout their lifecycle, including converting and migrating electronic records as often as necessary so that information is not lost due to hardware, software, or media obsolescence or deterioration. Further, the Security Standard, Section CP-9-COV, requires the agency implement backup and restoration plans for every IT system identified as sensitive relative to availability that address the retention of the data in accordance with the records retention policy.

Without developing, documenting, and implementing a policy, procedure, and process to operationalize record retention requirements, Social Services increases data risk and increases potential exposure to fines, penalties, or other legal consequences. Additionally, Social Services may cause the Commonwealth to spend additional resources to maintain, back up, and protect the information.

Social Services should develop and implement a records retention policy and procedure that defines its requirements and processes to ensure that consistent record retention processes can be operationalized across business divisions to ensure compliance with laws and regulations.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-066: Conduct Audits of Agency Sensitive Systems Timely

Applicable to: Virginia Information Technologies Agency
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

VITA's Centralized IT Security Audit Service (Audit Services) conducts IT security audits for contracted agencies. The Commonwealth's Information Technology Security Audit Standard, SEC 502 (Security Audit Standard), Section 2.1, requires agencies to complete security audits for each sensitive system every three years from the last audit completion date. Based on our review of audit completion dates provided by Audit Services, we determined the following:

• During fiscal year 2022, Audit Services completed four of six agency IT security audits after the three-year audit deadline.
• As of June 30, 2022, Audit Services is currently engaged, or has not started, ten agency IT security audits that are past the three-year audit requirement.

When an agency contracts with Audit Services, the agency head or designee signs a Memorandum of Understanding (MOU) which outlines the scope of work and pricing. It is the agency's responsibility to ensure the MOU includes all sensitive systems requiring a security audit. A properly defined MOU allows Audit Services to properly price and schedule the security audit. Audit Services audits all the systems in scope for an agency at the same time and issues one audit report covering all systems in scope per the MOU.

Audit Services should consider adding information to the MOU related to audit deadlines or planned timeframe for the audit. This added communication will ensure all parties understand when Audit Services plans to complete the audits. Additionally, more information regarding audit timing will allow agencies to determine if they need to obtain a separate audit for specific systems to ensure those systems remain compliant with the Security Audit Standard between the date of the MOU and the anticipated deadline set by Audit Services.

Of the four audits Audit Services completed late during fiscal year 2022, two of the delays are due to the agencies requesting postponements. Additionally, of the ten audits that were already late as of June 30, 2022, two are due to agency-requested postponements. The remaining late audits are primarily due to resource constraints within Audit Services.

Audit Services should regularly monitor its audit workplan to ensure audit staff complete all IT security audits by the required deadlines. Additionally, Audit Services should evaluate its staffing levels and assess if VITA should contract with an outside audit firm to aid in completing IT security audits.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-090: Improve Third-Party Oversight Process

Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services does not have a formal and consistent process for maintaining oversight for three of its IT third-party service providers (providers) that manage and support the Medicaid management system. As a result of an informal and inconsistent process, Medical Assistance Services did not verify or implement three controls required by the Hosted Environment Security Standard. We communicated the three weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

Without a formal and consistent process to maintain oversight of its providers, Medical Assistance Services cannot validate whether its providers implement the security controls that meet the requirements in the Hosted Environment Security Standard to protect the agency's sensitive and mission-critical data.

While Medical Assistance Services has a formal IT Third Party and Vendor Compliance Management Policy, effective as of December 31, 2021, the agency experienced turnover in its ISO position in June 2022 before the development of a formal procedure. As a result, Medical Assistance Services did not consistently maintain oversight of its providers in accordance with the Hosted Environment Security Standard.

Medical Assistance Services should dedicate the necessary resources to develop a formal procedure to maintain oversight of its providers in accordance with its policy and the Hosted Environment Security Standard. Medical Assistance Services should also dedicate the necessary resources to implement and consistently perform the formal oversight process, which will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-100: Continue to Ensure ITISP Suppliers Meet all Contractual Requirements

Applicable to: Virginia Information Technologies Agency
Prior Year Finding Number: 2021-023; 2020-070
Type of Finding: Internal Control
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Although VITA is monitoring and enforcing the contractual requirements each month, as of June 2022, there were still cases of Information Technology Infrastructure Services Program (ITISP) suppliers not meeting the minimum requirements. When ITISP suppliers do not meet all contractual requirements (e.g., key measures, critical service levels, deliverables), it impacts the ability of Commonwealth agencies that rely on the ITISP services to comply with the Security Standard. The Security Standard is a baseline for information security and risk management activities for Commonwealth agencies. Many agencies rely on services provided through the ITISP suppliers to ensure compliance with the Security Standard.

For example, the Security Standard requires the installation of security-relevant software updates within 90 days of release (Security Standard Section: SI-2 Flaw Remediation). Commonwealth agencies rely on the ITISP suppliers for the installation of security patches in systems that support agencies' operations. Our audits at various agencies for fiscal year 2022 found critical and highly important security patches that were past the 90-day Security Standard requirement. The systems missing critical security updates are at an increased risk of successful cyberattack, exploit, and data breach by malicious parties.

Additionally, the Security Standard requires agencies to review and analyze audit records at least every 30 days for indications of inappropriate or unusual activity (Security Standard Section: AU-6 Audit Review, Analysis, and Reporting). Our audits of various agencies for fiscal year 2022 found that agencies rely on the ITISP suppliers to provide access to a centralized monitoring tool that collects audit log information about activities in the IT environment. Certain agencies were unable to obtain access to the audit log information during fiscal year 2022, and thus were not able to comply with the Security Standard requirements related to audit log monitoring. Although the supplier was performing audit logging and monitoring, only a select few agencies have access to the monitoring tool while the supplier is pilot testing the tool. The Commonwealth's risk associated with data confidentiality, integrity, and availability increases with agencies not being able to review and monitor their individual audit logs.

During fiscal year 2022, VITA and the Multisource Service Integrator (MSI) evaluated the current service level measurements to ensure they align with the Commonwealth's needs. As of December 2022, VITA and the MSI are implementing changes to the service level related to security and vulnerability patching. The changes to this service level include establishing a Common Vulnerabilities and Exposures (CVE) threshold. The new security and vulnerability patching service level will require the ITISP suppliers to install any patch with a CVE score above the threshold within 90 days. VITA continues to work with the managed security supplier to address the agencies' inability to access the audit log information. The supplier replaced the original security incident and event management system with a new managed detection and response (MDR) platform. Currently, only a small number of agencies are piloting the new MDR system.

VITA should document the rationale for all changes to the service levels, including the basis for the CVE score threshold selected, and continually reevaluate the service levels as risks change. To ensure all agencies that rely on the ITISP services can comply with the Security Standard, VITA should ensure ITISP suppliers meet all contractual requirements (e.g., key measures, critical service levels, deliverables). To aid in determining which requirements have Security Standard implications, VITA should crosswalk contractual requirements to the Security Standard. A crosswalk will help in identifying which requirements, if not met, could put an agency at risk per the Security Standard. If VITA determines an ITISP supplier is not meeting a contractual requirement that may have a Security Standard implication, VITA should communicate with the affected agencies and provide guidance on compensating controls and processes the agencies should implement to reduce risk while the suppliers work to meet the requirements of the contract.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
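An agency that depends on ITISP suppliers for patching and log access can measure the two Security Standard requirements this finding cites (SI-2, 90 days from release; AU-6, review at least every 30 days) from its own patch inventory and log-review records, and can see what a CVE score threshold excludes. The script below is an added example, not code from the report or from VITA; the patch records, review dates and the threshold value are constructed (the report says a threshold is being established but does not give its value).

```python
"""Added example (not from the audit report or VITA): checks the SI-2 patch
window and the AU-6 log-review cadence cited in finding 2022-100 over
constructed records, applying a configurable CVE score threshold the way the
revised patching service level is described.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=90)         # SI-2 Flaw Remediation
LOG_REVIEW_INTERVAL = timedelta(days=30)  # AU-6 Audit Review, Analysis, and Reporting
CVE_SCORE_THRESHOLD = 7.0                 # placeholder: VITA's value is not in the report


@dataclass(frozen=True)
class Patch:
    system: str                # constructed system name
    cve_id: str                # constructed placeholder identifier
    cve_score: float           # CVSS base score
    released: date
    installed: Optional[date]  # None = not yet installed


def in_scope(p: Patch, threshold: float = CVE_SCORE_THRESHOLD) -> bool:
    """The revised service level covers patches with a score above the threshold."""
    return p.cve_score > threshold


def days_overdue(p: Patch, as_of: date) -> int:
    """Days beyond the 90-day window; 0 if installed in time. Uninstalled
    patches are measured up to `as_of` so they keep accruing."""
    elapsed = (p.installed or as_of) - p.released
    return max((elapsed - PATCH_WINDOW).days, 0)


def overdue_patches(patches: list[Patch], as_of: date,
                    threshold: float = CVE_SCORE_THRESHOLD) -> list[Patch]:
    """Patches the service level covers that missed the 90-day window."""
    return [p for p in patches if in_scope(p, threshold) and days_overdue(p, as_of) > 0]


def below_threshold_overdue(patches: list[Patch], as_of: date,
                            threshold: float = CVE_SCORE_THRESHOLD) -> list[Patch]:
    """Late patches the threshold leaves outside the service level; these are the
    ones an agency must track itself (the 'rationale for the threshold' point)."""
    return [p for p in patches if not in_scope(p, threshold) and days_overdue(p, as_of) > 0]


def log_review_gaps(review_dates: list[date], period_start: date,
                    period_end: date) -> list[tuple[date, date, int]]:
    """Intervals longer than 30 days between successive reviews, including the
    lead-in from `period_start` and the tail to `period_end` (an agency with no
    tool access shows up as one long tail gap)."""
    points = [period_start] + sorted(review_dates) + [period_end]
    gaps = []
    for start, end in zip(points, points[1:]):
        if end - start > LOG_REVIEW_INTERVAL:
            gaps.append((start, end, (end - start).days))
    return gaps


AS_OF = date(2022, 6, 30)        # constructed fiscal year-end
PERIOD_START = date(2021, 7, 1)  # constructed fiscal year start
PATCHES = [  # constructed records, not audit data
    Patch("web-01", "CVE-0000-0001", 9.8, date(2022, 1, 10), date(2022, 2, 15)),
    Patch("web-01", "CVE-0000-0002", 8.1, date(2022, 1, 10), date(2022, 5, 20)),
    Patch("db-02", "CVE-0000-0003", 7.5, date(2022, 2, 1), None),
    Patch("db-02", "CVE-0000-0004", 4.3, date(2022, 1, 5), None),
]
LOG_REVIEWS = [  # constructed review dates, not audit data
    date(2021, 7, 20), date(2021, 8, 15), date(2021, 9, 10),
    date(2021, 12, 1), date(2022, 1, 5),
]

if __name__ == "__main__":
    for p in overdue_patches(PATCHES, AS_OF):
        print(f"{p.system} {p.cve_id} score {p.cve_score}: {days_overdue(p, AS_OF)} days overdue")
    for p in below_threshold_overdue(PATCHES, AS_OF):
        print(f"{p.system} {p.cve_id} below threshold, {days_overdue(p, AS_OF)} days overdue")
    for start, end, days in log_review_gaps(LOG_REVIEWS, PERIOD_START, AS_OF):
        print(f"log review gap {start} -> {end}: {days} days")
```

Lowering the threshold argument widens the set the service level covers, which is the trade-off VITA's documented rationale for the threshold should address.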
2022-011: Perform Responsibilities Outlined in the Agency Monitoring Plan Applicable to: Department of Social Services Prior Year Finding Number: 2021-070; 2020-074; 2019-090; 2018-093 Type of Finding: Internal Control and Compliance Severity of Deficiency: Material Weakness ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19) Federal Award Number and Year: 2205VA5MAP - 2022 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR ? 200.303(a) Known Questioned Costs: $0 The Department of Social Services' (Social Service) Compliance Division (Compliance) continues to not adhere to its established approach to oversee the agency's subrecipient monitoring activities, as outlined in its Agency Monitoring Plan. During fiscal year 2022, Social Services disbursed approximately $588 million in federal funds from roughly 5,000 subawards. According to Social Services' Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps to ensure adherence to state and federal legal and regulatory standards, including subrecipient monitoring. During the audit, we noted the following deviations from the Agency Monitoring Plan: ? Compliance has not finalized the Agency Monitoring Plan and, as a result, has not communicated it to Subrecipient Monitoring Coordinators within each division of Social Services. Because of the lack of communication, there were deviations from the Agency Monitoring Plan at the division level. For example, the Agency Monitoring Plan requires each division to monitor subrecipients once every three years. However, the Local Review Team and Child Care Subsidy Program Monitoring Plans did not consider this requirement because the Subrecipient Monitoring Coordinators were unaware of this requirement. 
We communicated this matter to Social Services through the audit finding titled "Finalize the Agency Monitoring Plan and Communicate Responsibilities to Subrecipient Monitoring Coordinators," which we have included as a separate audit finding in this report. ? Compliance continues to not review division monitoring plans to ensure the divisions implemented a risk-based approach for monitoring subrecipients. The Agency Monitoring Plan states that Compliance will use a monitoring plan checklist to evaluate and determine if all the required elements for subrecipient monitoring are present in each division's plan. As a result of the lack of review, the Division of Benefit Programs' (Benefit Programs) monitoring plan continues to not meet all the requirements outlined in the Agency Monitoring Plan because it does not include a risk-based approach for subrecipient monitoring and does not consider all subrecipients who receive funding from the Temporary Assistance for Needy Families (TANF) federal grant program. We communicated these matters to Social Services through the audit findings titled "Verify that Monitoring Plan Includes All Subrecipient Programmatic Activities" and "Evaluate Subrecipients' Risk of Noncompliance in Accordance with Federal Regulations," which we have included as separate audit findings in this report. ?Compliance continues to not conduct an analysis of subrecipient monitoring review efforts performed by the divisions. As a result, Compliance has not produced quarterly reports of variances and noncompliance to brief Social Services' Executive Team on the agency's subrecipient monitoring activities. Because of the lack of analysis, Compliance was unaware of deviations from the Agency Monitoring Plan occurring at the divisions. For example, Benefit Programs only completed 25 of the 67 (37%) scheduled reviews for the Low-Income Home Energy Assistance Program (LIHEAP) federal grant program. 
Additionally, Benefit Programs did not upload its monitoring review records to Social Services' data repository timely for management review. As a result, Compliance was unaware that Regional Consultants were deviating from Benefit Programs' monitoring plan. We communicated this matter to Social Services through the audit finding titled "Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan," which we have included as a separate audit finding in this report.

Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot provide Social Services' Executive Team with reasonable assurance that the agency complied with the pass-through entity federal requirements at 2 CFR § 200.332. Title 2 CFR § 200.303(a) requires pass-through entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

Compliance planned to procure a centralized system to strengthen its monitoring activities but has been unsuccessful in its efforts and has not identified alternative approaches for carrying out the responsibilities in the Agency Monitoring Plan and discussed them with Social Services' Executive Team. Because of the scope of this matter, we consider it to be a material weakness in internal control.

Social Services' Executive Team shapes strategies, develops objectives, and collectively resolves issues that are critical to the overall agency performance. Social Services' Executive Team and Compliance should work collaboratively to determine the best approach for carrying out the responsibilities in the Agency Monitoring Plan. Additionally, Social Services' Executive Team and Compliance should hold quarterly meetings to discuss the Agency Monitoring Plan and its activities.
Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-012: Finalize the Agency Monitoring Plan and Communicate Responsibilities to Subrecipient Monitoring Coordinators
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-069; 2020-076
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0

Compliance has not finalized its Agency Monitoring Plan and communicated responsibilities to Subrecipient Monitoring Coordinators, as recommended during the fiscal year 2020 audit. The oversight of Social Services' subrecipient monitoring processes transitioned from the Division of Community and Volunteer Services (Community and Volunteer Services) to Compliance in fiscal year 2019. Community and Volunteer Services created the Agency Monitoring Plan, and it is now the responsibility of Compliance. However, Compliance has not updated the Agency Monitoring Plan to properly reflect agency operations over subrecipient monitoring. In effect, Compliance continues to not communicate the Agency Monitoring Plan to Subrecipient Monitoring Coordinators within each division of Social Services. During fiscal year 2022, Social Services disbursed approximately $588 million in federal funds from roughly 5,000 subawards.

Title 2 CFR § 200.332(d) requires pass-through entities to monitor the activities of subrecipients as necessary to ensure use of the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward.
Without clearly defining responsibilities and communicating federal requirements, Compliance cannot provide assurance that Social Services adequately monitors all its subrecipients to ensure they are achieving program objectives or complying with federal requirements. Compliance was unable to finalize the monitoring plan and communicate responsibilities to monitoring coordinators because it did not dedicate the resources necessary to implement corrective action.

Compliance should allocate resources to finalize the Agency Monitoring Plan to properly address subrecipient monitoring responsibilities. Additionally, Compliance should communicate the Agency Monitoring Plan to Subrecipient Monitoring Coordinators within each division of Social Services.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-014: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)
Known Questioned Costs: $0

Benefit Programs does not oversee subrecipient monitoring activities to ensure monitoring activities are conducted in accordance with its monitoring plan. During the fiscal year, Benefit Programs disbursed approximately $312 million in subaward payments from the Supplemental Nutrition Assistance Program (SNAP) and Medicaid Clusters and the LIHEAP and TANF federal grant programs.

During the audit, we noted the following deviations from Benefit Programs' monitoring plan:

• Benefit Programs created a monitoring plan to comply with Social Services' Agency Monitoring Plan. Regional consultants, who perform subrecipient monitoring activities, created their own subrecipient monitoring schedules that were not consistent with Benefit Programs' monitoring schedule.

• Benefit Programs did not confirm that fiscal year 2022 monitoring review records uploaded to its data repository were complete. Some of the missing records included the agency notification letter, case selection sample, and subrecipient monitoring checklist.

• At the beginning of audit fieldwork, the data repository did not contain all subrecipient monitoring reviews performed during the fiscal year.
The Subrecipient Monitoring Coordinator subsequently obtained and uploaded the remaining subrecipient monitoring reviews to Benefit Programs' data repository. The data repository only included the following subrecipient monitoring reviews at the time of the audit:

o 12 of 25 (48%) reviews performed for the LIHEAP federal grant program;
o 22 of 73 (30%) reviews performed for the SNAP Cluster;
o 13 of 62 (21%) reviews performed for the Medicaid Cluster; and
o nine of 62 (15%) reviews performed for the TANF federal grant program.

Benefit Programs only completed 25 of the 67 (37%) scheduled reviews for the LIHEAP federal grant program.

Benefit Programs did not identify these issues because its monitoring plan did not clearly delineate who was responsible for overseeing subrecipient monitoring activities. As a result, no one in Benefit Programs was overseeing subrecipient monitoring activities. Title 2 CFR § 200.332(d) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the pass-through entity uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conduct monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with 2 CFR § 200.332(d).

In March 2022, Benefit Programs created a Subrecipient Monitoring Coordinator position to oversee its monitoring activities. The Subrecipient Monitoring Coordinator is working with Benefit Programs' Associate Director for Operations and Support to confirm that Benefit Programs' monitoring plan meets federal requirements. Benefit Programs should continue its efforts to confirm that it conducts monitoring activities in accordance with its monitoring plan.
Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-016: Evaluate Subrecipients' Risk of Noncompliance in Accordance with Federal Regulations
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-071
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; SNAP Cluster - 10.551, 10.561; Temporary Assistance for Needy Families (TANF) - 93.558 (COVID-19)
Federal Award Number and Year: 2205VA5MAP; 221VA407S2514; 2201VATANF - 2022
Name of Federal Agency: U.S. Department of Agriculture; U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0

Benefit Programs continues to not evaluate subrecipients' risk of noncompliance with federal regulations related to the administration of the SNAP and Medicaid Clusters and the TANF and LIHEAP federal grant programs. Benefit Programs develops its subrecipient monitoring approach using the size of the subrecipient; however, it does not perform any further risk assessment procedures to determine the monitoring approach. Social Services disbursed approximately $312 million to subrecipients from these federal programs during the fiscal year.

Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Further, 2 CFR § 200.332(b) suggests that pass-through entities should consider the results of previous audits, subrecipient's prior experience with the same or similar subawards, and whether the subrecipient has new personnel or new or substantially changed systems.

Benefit Programs developed a corrective action plan to perform risk assessment procedures to comply with 2 CFR § 200.332(b); however, Benefit Programs was unable to implement corrective action due to staff turnover. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipient as necessary to ensure that the pass-through entity used the subaward for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward.

Benefit Programs should continue its corrective action efforts to implement a risk assessment process for subrecipients that is consistent with federal regulations and ensure that its monitoring efforts are consistent with the results of its risk assessment.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-018: Continue Strengthening Process over Medicaid Coverage Cancellations
Applicable to: Department of Medical Assistance Services; Department of Social Services
Prior Year Finding Number: 2021-067
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Eligibility - 42 CFR § 433.400(d)
Known Questioned Costs: $0

The Department of Medical Assistance Services (Medical Assistance Services) continues to oversee the review of individuals with an out of state address in the Medicaid claims processing module of the Medicaid management system who may no longer be eligible for Medicaid coverage. Based on data from our prior year finding, Medical Assistance Services, with assistance from Social Services, reviewed cases with an out of state address and subsequently closed approximately 6,700 cases and recouped $40.1 million in Managed Care Organization (MCO) payments. Medical Assistance Services further reviewed additional cases related to fiscal year 2022 and as of November 2022, Medical Assistance Services had identified an additional 8,500 cases for closure and recouped an additional $43.4 million in MCO payments. These efforts are ongoing as research is in progress for over approximately 4,700 cases; however, Medical Assistance Services anticipates completing the review of these cases by December 2022.

Medicaid eligibility is based on several financial and non-financial requirements. Section 12VAC30-40-10 of the Virginia Administrative Code lays out the general conditions of eligibility that an individual must satisfy to enroll in the Medicaid program. One of the non-financial requirements is that the individual be a state resident.
In Spring 2020, with the onset of the Public Health Emergency (PHE), the federal government modified the program requirements and based on the Families First Coronavirus Response Act § 6008(b)(3), states cannot cancel Medicaid coverage during the PHE except in the following situations - an individual's death, an individual requests cancellation of coverage, or an individual relocates to another state. To ensure compliance with these requirements, Medical Assistance Services began reviewing coverage cancellation information monthly to ensure cancellations of coverage only occurred for allowable reasons during the PHE. Under the process, Medical Assistance Services reviewed cancellation codes in the eligibility system and reinstated coverage for those cases that did not meet certain cancellation reasons. For this process to be effective, Medical Assistance Services was relying on correct cancellation codes in the eligibility system; however, for the cases identified, the eligibility system produced a generic cancellation code causing Medical Assistance Services to reinstate the Medicaid coverage although the individual may have no longer been eligible for coverage.

Medical Assistance Services has undertaken significant efforts to address this issue. Medical Assistance Services staff, along with Social Services and other contracted staff, have performed detailed eligibility reviews of over 17,000 individual cases. In addition to these reviews, Medical Assistance Services has worked with Social Services to ensure it correctly records future coverage cancellations related to relocations to another state in the eligibility system. As of June 2022, Social Services programmed the eligibility system to return a specific cancellation code for relocating out of Virginia instead of a generic cancellation code.
While this system change should reduce the number of cases that Medical Assistance Services reinstates when an individual has moved out of state, Medical Assistance Services has also implemented a new quarterly review process to identify individuals who may have relocated out of state and may no longer be eligible for Medicaid coverage. We encourage Medical Assistance Services, along with Social Services, to continue with these efforts to ensure only eligible individuals are receiving Medicaid benefits.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-022: Improve Information Security Program and IT Governance
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Information Security Roles and Responsibilities
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services has an insufficient governance structure to manage and maintain its information security program in accordance with the Commonwealth's Information Security Standard, SEC 501 (Security Standard). Specifically, Social Services does not assess information security requirements for its information technology (IT) projects and prioritize information security and IT resources to ensure its information security program effectively protects sensitive Commonwealth data in accordance with the Security Standard. Social Services uses numerous IT systems to carry out its mission and provide essential services to the public.

The Security Standard, Section 2.4.2, requires the agency head to maintain an information security program that is sufficient to protect the agency's IT systems and to ensure the information security program is documented and effectively communicated. We communicated the internal control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to its sensitivity and description of security controls. The internal control weaknesses described in the communication marked FOIAE are the result of Social Services not assessing information security requirements prior to project implementation or prioritizing information security within the IT environment.
Not prioritizing IT resources to properly manage its information security program can result in a data breach or unauthorized access to confidential and mission critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external. Additionally, not dedicating the necessary IT resources to information security has hindered Social Services' ability to remediate findings from management recommendations issued throughout prior audits consistently and timely and bring the information security program in compliance with the Security Standard. Because of the scope of this matter, we consider it to be a material weakness in internal control.

Social Services should evaluate the most efficient and effective method to bring its IT and security program into compliance with the Security Standard. Social Services should also evaluate its IT resource levels to ensure sufficient resources are available and dedicated to prioritizing and implementing IT governance changes and address the internal control deficiencies discussed in the communication marked FOIAE. Implementing these recommendations will help to ensure Social Services protects the confidentiality, integrity, and availability of its sensitive and mission critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-024: Improve Information Security Program and Controls
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2021-024; 2020-024
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Access Control; Awareness and Training; Incident Response; Information Security Roles and Responsibilities; Personnel Security; Planning; Risk Assessment; Security Assessment and Authorization; System and Services Acquisition
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services continues to address weaknesses found during an audit of IT general controls. The audit performed by an external consultant during the period April 1, 2019, through March 31, 2020, resulted in 71 individual control weaknesses out of 100 controls tested, which the consultant grouped in ten findings. As of the end of fiscal year 2022, Medical Assistance Services resolved one of the ten findings and continues to make progress with nine remaining findings, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

Noncompliance with the required security controls increases the risk for unauthorized access to mission-critical systems and data in addition to weakening the agency's ability to respond to malicious attacks to its IT environment. Medical Assistance Services has experienced delays in addressing these findings due to staffing turnover and shortages as well as organizational changes that affected some of its processes.
Medical Assistance Services updated its corrective action plan in June 2022, stating corrective actions are still ongoing for all nine findings and estimates it will complete corrective action for eight of the findings by the end of calendar year 2022 and the last finding by June 2023. Medical Assistance Services should continue to dedicate the necessary resources to ensure timely completion of its corrective action plans and to comply with the Security Standard. These actions will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-029: Improve Web Application Security
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-025; 2020-026; 2019-037
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability; Configuration Management; Risk Assessment; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to not configure a sensitive web application in accordance with the Security Standard. Since the prior audit, Social Services has not remediated any of the previously identified weaknesses. We communicated the weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

The Security Standard requires implementing certain internal controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Social Services cannot ensure adequate protection of its sensitive and mission-critical data without configuring its sensitive web application in accordance with the Security Standard. Lacking or insufficient procedures and processes to manage the web application contributed to the five weaknesses outlined in the separate FOIAE document. Social Services' prioritization of other projects also contributed to the weaknesses persisting.

Social Services should dedicate the necessary resources to remediate the weaknesses discussed in the communication marked FOIAE in accordance with the requirements in the Security Standard.
Implementing required controls will help to ensure Social Services secures the web application to protect its sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-030: Continue Improving IT Risk Management Program
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-026; 2020-027; 2019-063; 2018-025
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Contingency Planning; Planning; Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to not have a formal and effective IT risk management program that aligns with the requirements in the Security Standard. Since we first issued this finding during the fiscal year 2018 audit, Social Services remediated some risk management and contingency planning issues. However, Social Services continues to not:

• accurately verify and validate data and system sensitivity ratings;
• create risk assessments for 50 percent of its sensitive systems;
• create system security plans for 52 percent of its sensitive systems;
• perform annual reviews for 99 percent of its existing risk assessment documentation;
• perform annual reviews for 74 percent of its existing system security plan documentation; and
• implement corrective actions identified in risk assessments.

We communicated the details of these weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Due to the magnitude of the project, Social Services has not yet remediated all the weaknesses.
Additionally, the requirements documented in the policy and the process documented in the procedure do not align, which contributed to Social Services not consistently completing risk management documentation due to conflicting roles and responsibilities. Without implementing a formal and effective IT risk management program, Social Services cannot assure itself that it is reducing unnecessary risk to the confidentiality, integrity, and availability of its information systems and data.

Social Services should prioritize and dedicate the necessary resources to remediate the weaknesses discussed in the communication marked FOIAE in accordance with the requirements in the Security Standard. Completing its corrective action plan will help to ensure the confidentiality, integrity, and availability of the agency's sensitive systems and mission-essential functions.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-052: Continue Improving IT Change and Configuration Management Process
Applicable to: Department of Social Services
Prior Year Finding Number: 2021-049; 2020-044; 2019-038
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Configuration Management
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to improve its IT change and configuration management process to align with the Security Standard. Change management is a key control to evaluate, approve, and verify configuration changes to security components. Two weaknesses remain since our last review, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

Social Services' Change Management Process Guide details the process Social Services follows to manage changes but does not include all the required elements, which contributed to the weaknesses remaining. Additionally, the change request form does not have the necessary fields to document the required elements. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Without doing so, Social Services cannot assure itself that it is reducing unnecessary risk to the confidentiality, integrity, and availability of its information systems and data.

Social Services should resolve the remaining two weaknesses discussed in the communication marked FOIAE in accordance with the Security Standard.
Continuing to improve Social Services' IT change and configuration management process will decrease the risk of unauthorized modifications to sensitive systems and help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-057: Improve Timely Removal of Critical System Access
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: 2021-037; 2020-049; 2019-024; 2018-040; 2017-016
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Personnel Security
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services did not remove access to the claims processing module or the eligibility system timely for individuals who separated from the agency and no longer needed access. For one out of eight (12.5%) users, Medical Assistance Services did not disable system access in the claims processing module within 24 hours of separation. The user retained their system access for 11 days after separation. For three out of 25 (12%) users, Medical Assistance Services did not disable system access in the eligibility system within 24 hours of separation. These three users were contract employees and retained their access to the system between 104 and 123 days after separation.

Medical Assistance Services' Access Control Policy requires that "all user accounts must be disabled immediately upon separation or within 24 hours upon receipt by the Office of Compliance and Security" (Compliance and Security). Failing to disable access timely for web-based mission-critical systems threatens the data integrity of the systems. If separated users retain access to the claims processing module or the eligibility system, users are potentially able to view, copy, and edit sensitive information.

There are several factors contributing to this issue.
First, Medical Assistance Services' internal policy is not in compliance with the Security Standard. The Security Standard requires agencies disable access within 24 hours of separation, not within 24 hours of receipt of notification. Additionally, supervisors are not communicating information on separated employees timely. A separating employee's supervisor must initiate an exit clearance workflow for the system to automatically notify Compliance and Security for removal of system access. For the user of the claims processing module, the supervisor requested access termination more than 24 hours after the employee's separation. Finally, for the three users of the eligibility system, Compliance and Security received the access termination request timely but did not terminate access for more than 24 hours after receipt. In June 2022, Medical Assistance Services implemented several organizational changes, including dissolving Compliance and Security. The responsibility for system access management moved to the division responsible for the system and its applicable business function. Medical Assistance Services is currently updating its internal Access Control policy to ensure it is consistent with the Security Standard and organizational updates. Medical Assistance Services expects to complete the policy and process updates in December 2022. Medical Assistance Services should also train and educate supervisors on the importance of timely notification of separated employees. Finally, Medical Assistance Services should ensure compliance with the Security Standard by removing user access as required. Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-059: Monitor Internal Controls to Ensure Timely Removal of System Access

Applicable to: Department of Social Services
Prior Year Finding Number: 2021-038; 2021-027; 2020-025; 2019-027; 2018-042
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Personnel Security
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services did not comply with the Security Standard requirements for removing system access for separated employees. For 13 of the 26 (50%) separations tested from fiscal year 2022, Social Services did not remove system access within 24 hours following each employee's separation date. Untimely removal of access ranged between two and 290 days after each employee's separation date.

Section PS-4 of the Security Standard requires an organization to disable information system access within 24 hours of employment termination. To comply with the Security Standard, Social Services created a policy in Section 2.9 of its State/Local Security Officers Procedures Manual (Manual) that requires supervisors to complete the State Employee Separation and Transfer Checklist (Separation Checklist) at least 48 hours in advance of the employee's separation and submit it to the Division Security Officer. The Division Security Officer must then remove the separated employee from Social Services' access management system, which controls access to its internal systems, within 24 hours following the employee's separation date. Upon completion, the Division Security Officer is responsible for submitting the Separation Checklist to other Divisions, such as the Division of Human Resources (Human Resources) and the Central Security Office (Central Security), to make them aware of the separation.

Social Services does not appear to monitor compliance with internal policies surrounding access removal for separated employees. Of the 13 employees with access removed more than 24 hours after their separation dates:

• We noted four instances where Social Services was unable to provide the Separation Checklist. As a result, Social Services was unable to demonstrate compliance with its internal policies surrounding access removal for separated employees.
• Of the remaining nine employees with completed Separation Checklists, we noted nine instances of untimely or inaccurate supervisor sign-offs. Specifically, there were seven instances where the supervisor did not submit the Separation Checklist to the Division Security Officer at least 48 hours in advance of the employee's date of separation and two instances where the supervisor did not properly sign off and date the Separation Checklist.

Social Services administers numerous public assistance programs that collect personally identifiable information and other protected information from beneficiaries. Social Services places its data and reputation at risk by not removing access timely. Additionally, Social Services could incur a potential financial liability should its information become compromised. The Security Standard states that the Agency Head is responsible for security of the agency's IT systems and data. Since Human Resources, Central Security, and the Division Security Officers share ownership of the employee separation and access removal processes, Social Services' Executive Team should identify which division in the agency should be responsible for monitoring compliance with internal policies surrounding access removal for separated employees. Social Services' Executive Team should periodically review the monitoring results and take enforcement actions, as necessary, if the agency is not compliant.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
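The 24-hour access removal control described in findings 2022-057 and 2022-059 can be tested mechanically rather than by sampling files. The script below is an added example, not part of the audit report or of any agency's tooling: it joins a constructed HR separation export with constructed account-disable audit lines and Separation Checklist submission dates, then flags each separation that misses the 24-hour removal window (Security Standard PS-4), the 48-hour advance checklist rule, or has no checklist at all, and reports the result in the report's "x of y (z%)" form. Every employee, account, timestamp and field layout is a constructed assumption.

```python
"""Timeliness check for access removal after employee separation.

Added example (not from the audit report). Joins a constructed HR
separation export with constructed account-disable audit lines and
Separation Checklist submission dates, then flags each separation that
misses the 24-hour removal window (Security Standard PS-4) or the
agency's 48-hour advance checklist rule. All names, accounts, dates and
field layouts below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

DISABLE_WINDOW = timedelta(hours=24)   # PS-4: disable access within 24 hours of separation
CHECKLIST_LEAD = timedelta(hours=48)   # internal policy: checklist submitted 48 hours in advance


@dataclass
class Separation:
    employee_id: str
    account: str                        # login name in the access management system
    separated_at: datetime              # effective separation date/time from HR
    checklist_submitted_at: Optional[datetime] = None


@dataclass
class Finding:
    employee_id: str
    issues: list = field(default_factory=list)


# Constructed HR export: three separations in fiscal year 2022.
SEPARATIONS = [
    Separation("E1001", "asmith", datetime(2022, 3, 1, 17), datetime(2022, 2, 25, 9)),
    Separation("E1002", "bjones", datetime(2022, 3, 4, 17), datetime(2022, 3, 4, 10)),
    Separation("E1003", "ctaylor-ctr", datetime(2022, 1, 10, 17), None),  # contractor, no checklist
]

# Constructed audit lines from the access management system: timestamp,account,action
DISABLE_LOG = """\
2022-03-02T08:00:00,asmith,account_disabled
2022-03-10T09:15:00,asmith,account_disabled
2022-03-15T12:00:00,bjones,account_disabled
2022-03-15T12:01:00,dlee,account_disabled
"""
AS_OF = datetime(2022, 6, 30)           # fiscal year end, used for accounts still enabled


def parse_disable_events(log_text):
    """Return {account: earliest disable time} parsed from the audit lines."""
    disabled = {}
    for line in log_text.strip().splitlines():
        ts, account, action = [p.strip() for p in line.split(",")]
        if action != "account_disabled":
            continue
        when = datetime.fromisoformat(ts)
        if account not in disabled or when < disabled[account]:
            disabled[account] = when
    return disabled


def review_separations(separations, disable_events, as_of):
    """Flag every separation that violates the checklist or 24-hour rules."""
    findings = []
    for sep in separations:
        issues = []
        if sep.checklist_submitted_at is None:
            issues.append("separation checklist missing")
        elif sep.separated_at - sep.checklist_submitted_at < CHECKLIST_LEAD:
            issues.append("checklist submitted less than 48 hours before separation")
        disabled_at = disable_events.get(sep.account)
        if disabled_at is None:
            days = (as_of - sep.separated_at).days
            issues.append(f"account still enabled {days} days after separation")
        elif disabled_at - sep.separated_at > DISABLE_WINDOW:
            days = (disabled_at - sep.separated_at).days
            issues.append(f"access removed {days} days after separation (limit 24 hours)")
        if issues:
            findings.append(Finding(sep.employee_id, issues))
    return findings


def summarize(separations, findings):
    """Return (noncompliant, total, percent) in the report's 'x of y (z%)' form."""
    total = len(separations)
    bad = len(findings)
    return bad, total, (round(100 * bad / total) if total else 0)


def run_sample():
    return review_separations(SEPARATIONS, parse_disable_events(DISABLE_LOG), AS_OF)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f.employee_id, "; ".join(f.issues))
    print("%d of %d (%d%%) separations noncompliant" % summarize(SEPARATIONS, results))
```

The check uses the earliest disable event per account so that a later re-disable (for example after a password reset reopened the account) does not hide an initial miss, and it treats an account with no disable event at all as the worst case, measured against the review date, which is how the 104-to-123-day contractor cases in 2022-057 would surface.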
2022-060: Upgrade End-of-Life Technology

Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services uses end-of-life technologies in its IT environment and maintains technologies that support mission-essential data on IT systems that its vendors no longer support. We communicated internal control weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

The Security Standard prohibits using software that is end-of-life and which the vendor no longer supports to reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services' information systems and data. Social Services does not assign an individual or team with the responsibility to track end-of-life software dates and does not have a formal process to ensure that it upgrades software versions prior to the end-of-life date, which caused the end-of-life software to remain in the environment.

Social Services' use of the end-of-life software increases the risk that known vulnerabilities will persist in the system without the potential for patching or mitigation. These unpatched vulnerabilities increase the risk of successful cyberattack, exploit, and data breach by malicious parties. Further, vendors do not offer operational and technical support for end-of-life or end-of-support technology, which affects data availability by increasing the difficulty of restoring system functionality if a technical failure occurs.

Social Services should dedicate the necessary resources to evaluate and implement the internal controls and recommendations discussed in the communication marked FOIAE in accordance with the Security Standard. Minimizing the use of end-of-life software will help to ensure that Social Services secures its IT environment and systems to protect its sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
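Finding 2022-060 turns on the absence of anyone tracking vendor end-of-life dates. The script below is an added example, not part of the audit report or of Social Services' tooling, of the kind of tracker that closes that gap: it matches a constructed software inventory against a constructed table of vendor end-of-support dates, classifies each entry as past end-of-life, approaching it within a lead time, supported, or unknown (no date on file, which is itself an item to chase), and groups the items needing action by owning team. Product names, versions, hosts, owners and dates are constructed placeholders, not any real vendor schedule.

```python
"""End-of-life software tracker (added, constructed example).

Matches a software inventory against a table of vendor end-of-life dates
and classifies each entry. Products, versions, hosts, owners and dates
are constructed placeholders, not a real vendor schedule.
"""
import csv
import io
from datetime import date, timedelta

# Constructed EOL table: (product, major version) -> vendor end-of-support date.
EOL_DATES = {
    ("ExampleOS", "7"): date(2020, 6, 30),
    ("ExampleOS", "8"): date(2024, 5, 31),
    ("ExampleDB", "11"): date(2022, 11, 9),
    ("ExampleDB", "14"): date(2026, 11, 12),
}

# Constructed inventory export (CSV with a header row).
INVENTORY = """\
host,product,version,owner
app01,ExampleOS,7.9,platform-team
app02,ExampleOS,8.6,platform-team
db01,ExampleDB,11.4,dba-team
db02,ExampleDB,14.2,dba-team
web01,ExampleWeb,2.4,web-team
"""


def major_version(version):
    """Vendors usually publish EOL per major line, so key on the first component."""
    return version.split(".")[0]


def classify(product, version, today, lead):
    """Return (status, days): days past EOL, or days remaining until it."""
    eol = EOL_DATES.get((product, major_version(version)))
    if eol is None:
        return "unknown", None              # nobody has recorded a date: chase the vendor
    if eol < today:
        return "past-eol", (today - eol).days
    if eol - today <= lead:
        return "approaching", (eol - today).days
    return "supported", (eol - today).days


def assess_inventory(csv_text, today, lead=timedelta(days=180)):
    """Bucket every inventory row by EOL status."""
    report = {"past-eol": [], "approaching": [], "supported": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status, days = classify(row["product"], row["version"], today, lead)
        report[status].append({
            "host": row["host"], "product": row["product"],
            "version": row["version"], "owner": row["owner"], "days": days,
        })
    return report


def owners_to_notify(report):
    """Group hosts that need an upgrade plan (past or approaching EOL) by owning team."""
    out = {}
    for status in ("past-eol", "approaching"):
        for entry in report[status]:
            out.setdefault(entry["owner"], []).append(entry["host"])
    return out


if __name__ == "__main__":
    rpt = assess_inventory(INVENTORY, date(2022, 6, 30))
    for status, entries in rpt.items():
        for e in entries:
            print(f"{status:12} {e['host']:6} {e['product']} {e['version']} ({e['owner']}) days={e['days']}")
    print(owners_to_notify(rpt))
```

The 180-day lead time is an assumption chosen so that an upgrade can be scheduled before support lapses; the "unknown" bucket is deliberately separate from "supported" so that a product nobody has looked up is never reported as safe.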
2022-064: Continue Developing Record Retention Requirements and Processes for Electronic Records

Applicable to: Department of Social Services
Prior Year Finding Number: 2021-047; 2020-041; 2019-049; 2018-054
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Contingency Planning
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to operate without an adequate data retention process for its case management system. Social Services' case management system authorized over $10 billion in benefit payments from various public assistance programs to beneficiaries during fiscal year 2022. We communicated this weakness to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

Since fiscal year 2019, Social Services gathered retention requirements from the business divisions. During the fiscal year, Social Services finalized and documented policies with retention requirements. However, Social Services has not developed, documented, and implemented a policy, procedure, and process to operationalize the record retention requirements needed.

Federal regulations require different record retention requirements for different federal programs. Additionally, the Virginia Public Records Act (§ 42.1-91 of the Code of Virginia) requires each agency to be responsible for ensuring that it preserves, maintains, and makes accessible public-facing records throughout their lifecycle, including converting and migrating electronic records as often as necessary so that information is not lost due to hardware, software, or media obsolescence or deterioration. Further, the Security Standard, Section CP-9-COV, requires the agency implement backup and restoration plans for every IT system identified as sensitive relative to availability that address the retention of the data in accordance with the records retention policy.

Without developing, documenting, and implementing a policy, procedure, and process to operationalize record retention requirements, Social Services increases data risk and increases potential exposure to fines, penalties, or other legal consequences. Additionally, Social Services may cause the Commonwealth to spend additional resources to maintain, back up, and protect the information.

Social Services should develop and implement a records retention policy and procedure that defines its requirements and processes to ensure that consistent record retention processes can be operationalized across business divisions to ensure compliance with laws and regulations.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-066: Conduct Audits of Agency Sensitive Systems Timely

Applicable to: Virginia Information Technologies Agency
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

VITA's Centralized IT Security Audit Service (Audit Services) conducts IT security audits for contracted agencies. The Commonwealth's Information Technology Security Audit Standard, SEC 502 (Security Audit Standard), Section 2.1, requires agencies to complete security audits for each sensitive system every three years from the last audit completion date. Based on our review of audit completion dates provided by Audit Services, we determined the following:

• During fiscal year 2022, Audit Services completed four of six agency IT security audits after the three-year audit deadline.
• As of June 30, 2022, Audit Services is currently engaged, or has not started, ten agency IT security audits that are past the three-year audit requirement.

When an agency contracts with Audit Services, the agency head or designee signs a Memorandum of Understanding (MOU) which outlines the scope of work and pricing. It is the agency's responsibility to ensure the MOU includes all sensitive systems requiring a security audit. A properly defined MOU allows Audit Services to properly price and schedule the security audit. Audit Services audits all the systems in scope for an agency at the same time and issues one audit report covering all systems in scope per the MOU. Audit Services should consider adding information to the MOU related to audit deadlines or planned timeframe for the audit. This added communication will ensure all parties understand when Audit Services plans to complete the audits. Additionally, more information regarding audit timing will allow agencies to determine if they need to obtain a separate audit for specific systems to ensure those systems remain compliant with the Security Audit Standard between the date of the MOU and the anticipated deadline set by Audit Services.

Of the four audits Audit Services completed late during fiscal year 2022, two of the delays are due to the agencies requesting postponements. Additionally, of the ten audits that were already late as of June 30, 2022, two are due to agency-requested postponements. The remaining late audits are primarily due to resource constraints within Audit Services. Audit Services should regularly monitor its audit workplan to ensure audit staff complete all IT security audits by the required deadlines. Additionally, Audit Services should evaluate its staffing levels and assess if VITA should contract with an outside audit firm to aid in completing IT security audits.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-090: Improve Third-Party Oversight Process

Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Medical Assistance Services does not have a formal and consistent process for maintaining oversight for three of its IT third-party service providers (providers) that manage and support the Medicaid management system. As a result of an informal and inconsistent process, Medical Assistance Services did not verify or implement three controls required by the Hosted Environment Security Standard. We communicated the three weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms.

Without a formal and consistent process to maintain oversight of its providers, Medical Assistance Services cannot validate whether its providers implement the security controls that meet the requirements in the Hosted Environment Security Standard to protect the agency's sensitive and mission-critical data. While Medical Assistance Services has a formal IT Third Party and Vendor Compliance Management Policy, effective as of December 31, 2021, the agency experienced turnover in its ISO position in June 2022 before the development of a formal procedure. As a result, Medical Assistance Services did not consistently maintain oversight of its providers in accordance with the Hosted Environment Security Standard.

Medical Assistance Services should dedicate the necessary resources to develop a formal procedure to maintain oversight of its providers in accordance with its policy and the Hosted Environment Security Standard. Medical Assistance Services should also dedicate the necessary resources to implement and consistently perform the formal oversight process, which will help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
2022-100: Continue to Ensure ITISP Suppliers Meet all Contractual Requirements

Applicable to: Virginia Information Technologies Agency
Prior Year Finding Number: 2021-023; 2020-070
Type of Finding: Internal Control
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 (COVID-19)
Federal Award Number and Year: 2205VA5MAP - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Although VITA is monitoring and enforcing the contractual requirements each month, as of June 2022, there were still cases of Information Technology Infrastructure Services Program (ITISP) suppliers not meeting the minimum requirements. When ITISP suppliers do not meet all contractual requirements (e.g., key measures, critical service levels, deliverables), it impacts the ability of Commonwealth agencies that rely on the ITISP services to comply with the Security Standard. The Security Standard is a baseline for information security and risk management activities for Commonwealth agencies. Many agencies rely on services provided through the ITISP suppliers to ensure compliance with the Security Standard.

For example, the Security Standard requires the installation of security-relevant software updates within 90 days of release (Security Standard Section: SI-2 Flaw Remediation). Commonwealth agencies rely on the ITISP suppliers for the installation of security patches in systems that support agencies' operations. Our audits at various agencies for fiscal year 2022 found critical and highly important security patches that were past the 90-day Security Standard requirement. The systems missing critical security updates are at an increased risk of successful cyberattack, exploit, and data breach by malicious parties.

Additionally, the Security Standard requires agencies to review and analyze audit records at least every 30 days for indications of inappropriate or unusual activity (Security Standard Section: AU-6 Audit Review, Analysis, and Reporting). Our audits of various agencies for fiscal year 2022 found that agencies rely on the ITISP suppliers to provide access to a centralized monitoring tool that collects audit log information about activities in the IT environment. Certain agencies were unable to obtain access to the audit log information during fiscal year 2022, and thus were not able to comply with the Security Standard requirements related to audit log monitoring. Although the supplier was performing audit logging and monitoring, only a select few agencies have access to the monitoring tool while the supplier is pilot testing the tool. The Commonwealth's risk associated with data confidentiality, integrity and availability increases with agencies not being able to review and monitor their individual audit logs.

During fiscal year 2022, VITA and the Multisource Service Integrator (MSI) evaluated the current service level measurements to ensure they align with the Commonwealth's needs. As of December 2022, VITA and the MSI are implementing changes to the service level related to security and vulnerability patching. The changes to this service level include establishing a Common Vulnerabilities and Exposures (CVE) threshold. The new security and vulnerability patching service level will require the ITISP suppliers to install any patch with a CVE score above the threshold within 90 days. VITA continues to work with the managed security supplier to address the agencies' inability to access the audit log information. The supplier replaced the original security incident and event management system with a new managed detection and response (MDR) platform. Currently, only a small number of agencies are piloting the new MDR system.

VITA should document the rationale for all changes to the service levels, including the basis for the CVE score threshold selected, and continually reevaluate the service levels as risks change. To ensure all agencies that rely on the ITISP services can comply with the Security Standard, VITA should ensure ITISP suppliers meet all contractual requirements (e.g., key measures, critical service levels, deliverables). To aid in determining which requirements have Security Standard implications, VITA should crosswalk contractual requirements to the Security Standard. A crosswalk will help in identifying which requirements, if not met, could put an agency at risk per the Security Standard. If VITA determines an ITISP supplier is not meeting a contractual requirement that may have a Security Standard implication, VITA should communicate with the affected agencies and provide guidance on compensating controls and processes the agencies should implement to reduce risk while the suppliers work to meet the requirements of the contract.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.
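Finding 2022-100 describes a patching service level with two parameters: the SI-2 90-day window and a CVE score threshold that decides which findings the window applies to. The script below is an added example, not part of the audit report or of VITA's or the MSI's tooling, showing how an agency can measure a supplier against that service level from its own vulnerability scan export, and how the choice of threshold changes what counts as overdue, which is the rationale the report asks VITA to document. The scan rows, CVE identifiers (deliberately labelled EXAMPLE), CVSS scores and dates are all constructed; whether a score exactly equal to the threshold is in scope is an assumption that the real service level would have to define.

```python
"""Patch service-level check against a CVSS threshold (added, constructed example).

Evaluates vulnerability findings against the SI-2 rule that security
updates are installed within 90 days of release, restricted to findings
whose CVSS score meets a threshold. All scan rows, CVE ids, scores and
dates are constructed placeholders.
"""
import csv
import io
from datetime import date, timedelta

SLA = timedelta(days=90)   # Security Standard SI-2: security updates within 90 days of release

# Constructed scan export: one row per open or closed finding on a host.
SCAN_EXPORT = """\
host,cve,cvss,patch_released,remediated
web01,CVE-EXAMPLE-0001,9.8,2022-01-15,2022-02-10
web01,CVE-EXAMPLE-0002,7.5,2022-02-01,2022-06-01
db01,CVE-EXAMPLE-0003,8.1,2022-03-01,
db01,CVE-EXAMPLE-0004,5.3,2022-03-01,
app01,CVE-EXAMPLE-0005,7.2,2022-06-01,
"""


def parse_scan(csv_text):
    """Turn the CSV export into typed rows; an empty 'remediated' column means still open."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "host": r["host"],
            "cve": r["cve"],
            "cvss": float(r["cvss"]),
            "released": date.fromisoformat(r["patch_released"]),
            "remediated": date.fromisoformat(r["remediated"]) if r["remediated"] else None,
        })
    return rows


def sla_status(finding, today):
    """Classify one finding relative to its 90-day deadline."""
    deadline = finding["released"] + SLA
    if finding["remediated"] is None:
        return "overdue" if today > deadline else "open-within-sla"
    return "remediated-on-time" if finding["remediated"] <= deadline else "remediated-late"


def evaluate(findings, today, threshold):
    """Map each in-scope CVE (score >= threshold, an assumption) to its SLA status."""
    statuses = {}
    for f in findings:
        if f["cvss"] < threshold:
            continue                      # below the service-level threshold: not measured
        statuses[f["cve"]] = sla_status(f, today)
    return statuses


def summarize(statuses):
    """Count findings per status, the figure a monthly supplier report would carry."""
    counts = {}
    for s in statuses.values():
        counts[s] = counts.get(s, 0) + 1
    return counts


def overdue_by_threshold(findings, today, thresholds):
    """Show how many open findings fall out of scope at each candidate threshold."""
    return {t: sum(1 for s in evaluate(findings, today, t).values() if s == "overdue")
            for t in thresholds}


if __name__ == "__main__":
    today = date(2022, 6, 30)
    findings = parse_scan(SCAN_EXPORT)
    statuses = evaluate(findings, today, threshold=7.0)
    for cve, status in statuses.items():
        print(f"{cve}: {status}")
    print(summarize(statuses))
    print(overdue_by_threshold(findings, today, [4.0, 7.0, 9.0]))
```

Running `overdue_by_threshold` with a few candidate thresholds makes the trade-off visible: raising the threshold shrinks the supplier's overdue count without changing a single patch date, so the chosen value and its reasoning belong in the service-level documentation the report recommends.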
2022-107: Complete FFATA Reporting for First Tier SABG Subawards

Applicable to: Department of Behavioral Health and Developmental Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
ALPT or Cluster Name and ALN: Block Grants for Prevention and Treatment of Substance Abuse - 93.959 (COVID-19)
Federal Award Number and Year: B08TI083056 - 2022
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Reporting - 2 CFR Part 170 Appendix A
Known Questioned Costs: $0

DBHDS Office of Fiscal and Grants Management (Fiscal and Grants Management) is not completing FFATA reporting for Community Service Boards (CSB) that received funding from the Substance Abuse Block Grant (SABG) federal grant program. During state fiscal year 2022, DBHDS disbursed approximately $62.2 million in SABG funds to CSBs. This total represents approximately 92 percent of the SABG federal grant program's expenses for state fiscal year 2022.

Title 2 CFR Part 170 Appendix A requires the non-federal entity to report each obligating action, exceeding $30,000, to FSRS. Fiscal and Grants Management identified the reporting requirements in its policies and procedures for FFATA reporting and completed FFATA reporting for its other subrecipients. However, Fiscal and Grants Management was unable to complete FFATA reporting for CSBs because of staffing shortages. Additionally, Fiscal and Grants Management did not have all the information it needed to complete FFATA reporting because it was still working with the DBHDS Office of Enterprise Management Services (Enterprise Management Services) to ensure the performance contracts with CSBs included all information necessary for FFATA reporting. Not reporting to FSRS could result in a citizen or federal official having a distorted view as to how DBHDS is obligating federal funds from the SABG federal grant program.

Fiscal and Grants Management should dedicate the necessary resources to fulfill its FFATA reporting responsibilities for the SABG federal grant program. Additionally, Fiscal and Grants Management should continue to work with Enterprise Management Services to ensure the performance contracts with CSBs include all required information necessary for FFATA reporting. Finally, Fiscal and Grants Management should evaluate whether it is fulfilling its FFATA reporting responsibilities for DBHDS's other federal grant programs.

Views of Responsible Officials: Views of responsible officials are in the report related to their agency, which can be found at www.apa.virginia.gov. In summary, the views of responsible officials in the agency report do not express a disagreement with the finding.