Finding 2025-034 Compliance with Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility for Medicaid The Department is responsible for ensuring that all of its expenditures under the Medicaid program [ALN 93.778] are appropriate, and that it complies with federal and state program requirements. In Colorado, the responsibility for determining recipient eligibility for Medicaid program benefits is shared between local counties, designated Medical Assistance eligibility sites (MA sites), and the Department (in this case, the State). Individuals and families apply for Medicaid benefits at their local county departments of human/social services, designated MA sites, or online through the Department’s Program Eligibility and Application Kit (PEAK) system. Local counties and MA sites are responsible for administering the benefits application process, reviewing the PEAK system for application data, entering the required data for eligibility determination into the Colorado Benefits Management System (CBMS), and approving or denying an applicant’s eligibility based on program criteria. Federal regulations require state medical assistance programs to renew a beneficiary’s eligibility once every 12 months to determine whether the beneficiary continues to qualify for benefits (also known as redetermination). States must first attempt to redetermine the beneficiary’s eligibility based on information the Department has available at the time, either from the beneficiary’s case file or other electronic data sources, like PEAK and CBMS, without requiring information from the beneficiary. This is called an “ex parte” renewal. If sufficient information is available, the Department can renew eligibility on an ex parte basis and notify the beneficiary that their coverage has been renewed. If sufficient information is not available, the Department will provide the beneficiary with a renewal form and request any additional documentation needed to determine eligibility. Once the renewal forms are completed and returned to the Department for processing, the caseworker enters the applicant’s information into CBMS, and, once all required information is entered, they can mark the application as complete. At that point, CBMS determines the applicant’s eligibility based on the information entered. If the application is incomplete, a caseworker is responsible for contacting the individual to assist with completing their application. An eligible beneficiary’s income and countable resources cannot exceed a limit set by federal and state regulations. CBMS has a system check to mark eligibility as “fail” if the applicant’s reported income exceeds the limit. Eligibility data from CBMS feeds into the Colorado interChange system (Colorado interChange), which issues payments to Medicaid providers for the services that they provide to Medicaid beneficiaries. The Department pays for Medicaid services through one of two reimbursement methods: (1) fee-for-service (FFS) payments for specific services rendered or (2) capitation payments, monthly fixed payments that are paid to managed care entities (MCEs). Once a beneficiary is determined eligible, then they determine whether to enroll in FFS or an MCE. FFS reimbursements are paid directly to providers for services rendered. Capitation payments are paid to MCEs, which are groups or organizations of medical service providers who contract with a network of providers for services. The Department pays monthly capitation payments to MCEs on behalf of beneficiaries based on the number of eligible beneficiaries enrolled in its plan. These payments are made to the MCE regardless of whether the beneficiaries receive medical services during the month. Colorado interChange is programmed to pay the FFS and monthly capitation payments only on behalf of beneficiaries deemed eligible in Colorado interChange based on eligibility information received from CBMS and requirements specified in federal and state rules and regulations. The Department is responsible for supervising and monitoring the local counties’ and MA sites’ administration of Medicaid eligibility determinations. The Department is also responsible for ensuring that it only provides Medicaid payments to eligible providers for providing allowable services on behalf of Medicaid-eligible individuals. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had appropriate internal controls over and complied with applicable federal and state Medicaid eligibility requirements during Fiscal Year 2025. Another purpose of our audit work was to determine whether the Department implemented our Fiscal Year 2023 audit recommendation to ensure local counties and MA site caseworkers are appropriately trained and are held to required timelines for processing beneficiary applications, using the correct income thresholds to determine eligibility, and maintaining the required documentation to support eligibility in the case file. The Department planned to implement this recommendation by January 2025. During our audit, we performed testing related to the Department’s Medicaid eligibility internal controls in place during Fiscal Year 2025. In addition, we performed specific testing on a random nonstatistical sample of 125 beneficiaries to determine if they were properly deemed eligible for and received Medicaid benefits during Fiscal Year 2025. Our sampling methodology, including the strata and sample sizes, was developed based on our risk assessment procedures and included the following procedures: *We obtained a listing of Medicaid FFS claims that were submitted by providers and paid by the Department during Fiscal Year 2025 and a listing of capitation payments made to MCEs on behalf of Medicaid-eligible individuals during Fiscal Year 2025. The Department pulled this data from the Colorado interChange claims system. • We summarized each listing by Medicaid ID numbers (ID), and removed any IDs for which total payments and adjustments netted to $0, which can happen when the Department catches and fixes payments made in error. This resulted in two populations: (1) a population of capitation payments totaling $2,156,417,706, made on behalf of 1,398,794 individual beneficiaries, and (2) a population of FFS claims totaling $10,553,035,025, made on behalf of 1,018,911 individual beneficiaries. • We stratified our population, as shown in the following table, into six strata defined by the total amount of payments for each unique ID. As part of our analysis, we noted FFS beneficiaries represented 42 percent of the total number of individual beneficiaries who had payments made on their behalf during Fiscal Year 2025, and beneficiaries with capitation payments represented 58 percent of the total number of individual beneficiaries who had capitation payments made on their behalf during Fiscal Year 2025. Although FFS claims represented only 42 percent of the total number of individual beneficiaries, they represented 83 percent of the total dollar amount of all claims and individual capitation payments made during Fiscal Year 2025. As such, we stratified the data with two strata for capitation payments and four strata for FFS payments. We selected 26 capitation samples and 99 FFS samples from the strata for a total sample of 125 payments for beneficiaries. • For each sampled ID, we tested eligibility covering the dates of service for every Fiscal Year 2025 payment made on the beneficiary’s behalf. See " Schedule of Findings and Questioned Costs" for table/chart. Our testing included reviewing each payment’s supporting documentation, which included case files, information in CBMS data fields related to eligibility determination/redetermination, and Medicaid payment information in Colorado interChange. We performed testwork to determine whether the Department ensured that local county and MA site caseworkers obtained and maintained the required documents that supported eligibility determinations in the case files, correctly entered eligibility data into CBMS, and determined eligibility in a timely manner. What problems did the audit work identify and how were the results measured? Based on the testwork performed, we determined that the Department is still in the process of fully implementing our Fiscal Year 2023 recommendation. While we did not identify any errors related to processing beneficiary applications within the required timeframes, we continued to identify issues related to missing case file documentation and income calculations. We identified at least one error in 7 of the 125 Medicaid case files tested (6 percent). These errors resulted in a total of $240,606 in known federal and state questioned costs for Fiscal Year 2025 ($120,302 in federal costs and $120,304 in state costs). Specifically, we found the following: • Missing Case File Documentation. In three cases, we determined the case file did not have documentation to support income and/or resources, such as wage stubs or bank statements, which are necessary to support the Medicaid eligibility determination, as required by federal and state regulations. This resulted in known questioned costs of $237,745 ($118,872 in federal costs and $118,873 in state costs). Federal regulation [420 CFR 435.914] requires the Department to obtain and maintain documentation to support each beneficiary’s Medicaid eligibility determination. State regulation [10 CCR 2505-10, 8.100.4.B] notes that income may be self-attested by an applicant or member and verified through an electronic data source. If the self-attested income cannot be verified electronically, the applicant must provide documentation of income. Earned income must be verified by wage stubs, tax documents, written documentation from the employer stating the employee’s gross income, or through a telephone call to an employer. State regulation [10 CCR 2505-10, 8.100.7.A] notes that applicants receiving long-term case services under the 300% Institutionalized Special Income category must conform with the regulations regarding resource limits and exemptions set forth in section 10 CCR 2505-10, 8- 100.5, which notes that the resource limit for these long-term care individuals is $2,000. State regulation [10 CCR 2505-10, 8.100.5.M] notes that the resource limit for individuals receiving Home and Community Based Services assistance is $2,000. • Issues with Income Calculations. In four cases, we identified issues with the income calculation used to support the Medicaid eligibility determination, as required by federal and state regulations. Specifically, we found the following: III-8 Colorado Office of the State Auditor In two cases, the incorrect number of household members was entered into CBMS, which caused the incorrect income threshold to be used in the income calculation. In addition, one of these cases also incorrectly excluded reportable income in the member’s income calculation. These issues resulted in known questioned costs of $725 ($362 in federal costs and $363 in state costs). In two cases, out-of-date income information was used in the calculation. We noted in both instances, CBMS had current income information that was not used in the income calculation. For one of those cases, if the correct income was used in the calculation, the members’ total income would have been over the eligibility limit. This resulted in known questioned costs of $2,136 ($1,068 in federal costs and $1,068 in state costs). Federal regulation [42 CFR 435.119] requires household income to be at or below 133 percent threshold of the federal poverty level. State regulation [10 CCR 2505-10, 8.100.4.G.4] notes that adults applying for medical assistance shall be determined financially eligible for medical assistance as long as their total household income does not exceed 133% of the federal poverty level. State regulation [10 CCR 2505-10, 8.100.4.C] notes that the financial eligibility of applicants for medical assistance shall be determined based on current or previous monthly household income and family size. The Modified Adjusted Gross Income calculation for the purposes of determining a household’s financial eligibility shall consist of, but is not limited to, earned income in the form of wages, salaries, and tips. Why did these problems occur? We determined that the Department’s existing internal controls over the income calculations and income and resource documentation requirements, which are necessary for Medicaid eligibility determinations, did not ensure caseworkers were determining eligibility appropriately, and in accordance with federal and state regulations. Specifically, caseworkers were not adequately trained or held accountable for ensuring that (1) the required documentation to support the income calculation was maintained within the case file, (2) current income and resource information is used when calculating monthly income and resource amounts, and (3) the correct household composition is used when determining eligibility. Why do these problems matter? As the state department responsible for ensuring that all Medicaid expenditures are appropriate, it is essential for the Department to ensure that eligibility determinations are made appropriately and in accordance with federal and state regulations. This includes ensuring that inaccurate processing of information used to determine Medicaid eligibility does not result in Medicaid benefits being provided to, and paid on behalf of, ineligible individuals, or that eligible individuals are denied benefits. Ultimately, the federal government may disallow federal funds for Medicaid program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See " Schedule of Findings and Questioned Costs" for table/chart. Recommendation 2025-034 The Department of Health Care Policy and Financing should strengthen its internal controls over the income calculation and income and resource documentation requirements that are necessary for Medicaid eligibility determinations to ensure eligibility is determined appropriately and in accordance with federal and state regulations. This should include ensuring that (1) local counties and Medical Assistance site caseworkers are sufficiently trained to maintain the required documentation to support eligibility in the case file, (2) current income and resource information is used when calculating monthly income and resource amounts, and (3) the correct household composition is used when determining eligibility. Response Department of Health Care Policy and Financing Agree Implementation Date: February 2027 The Department agrees with the recommendation and will strengthen internal controls over Medicaid eligibility determinations to ensure compliance with federal and state regulations. The Department will issue formal Management Decision Letters to the identified counties requiring the development and implementation of Department-approved Corrective Action Plans. These plans will be required to address root causes related to income and resource calculation, documentation of eligibility determinations, and household composition, including any necessary training or guidance for county and Medical Assistance site caseworkers. The Department will review, approve, and monitor corrective actions to ensure deficiencies are appropriately addressed.
Finding 2025-035 Compliance with Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility for Children’s Basic Health Plan The Department is responsible for ensuring that all federal Children’s Health Insurance Plan (CHIP) [ALN 93.767] expenditures are appropriate, and that the State complies with federal and state program requirements. CBHP, Colorado’s state-administered children’s health plan, is partially funded with federal CHIP dollars. In Colorado, the responsibility for determining recipient eligibility for CBHP program benefits is shared between local counties, designated MA sites, and the Department. For CBHP, individuals and families apply for benefits at their local county departments of human/social services, designated MA sites, or online through the PEAK system. When applying in person, the local counties and MA sites are responsible for administering the benefits application process, entering the required data for eligibility determination into CBMS, and approving or denying an applicant’s eligibility. Once eligibility is determined, the county or MA site is responsible for maintaining records on each applicant in a case file, and then retaining those case files for the periods required by federal and state laws. After an individual is determined eligible for CBHP, the individual is enrolled into an MCE plan. The specific MCE plan the individual is enrolled in is based on the county the individual lives in. The Department provides all county, MA site, and Department eligibility staff with copies of its Department-prepared policy and operational training documents and guides for reference. These documents are meant to provide eligibility staff with consistent and accurate program information, and are posted online for all county and MA sites to use. For CBHP, the Department contracts with MCEs, which are groups or organizations of medical service providers that furnish services to CBHP members under capitated reimbursement agreements. Under these agreements, MCEs contract with a network of providers to provide services to CBHP members. The CBMS eligibility data feeds into the Department’s medical claims system, Colorado interChange, which is programmed to pay MCEs in lump-sum monthly payments (capitation payments) for the services that they provide on behalf of CBHP beneficiaries. Colorado interChange makes these payments based on eligibility information received from CBMS and requirements specified in federal and state regulations. The Department pays MCEs based on the number of eligible beneficiaries enrolled in its plan. Capitation payments are paid to the MCE regardless of whether the providers serve beneficiaries during the month or not. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department’s internal controls over the CBHP eligibility determination process, as well as to determine whether the Department complied with applicable federal and state CBHP eligibility requirements during Fiscal Year 2025. Another purpose of our audit work was to determine whether the Department implemented our Fiscal Year 2023 audit recommendation to ensure local counties and MA site caseworkers are appropriately trained and held to required timelines for processing beneficiary applications, eligibility requirements related to applicants that have other health insurance, and maintaining the required documentation to support eligibility in the case file. The Department planned to implement this recommendation by January 2025. During our audit, we reviewed the Department’s CBHP eligibility internal controls in place during Fiscal Year 2025. In addition, we performed testing on a random nonstatistical sample of 60 beneficiaries to determine if they were properly determined eligible and received CBHP benefits during Fiscal Year 2025. We obtained a listing of CBHP capitation payments totaling $256,524,048, that were submitted by MCEs and paid by the Department during Fiscal Year 2025 on behalf of 156,430 individual beneficiaries. From that listing, we selected 60 beneficiaries to determine whether those individual’s CBHP eligibility determinations were appropriate. Our testing included reviewing supporting documentation, including case files, information in CBMS data fields related to eligibility determination/redetermination, and CBHP payment information in Colorado interChange. We performed testwork to determine whether the Department ensured that local county and MA site caseworkers obtained and maintained the required documents supporting eligibility determinations in the case files, correctly entered eligibility data into CBMS, and determined eligibility in a timely manner. What problems did the audit work identify and how were the results measured? Based on the testwork performed, we determined the Department is still in the process of fully implementing our Fiscal Year 2023 recommendation. While we did not identify any errors related to processing beneficiary applications within the required timeframes or eligibility requirements related to applicants with other health insurance, we continued to identify issues with missing case file documentation. We identified errors in 7 of the 60 CBHP case files tested (12 percent). These errors resulted in a total of $7,154 in known federal and state questioned costs for Fiscal Year 2025 ($4,650 in federal costs and $2,504 in state costs). Specifically, we found the following: • Missing Case File Documentation. In two cases, we determined the case file did not have documentation to support income, such as wage stubs, which is necessary to support the CBHP eligibility determination, as required by federal and state regulations. This resulted in known questioned costs of $2,553 ($1,659 in federal costs and $894 in state costs). Federal regulation [42 CFR 457.965] notes that the state must include in each applicant’s record facts to support the state’s determination of the applicant’s eligibility for CHIP. State regulation [10 CCR 2505-3, 130] notes that, to be eligible for CBHP, an applicant shall provide minimal verification as required in 10 CCR 2505-10-8.100.4.B. At minimum, applicants seeking medical assistance shall provide all of the following: social security number, verification of citizenship and identity and/or legal immigrant status, and support for earned and unearned income. State regulation [10 CCR 2505-10, 8.100.4.B] notes that income may be self-attested by an applicant or member and verified through an electronic data source. If the self-attested income cannot be verified electronically, the applicant must provide income documentation. Earned income must be verified by wage stubs, tax documents, written documentation from the employer stating the employee’s gross income, or through a telephone call to an employer. • Issues with Income Calculations. In five cases, we identified issues with the income calculation used to support the CBHP eligibility determination, as required by federal and state regulations. Specifically, we found the following: In 1 case, the incorrect number of household members was entered into CBMS, which caused the incorrect income threshold to be used in the income calculation. If the correct number of household members was used in the calculation, the member’s total income would have been over the eligibility limit. This resulted in known questioned costs of $2,037 ($1,324 in federal costs and $713 in state costs). In 3 cases, out-of-date income information was used in the calculation. In 2 of those cases, if the correct income was used in the calculation, the members’ total income would have been over the eligibility limit. This resulted in known questioned costs of $1,423 ($925 in federal costs and $498 in state costs). In 1 case for a self-employed individual, an incorrect expense amount was used in the member’s income calculation, which caused total income to be understated in the calculation. If the correct expense amount was used in the calculation, the member’s total income would have been over the eligibility limit. This resulted in known questioned costs of $1,141 ($741 in federal costs and $400 in state costs). State regulation [10 CCR 2505-3.110.1.E] notes that, to be eligible for the CBHP, an eligible person shall have a household income greater than 142 percent, but not exceeding 260 percent of the federal poverty level, adjusted for household size for children younger than age 19. State regulation [10 CCR 2505-3, 150.1] notes that the income calculation for the CBHP shall be determined by following the Medicaid Modified Adjusted Gross Income Methodology for income calculation, which is defined in 10 CCR 2505-10-8-100.4.C. State regulation [10 CCR 2505-10, 8.100.4.C] notes that the financial eligibility of applicants for medical assistance shall be determined based on current or previous monthly household income and family size. The Modified Adjusted Gross Income calculation for the purpose of determining a household’s financial eligibility shall consist of, but is not limited to, earned income in the form of wages, salaries, and tips. State regulation [10 CCR 2505-10, 8.100.3.K.9] notes that in order to determine the net profit (or income) of a self-employed applicant, the cost of doing business (expenses) should be deducted from gross income. Why did these problems occur? We determined that the Department’s existing internal controls over CBHP eligibility determinations did not consistently ensure caseworkers were determining eligibility appropriately and in accordance with federal and state regulations. Specifically, caseworkers were not adequately trained or held accountable for ensuring that the required documentation to support the income calculation was maintained within the case file, and that the correct income and income thresholds were used when determining eligibility. Why do these problems matter? As the state department responsible for ensuring that all expenditures under CBHP are appropriate, it is essential for the Department to ensure that eligibility determinations are made appropriately and in accordance with federal and state regulations. This includes ensuring that inaccurate processing of information used to determine eligibility does not result in CBHP benefits being provided to, and paid on behalf of, ineligible individuals, or that eligible individuals are denied benefits. Ultimately, the federal government may disallow federal funds for the CBHP program expenditures that do not adhere to regulations, and the State would be required to bear the cost of these errors. See "Schedule of Findings and Questioned Costs" for table/chart. Recommendation 2025-035 The Department of Health Care Policy and Financing should strengthen its internal controls over the Children’s Basic Health Plan eligibility requirements to ensure eligibility is determined appropriately and in accordance with federal and state regulations by addressing the issues identified in the audit. This should include ensuring that local county and Medical Assistance site caseworkers are appropriately trained on and comply with requirements to maintain appropriate income documentation to support eligibility in the case file, and comply with requirements to use the correct income and income thresholds when determining eligibility. Response Department of Health Care Policy and Financing Agree Implementation Date: February 2027 The Department agrees with the recommendation and will strengthen internal controls over Children’s Basic Health Plan eligibility determinations to ensure compliance with federal and state regulations. The Department will issue formal Management Decision Letters to the identified counties requiring Department-approved Corrective Action Plans. These plans will be required to address root causes related to income documentation, application of correct income thresholds, and compliance with CBHP eligibility requirements, including any necessary training or guidance for county and Medical Assistance site caseworkers. The Department will review, approve, and monitor corrective actions to ensure deficiencies are addressed.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2025 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Disposition of Prior Audit Recommendations of this report. See "Schedule of Findings and Questioned Costs" for table/chart. Finding 2024-032 Compliance with Activities Allowed or Unallowed and Allowable Costs/Cost Principles for Medicaid Medicaid Claims Payments The Department reimburses medical providers, pharmacies, and medical equipment providers for claims submitted to the Department for services provided to eligible beneficiaries in the Medicaid program. To be allowable, Medicaid costs for services must be (1) covered by the CMS-approved state plan or the CMS-approved waivers; (2) reviewed by the Department consistent with the Department’s documented procedures and system for determining the medical necessity of claims; (3) properly coded; and (4) paid at the rate allowed by the state plan. A Medicaid state plan is a formal, written agreement between a state and the federal government describing how a state administers its Medicaid program, which includes both the basic requirements of the program and individualized content that reflects the characteristics of the state’s program [42 CFR 430.10]. The state plan is written by the state and must be approved by CMS in order for the State to access federal Medicaid funds. The Department uses Colorado interChange as its medical claims system. Colorado interChange is programmed to make Medicaid claims payments on behalf of eligible beneficiaries in accordance with federal and state Medicaid rules and regulations. During Fiscal Year 2024, the Department contracted with a fiscal agent, Gainwell Technologies (Gainwell), to manage Colorado interChange. A fiscal agent is a contractor that acts on behalf of the Department in respect to claims processing activities, including evaluating and approving or rejecting claims payments in accordance with established Department policies. Although Gainwell receives and processes all claims, the Department is ultimately responsible for ensuring that the claims are paid in accordance with federal and state regulations. Providers are responsible for preparing and submitting Medicaid claims to Gainwell for processing in compliance with the Department’s claim filing requirements. All provider claims must include a diagnosis code, procedure code, and the provider’s usual and customary charges for payment (Provider Rate). Procedure codes are dependent on the type of service and claim type. Colorado interChange is programmed with CMS-approved rates for each procedure code. Gainwell will use the claims information received by the provider, including the specific procedure codes and Provider Rate, to process and pay the claims in Colorado interChange. Providers are advised by the Department to bill their usual and customary charges for services, and the Colorado interChange system pays the lower of either (1) the Provider Rate, or (2) the Department’s CMS-approved rates. If needed, all claims may be adjusted for increased payment, decreased payment, or recovery without repayment. Adjustments that increase or decrease the original payment amount are processed as a two-part transaction in Colorado interChange—the first piece of the transaction reverses the previously made payment, and the second piece of the transaction repays the claim at the corrected rate. If a previously paid claim is adjusted to pay less than the original amount, the adjustment will result in a retraction of the difference between the original payment and the corrected payment amount. If a previously paid claim is adjusted to pay more than the original amount, depending on if the provider billed usual and customary rates, the adjustment will result in an additional payment to the provider. The Department authorizes updates to the rate tables in Colorado interChange whenever there are changes in the claims rates. All provider rate increases are subject to CMS approval prior to implementation of an increase. Rate changes are generally made at the beginning of each fiscal year, but can be made anytime an update is required, such as when CMS issues a rate change that is based on the federal fiscal year (which begins on October 1). To make a change in the rate tables, Department staff fill out a change request form (Update Form) including the purpose of the request, instructions on the specific information that needs updating, and any other special instructions related to the request. The Department must include specific instructions on the Update Form if any claims have to be reprocessed as part of the request. A reprocessing request is needed if the actual rate change is made after the effective date of the change. For example, if a rate change was effective at the beginning of the fiscal year (July 1) but processed on July 15, the Update Form should include a specific request to reprocess claims with dates of service from July 1 to July 15, which would ensure the claims are paid at the correct rates. Once complete, Department staff send the Update Form to Gainwell for processing in Colorado interChange. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department’s internal controls over the Medicaid claims payment process and to determine whether payments were processed and paid in accordance with state and federal regulations during Fiscal Year 2024. During our audit, we obtained a list of all Medicaid claims that were paid by the Department during Fiscal Year 2024, which included 77,824,795 individual Medicaid claims totaling $11,542,679,377. We performed testing on a randomly selected sample of 40 Medicaid claims paid during Fiscal Year 2024 totaling $4,486,936 to determine whether the claim (1) matched the claims information that was reported in Colorado interChange; (2) was paid at the rate allowed by the state plan; and (3) beneficiary was eligible for the Medicaid program at the time of service. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: Federal regulations [45 CFR 75.403] require that costs under federal awards must be necessary, reasonable, and allocable; conform to any limitations or exclusions; be consistent with policies and procedures; receive consistent treatment; adhere to Generally Accepted Accounting Principles (GAAP); not be used for cost sharing of other programs; and be adequately documented. Section 25.5-4-301(2), C.R.S., states that any overpayment to a provider is recoverable, regardless of whether the overpayment is the result of an error by the state department, a county department of human or social services, an entity acting on behalf of either department, or by the provider or any agent of the provider. Federal regulations [45 CFR 75.303] state that recipients of federal funds must establish and maintain effective internal controls over its federal awards, which provide reasonable assurance that the recipient is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with “Standards for Internal Control in the Federal Government” (Green Book), published by the U.S. Government Accountability Office. Principles 3.09-3.10, Documentation of the Internal Control System, state that management is to develop and maintain documentation of its internal control system. This documentation should establish the who, what, when, where, and why of internal control execution to personnel. Documentation also provides a means to retain organizational knowledge and mitigate the risk of having that knowledge limited to a few personnel. What problem did the audit work identify? Based on our audit testwork, we determined that one of the 40 claims tested (2.5 percent) contained procedure codes that were paid at the incorrect rate for Fiscal Year 2024. Specifically, the claim selected for testing contained three specific procedures, two of which were paid at the rate in effect during Fiscal Year 2023 instead of the correct Fiscal Year 2024 rate. The third procedure code had the same rate for both Fiscal Year 2023 and 2024, so no difference was noted. The total known questioned costs for this claim were $137.20. See Schedule of Findings and Questioned Costs for chart/table. We provided the claim to Department staff to research, and they determined that this claim was part of a group of 2,423 individual claims with specific procedure codes that were paid at the rate in effect during Fiscal Year 2023 instead of the correct Fiscal Year 2024 rate. The total known questioned costs for this group of claims, including the sample tested above, was $189,015.98. Why did this problem occur? The Department does not have adequate internal controls, including formal policies and procedures, in place related to the rate updating process in Colorado interChange. Specifically, the Department lacked policies and procedures detailing how to complete the rate Update Form, requiring a secondary review process over the completed Update Form prior to submission to Gainwell, and requiring a post-implementation review of the rate changes made in Colorado interChange to confirm they were correctly made by Gainwell. On July 21, 2023, Department staff completed and submitted an Update Form to Gainwell to process the annual rate updates; the Department staff who processed the rate update had been trained on the process before, but this was the first time they completed the process independently and they overlooked including specific instructions to reprocess any claims with dates of service before the update (July 1, 2023 to July 21, 2023) at the new rate. This caused the Fiscal Year 2024 rate changes to take effect on July 21, 2023 instead of July 1, 2023 (the first day of the fiscal year). The Department did not have a review process in place to confirm that the Update Forms were completed accurately and included all necessary information, so the Department was unaware of the issue until it was identified during our audit. Once notified of the error, Department staff contacted Gainwell to initiate an adjustment to correct all claims with dates of service from July 1, 2023 to July 21, 2023 that were paid at the incorrect rate. The Department also notified all providers of the issue on the Department’s Provider Resources website and in the December 2024 Provider Bulletin. The adjustment was processed on November 22, 2024. Why does this problem matter? Strong internal controls over the Medicaid claims process—including documented policies and procedures detailing how to complete the Update Form and an effective review process—are necessary to ensure that Medicaid claims are paid at the correct rates approved by the state plan and in accordance with federal and state regulations. In addition, making payments over the specific rates can result in the Department having to repay the federal government for the federal portion of the overpayments. See Schedule of Finding and Questioned Costs for chart/table. Recommendation 2024-032 The Department of Health Care Policy and Financing (Department) should strengthen its internal controls over the Medicaid claims process by developing, documenting, and implementing formal policies and procedures over the rate updating process in Colorado interChange, the Department’s medical claims system. These policies and procedures should include details on how to complete the rate change request form (Update Form), require a secondary review process over the completed Update Form prior to submission to Gainwell Technologies—the Department’s contracted fiscal agent that manages Colorado interChange—and require a post-implementation review of the rate changes made in Colorado interChange to confirm they were correctly made by Gainwell. Response Department of Health Care Policy and Financing Agree Implementation Date: July 2025 The Department of Health Care Policy and Financing has examined rate maintenance practices since FY2024 to determine the best course of action to strengthen internal controls to subsequently develop formal policies and procedures. The Waiver and Fee Schedule Rates section will develop a formal, recorded training and corresponding training materials based on current, informal processes on completion of the rate update form to be submitted to the Department's fiscal agent, Gainwell Technologies. Since FY2024, the Waiver and Fee Schedule Rates section has implemented a multilevel secondary review process prior to any rate change submission to ensure accuracy in rate update submissions. The Rates section has also worked closely with other internal partners to formalize informal update processes for quality assurance and maintenance of a minimal error percentage. The Rates section has also implemented a post-implementation data analysis review of all rate update submissions to ensure the update was implemented as directed and expected to ensure accountability on behalf of the Department's fiscal agent Gainwell Technologies. The Rates section is currently in process of documenting and formalizing all rate update processes and policies for future training and process maintenance.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses were communicated to the Department of Health Care Policy and Financing (Department) in the previous year and have not been remediated as of June 30, 2025 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Disposition of Prior Audit Recommendations of this report. See "Schedule of Findings and Questioned Costs" for table/chart. Finding 2024-033 Compliance with Eligibility for Medicaid and CBHP Ex Parte Renewal Process Federal regulations require state medical assistance programs to renew a beneficiary’s eligibility once every 12 months to determine whether the beneficiary continues to qualify for benefits. States must first attempt to redetermine the beneficiary’s eligibility based on information the Department has available at that time, either from the beneficiary’s case file or other electronic data sources, without requiring information from the beneficiary. This is called an “ex parte” renewal. If sufficient information is available, the Department can renew eligibility on an ex parte basis and notify the beneficiary that their coverage has been renewed. If sufficient information is not available, the Department will provide the beneficiary with a renewal form and request any additional documentation needed to determine eligibility. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review the Department’s internal controls over the Medicaid and CBHP eligibility determination process, as well as to determine whether the Department complied with applicable federal and state Medicaid and CBHP eligibility requirements during Fiscal Year 2024. During our audit, we inquired with the Department on the ex parte renewal process for Medicaid and CBHP beneficiaries. How were the results of the audit work measured? We measured the results of our audit work against the following: Federal regulations require states to complete a redetermination of eligibility based on available information for each individual in the household, regardless of the eligibility of others in the household unit. Specifically, these regulations require that states complete a redetermination of eligibility for all beneficiaries without requiring information from the individual if able to do so based on reliable information contained in the individual’s case file or more current information available to the state (ex parte basis) [42 CFR 435.916(b)(2) and 457.343]. If they are unable to do so, the state must provide the individual with a pre-populated renewal form and give them at least 30 calendar days to respond and provide any necessary information [42 CFR 435.916(b)(2)]. Federal regulations [42 CFR 435.952(d) and 457.380(f)] specify that states may not terminate eligibility or reduce benefits on the basis of information obtained through the ex parte renewal process without first contacting the beneficiary and offering them an opportunity to provide new information. What problem did the audit work identify? The Department reported to us that they were not in compliance with eligibility requirements related to the ex parte renewal process during Fiscal Year 2024. As CMS worked with individual states on their COVID-19 unwinding plans, they identified 29 states that were not in compliance with certain ex parte renewal requirements for Medicaid and CBHP beneficiaries, including Colorado. The Department was inappropriately conducting ex parte renewals at the household level rather than individual level, without using individually-specific eligibility statutes and income thresholds for individuals within the household. Specifically, if eligibility could not be renewed on an ex parte basis for at least one member of a household, renewal forms were sent to the entire household. If the renewal forms were returned, the appropriate eligibility determinations were made and those who are eligible were approved. If the renewal forms were not returned, the Department’s eligibility system, the Colorado Benefits Management System (CBMS), would disenroll all individuals in the household, including any who may have been determined to be eligible through the ex parte process. Why did this problem occur? In August 2023, CMS instructed all states to review their ex parte renewal process to assess compliance with federal requirements to complete eligibility redeterminations based on the available information for each individual in the household, regardless of the eligibility of others in the household unit. States that identified any areas of noncompliance were required to (1) pause terminations for any ex parte renewal processes that are not compliant with federal guidance and whose coverage may be terminated inappropriately; (2) reinstate coverage for all affected individuals who have been disenrolled due to a failure to complete redeterminations based on the available information for each individual in the household; (3) fix the state’s systems and processes to ensure that redeterminations are conducted appropriately; and (4) implement a mitigation strategy to prevent continued inappropriate terminations until the state has fixed all systems and processes to be in compliance with federal renewal requirements. States were required to submit the state’s plan and timeline for remediation to CMS. In September 2023, the Department reported to CMS that it was not fully in compliance with the federal requirements for determining eligibility for each individual in the household, and it submitted a mitigation plan and timeline to fix the CBMS system and Department’s processes to ensure that redeterminations were conducted appropriately in the future. As part of the Department’s mitigation plan, automatic terminations of any households who did not return a renewal form were temporarily paused until a short-term system fix was put in place. In October 2023, a CBMS fix was put into place for households that did not return their renewal forms. CBMS continued to send renewal forms to households requesting additional information; however, for any multi-member household that did not return its form, the Department started reviewing eligibility for all members of the household individually. This short-term system fix brought the Department into compliance with federal ex parte renewal requirements. The Department is currently working on a permanent system change for CBMS that will only send out renewal forms for individuals not eligible through the ex parte process, with targeted implementation by December 2026. Why does this problem matter? When the Department is out of compliance with federal requirements, such as Medicaid requirements, the Department risks sanctions and/or other penalties. After CMS identified the Department’s noncompliance related to the Medicaid ex parte renewal issue, the Department researched the issue and identified 7,510 individuals who were incorrectly disenrolled from Medicaid or CBHP during the period May 2023 to October 2023. In November 2023, the Department retroactively reinstated these individuals’ eligibility back to the date at which their household was terminated, without a gap in coverage. In addition, the individuals were notified that their coverage had been reinstated and provided information on how to obtain payment for unpaid medical bills and/or ensure that any eligible service during the period that the individual was disenrolled were covered. See Schedule of Findings and Questioned Costs for chart/table. Recommendation 2024-033 The Department of Health Care Policy and Financing should strengthen its internal controls over Medicaid eligibility to ensure compliance with federal and state regulations by continuing to implement the Colorado Benefits Management System change related to the ex parte eligibility process to ensure that eligibility is determined on an individual rather than household basis, as required. Response Department of Health Care Policy and Financing Agree Implementation Date: December 2026 The Department agrees to strengthen its internal controls over Medicaid eligibility to ensure compliance with federal and state regulations. Colorado will continue its approved Centers for Medicare and Medicaid mitigation plan to ensure that eligibility is determined on an individual rather than a household basis. The Department will continue to conduct ex parte reviews to determine eligibility for all household members based on available information. Those members identified as eligible at ex parte will be approved, regardless if others in the household continue to need verifications or are no longer eligible. The Department is currently working on a permanent system change for CBMS that will only send out renewal forms for individuals not eligible through the ex parte process, with implementation by December 2026.
Finding 2025-038 Internal Controls and Compliance over Student Financial Assistance Cluster – NSLDS Reporting The federal Department of Education (USDE) requires institutions of higher education who receive Title IV Student Financial Assistance funds (Title IV) to report student enrollment information within specified timeframes to the USDE through its central database for student financial assistance, the National Student Loan Data System (NSLDS). Enrollment reporting, including the submission of student roster files and enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of the Student Financial Assistance Cluster. In accordance with federal requirements, each campus within the Colorado State University – System (CSU-System)—Colorado State University, Colorado State University – Pueblo and Colorado State University – Global Campus—submits student roster files to NSLDS via a thirdparty servicer, the National Student Clearinghouse (Clearinghouse), and each roster file is then uploaded by the Clearinghouse directly to NSLDS. The Registrar’s Office at each campus of the CSU-System compiles the student roster files to report details such as the campus-level enrollment and program attendance for the students who have received federal Title IV aid at the CSU-System. Each campus performs an initial review of participating students’ enrollment information during each semester’s census, which is typically during the second week of the semester, for reporting to USDE through the NSLDS. The initial review of participating students’ enrollment information is performed using enrollment information generated by each campus’s Financial Aid system (reporting system). After the census date each semester, the Registrar Office’s staff prepare student roster files of enrollment status that include information on reductions or increases in attendance levels, graduation, withdrawals, and/or students who have been accepted for enrollment but never attended. The Registrar’s Office prepares this through a manual comparison of applicable students’ enrollment status at the census date to the current enrollment status per each campus’s reporting system. During Fiscal Year 2025, the CSU-System issued approximately $306.0 million of federal Title IV aid during the year, which included approximately $64.6 million and $238.0 million of Pell Grant and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether each campus within the CSU-System had adequate internal controls over and complied with federal Title IV Student Financial Assistance enrollment reporting requirements regarding the student attendance status changes for Pell Grants and Direct Loan programs during Fiscal Year 2025. As part of our Fiscal Year 2025 testwork, we reviewed a total random sample of 40 student’s enrollment status change information, consisting of 26 students at Colorado State University, 10 students at Colorado State University – Global Campus, and 4 students at Colorado State University – Pueblo, that was required to be reported to USDE through NSLDS during Fiscal Year 2025 The sample consisted of enrollment status changes that occurred during the Fall 2024 and Spring 2025 semesters. For each student in our sample, we compared information within the CSU-System’s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal, graduation, or a change in enrolled credit hours, to determine if the information was reported accurately and within the federally required timelines. How were the results of the audit work measured? We measured the results of our audit work against the following: Under the federal Pell Grant and Direct Loan program requirements, 34 CFR 690.83(b)(2) and 34 CFR 685.309(b)(2), an institution must report any enrollment status changes, including the date of the change, per the institution’s reporting system, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student’s enrollment status to NSLDS when there is a (a) reduction or increase in the student’s attendance levels, (b) graduation, (c) withdrawal, and/or (d) a student who has been accepted for enrollment but never attended. Institutions are responsible for timely reporting whether they report directly or via a third-party servicer. We measured the results of our testing against the USDE-required 60-day timeframe for submission of student roster files. What problems did the audit work identify? We found that the Colorado State University and Colorado State University – Pueblo campuses did not timely report the student enrollment status changes to the USDE through NSLDS for 2 out of the 40 (5 percent) students we tested during the Fall 2024 and Spring 2025 semesters. Specifically, one student’s enrollment status information during the Fall 2024 semester at Colorado State University was submitted 166 days beyond the federal reporting requirement and one student’s enrollment status information during the Fall 2024 semester at Colorado State University – Pueblo was submitted 18 days beyond the federal reporting requirement. Why did these problems occur? The Colorado State University and Colorado State University – Pueblo campuses did not have adequate review processes in place to ensure that it fully complied with federal student enrollment reporting requirements for the Title IV Student Financial Assistance program. For both instances, the Student Financial Assistance Office staff at each campus indicated that the student enrollment status was not reported timely because the new students, who were first enrolled at their respective campus during the Fall 2024 semester, were not included in the student roster files used to compare each students’ enrollment status at the census date to the current status in the reporting system due to the reports used to perform the manual comparison not being correctly configured to capture all student enrollment status of students who first enrolled during the Fall 2024 semester. Additionally, the review process failed to adequately ensure the completeness of the prepared student roster files. As a result, those changes were not included in the enrollment status report submitted by the Clearinghouse to NSLDS within the required federal reporting timeframe. Why do these problems matter? Enrollment reporting assists lenders in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Thus, if the CSUSystem campuses fail to meet the required reporting timelines, the borrower’s repayment responsibilities may be reported incorrectly and result in either a lack of timely repayments by the borrower or the student being inappropriately moved into loan repayment status. See "Schedule of Findings and Questioned Costs" for table/chart. Recommendation 2025-038 The Colorado State University and Colorado State University – Pueblo campuses should strengthen their internal controls over reporting Student Financial Assistance Pell Grants and Direct Loan Program’s student enrollment to the U.S. Department of Education (USDE) to ensure student enrollment status changes are submitted by the National Student Clearinghouse to USDE’s National Student Loan Data System within 60-days of any enrollment change. This should include improving their review processes over the preparation and completeness of the student roster files used to compare each student’s enrollment status at the census date to current enrollment status in the reporting system to ensure that the student roster files include all students that are newly enrolled at the campus. Response Colorado State University System Agree Implementation Date: June 2026 The Colorado State University and Colorado State University – Pueblo campuses will strengthen their internal controls to ensure enrollment changes are reported within the required 60-day timeline for newly enrolled students. Additionally, the Colorado State University and Colorado State University – Pueblo campuses will improve the documentation provided as part of compliance testing as both students referenced within the finding were unique situations. In both instances referenced, additional context was not provided during compliance testing for both students that was not captured on the provided National Student Loan Data System Campus Enrollment Details webpage that showed the appearance of reporting an enrollment status change outside of the 60-day requirement. For the Colorado State University, the student was reported with an effective date of the beginning of the Fall 2024 Semester but did not complete verification procedures until February 2025 and was then disbursed the Fall 2024 portion of their Pell Grant. For Colorado State University – Pueblo, the student was reported with an effective date of the beginning of the Fall 2024 Semester, but corrections were required on the student’s FAFSA before federal student financial aid could be disbursed. The campuses will improve documentation provided during compliance testing for when these unique situations with enrollment reporting occur.
Finding 2025-039 Internal Controls and Compliance with Special Tests and Provisions for Student Financial Assistance Metropolitan State University of Denver (MSU-Denver) receives funding from the federal Department of Education’s (USDE) Title IV Student Financial Assistance (Student Financial Aid) program, which requires MSU-Denver to obtain sensitive data from students. For example, MSUDenver obtains personally identifiable financial and tax information from students in order to administer its federal Student Financial Aid program. As a result, MSU-Denver’s Information Technology Services (ITS) department is responsible for ensuring compliance with the federal Gramm-Leach-Bliley Act (GLBA). The GLBA, which was enacted in 1999, mandates that financial institutions disclose their information-sharing practices and provide consumers with opt-out options for their personal data. It also established the Financial Privacy Rule, which requires institutions to protect sensitive customer information and provide clear privacy notices to customers. Before MSU-Denver receives federal Student Financial Aid from USDE, MSU-Denver agrees to adhere to compliance requirements within a Program Participation Agreement (PPA), and a Student Aid Internet Gateway Agreement (SAIGA). One of the compliance requirements MSU-Denver agrees to within the PPA and SAIGA is the GLBA, which requires MSU-Denver to explain their information-sharing practices with their students and safeguard sensitive data, with particular attention to information provided to MSU-Denver by the USDE or otherwise obtained in support of the administration of MSU-Denver’s Student Financial Aid program. The GLBA requirements are codified in Title 16, Part 314, Section 4 of the Code of Federal Regulations (16 CFR 314.4), and requires MSU-Denver to develop, implement, and maintain a comprehensive written information security program (WISP) in one or more readily accessible parts. This federal regulation also specifies the elements and safeguards that MSU-Denver’s WISP needs to include for the protection of students’ financial aid information. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to review MSU-Denver’s internal controls over its WISP, and determine if it included the minimum elements and safeguards required by the GLBA during Fiscal Year 2025. Our review included obtaining MSU-Denver’s WISP and performing the following procedures: • We met with MSU-Denver’s ITS management to determine how it developed, implemented, and maintained its WISP. • We compared MSU-Denver’s WISP to the elements and safeguards required by the GLBA. • We reviewed the ITS’ policies and procedures to determine if MSU-Denver had suitably designed and implemented the GLBA required elements and safeguards during Fiscal Year 2025. How were the results of the audit work measured? We measured the results of our audit against federal regulation 16 CFR 314.4, which states that an institution’s WISP, at a minimum, must include the seven following elements that include eight minimum safeguards: 1. Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program. 2. Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. 3. Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment. At a minimum, the following are the eight safeguards that a WISP must address: i. Implement and periodically review access controls. ii. Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted. iii. Encrypt customer information on the institution’s system and when it is in transit. iv. Assess applications developed by the institution. v. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. vi. Dispose of customer information securely. vii. Anticipate and evaluate changes to the information system or network. viii. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. 4. Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. 5. Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program. 6. Address how the institution will oversee its information system service providers. 7. Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows has reason to know may have a material impact on the institution’s information security program. What problem did the audit work identify? Based on our audit work, we determined that MSU-Denver’s WISP addressed some, but not all, of the elements that institutions must address. Specifically, the WISP did not address the three following elements: 1. Design and implementation of the three following safeguards: i. Conducting a periodic inventory of data, noting where it is collected, stored, or transmitted. ii. Assessing applications developed by the institution. iii. Implementing multi-factor authentication for anyone accessing customer information on the institution’s system. 2. Regular testing or monitoring the effectiveness of the safeguards MSU-Denver implemented. 3. Evaluation and adjustment of MSU-Denver’s WISP in light of the results of the required testing and monitoring. Why did this problem occur? MSU-Denver did not have adequate internal controls in place to ensure that its WISP fully complied with the requirements of federal regulation 16 CFR 314.4 because its WISP was only in draft form and the ITS department did not have a proper process in place to review its WISP and update it to reflect current federal requirements. MSU-Denver’s ITS management indicated that a WISP that meets these federal requirements is being developed and, once approved by MSU-Denver leadership, will become an official policy. Why does this problem matter? Protecting students’ sensitive data is a critical compliance requirement for institutions participating in the USDE’s Student Financial Aid program. Without the proper development, implementation, and maintenance of a WISP to ensure that MSU-Denver addresses all of the required elements and safeguards specified in federal regulation 16 CFR 314.4, MSU-Denver increases its exposure to potential data breaches, loss of data, or other fraudulent acts that could occur. Additionally, failure to comply with the GLBA increases MSU-Denver’s risk of material noncompliance with the USDE’s Student Financial Aid program requirements. See " Schedule of Findings and Questioned Costs" for table/chart. Recommendation 2025-039 The Metropolitan State University of Denver’s (MSU-Denver) Information Technology Services (ITS) department should strengthen its internal controls over information security by establishing, implementing, and maintaining a comprehensive written information security program (WISP) that reflects the current federal requirements of the Gramm-Leach-Bliley Act. This should include processes for ITS to test and monitor its information security to determine when adjustments are needed to the MSU-Denver WISP, and to obtain a formal review and approval of the WISP from MSU-Denver’s leadership. Response Metropolitan State University of Denver Agree Implementation Date: June 2026 MSU Denver IT Security will update its written information security program to address the necessary requirements of the Gramm-Leach-Bliley Act. The WISP will be reviewed and updated at least once each year, with updates being based on risk assessments, audits, changes to the environment, and any incidents which indicate a need for changes to the WISP. The updated WISP will include existing policies as well as new policies that describe standards for: • Periodic inventory of data • Multi-Factor Authentication, Single Sign-On, and passwords • Assessment of applications developed by the institution • Testing our safeguards The updated WISP will be formally reviewed and approved by the Chief Financial Officer by June 30, 2026.
Finding 2025-040 Internal Controls and Compliance Over Student Financial Assistance Cluster – NSLDS Reporting The federal Department of Education (USDE) requires institutions of higher education that receive Title IV Student Financial Assistance (Student Financial Aid) funds to report enrollment information within specified timeframes to the USDE through its central database for student assistance, the National Student Loan Data System (NSLDS). Enrollment reporting, through the submission of student roster files with enrollment status changes, assists the federal government in managing the Pell Grant and Direct Loan programs, which are both parts of Student Financial Aid. In accordance with federal requirements, the Metropolitan State University of Denver (MSUDenver) submits student roster files with enrollment status changes to the National Student Clearinghouse (Clearinghouse), a third-party service provider. The Clearinghouse uploads MSUDenver’s student roster files with enrollment status changes directly to NSLDS. MSU-Denver’s Registrar’s Office (Registrar’s Office) compiles the student roster file to report details about students, such as the campus-level enrollment and program attendance for the students who have received Student Financial Aid at MSU-Denver. The Registrar’s Office performs an initial review of participating students’ enrollment information during the census, which is typically during the second week of the semester, for reporting to NSLDS. After the census date each semester, the Registrar’s Office staff prepare student roster files of enrollment status changes, such as a withdrawal, graduation, or a change in enrolled credit hours, through a manual comparison of applicable students’ enrollment status at the census date to the current enrollment status on MSUDenver’s reporting system, Banner. During Fiscal Year 2025, MSU-Denver issued approximately $95.1 million in federal Student Financial Aid to its enrolled students during the year, which included approximately $40.5 million and $52.7 million of Pell Grants and Direct Loan funding, respectively. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether MSU-Denver had adequate internal controls over, and complied with, requirements for reporting enrollment status changes to the USDE for Pell Grants and Direct Loan programs during Fiscal Year 2025. As part of our Fiscal Year 2025 testwork, we reviewed enrollment information that MSU-Denver was required to report to USDE via NSLDS during Fiscal Year 2025 for a random sample of 40 students. For each student in our sample, we compared information within MSU-Denver’s Financial Aid system to information contained on the NSLDS website for the specific enrollment status change selected, such as a withdrawal, graduation, or a change in enrolled credit hours, to determine if MSU-Denver reported the information accurately and no later than USDE’s deadlines. How were the results of the audit work measured? We measured the results of our audit work against the following: Under the federal Pell Grant and Direct Loan program requirements, 34 CFR 690.83(b)(2) and 34 CFR 685.309(b)(2), an institution must report any enrollment status changes through student roster files, including the date of the change, to NSLDS for participating students within 60 days of the change. An institution must report a change in a student’s enrollment status to NSLDS when there is a (a) reduction or increase in the student’s attendance levels, (b) graduation, (c) withdrawal, or (d) a student accepted for enrollment but never attended. Institutions are responsible for submitting their enrollment status reporting no later than the required federal deadlines regardless of whether they report directly through NSLDS or via a third-party servicer. We measured the results of our testing against the USDE’s 60-day timeframe for submitted roster files. What problem did the audit work identify? We found that MSU-Denver did not report enrollment status changes to the USDE by the required federal deadlines for 14 of the 40 (35 percent) students we tested. Specifically, MSU-Denver reported enrollment status changes for these 14 students between 18 to 53 days after USDE’s 60- day enrollment status change reporting requirement. These delays occurred between December 2024 and April 2025 and related to the following enrollment status changes: 12 of the students we tested graduated from MSU-Denver, one of the students we tested withdrew from MSU-Denver, and one of the students we tested had a change in enrolled credit hours. Why did this problem occur? MSU-Denver did not have adequate internal controls in place to ensure that it fully complied with federal student enrollment reporting requirements for the Student Financial Aid program. The Registrar’s Office staff indicated that the student roster files prepared from Banner that were submitted to the Clearinghouse were rejected by the Clearinghouse due to errors within the configuration of student roster files. This technical issue required the Registrar’s Office to reconfigure the student roster files that are prepared for submission to the Clearinghouse. The timing of when the Clearinghouse notified the Registrar’s Office of the rejections of the student roster files, and the reconfiguration that was required, resulted in MSU-Denver not reporting enrollment status changes within USDE’s required timeframe. Why does this problem matter? Enrollment reporting is a critical compliance requirement for institutions participating in the federal Student Financial Aid program. For recipients of Pell Grants, timely enrollment reporting by institutions assists with their eligibility, future disbursement amounts, and continued access to Student Financial Aid. For borrowers of Direct Loans, timely enrollment reporting by institutions assists the USDE in the determination of whether a borrower should be moved into loan repayment status or if they are eligible for an in-school deferment. Failure to meet the USDE’s required enrollment status change reporting timelines increases MSU-Denver’s risk of material noncompliance with federal Student Financial Aid program requirements. See " Schedule of Findings and Questioned Costs" for chart/table. Recommendation 2025-040 The Metropolitan State University of Denver (MSU-Denver) should strengthen its internal controls over enrollment reporting to the federal Department of Education (USDE) for students who receive Title IV Student Financial Assistance through Pell Grants or the Direct Loan Program. This should include preparing student roster files in the correct configuration to ensure that these changes are submitted by the National Student Clearinghouse (NSC) to USDE’s National Student Loan Data System within 60-days of the enrollment change, as required by federal regulations. Response Metropolitan State University of Denver Agree Implementation Date: June 2026 MSU Denver manages enrollment reporting within the Office of the Registrar. We develop a schedule each calendar year and semester with NSC to identify scheduled reporting dates for each term in alignment with critical semester dates (start, end, drop, etc.). In Fiscal Year 2025, there was a technical issue in which we had to work with our ERP vendor, Ellucian, to provide a solution. The Office of the Registrar will strengthen its internal controls to ensure enrollment changes are reported within the required 60-day timeline.
Finding 2025-041 AWARE – Information Security and Change Management Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to IT system security, to be issued through a separate “classified or limited use” report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department of Labor and Employment’s Division of Vocational Rehabilitation administers the federal Rehabilitation Services – Vocational Rehabilitation Grants to States [ALN 84.126] (Vocational Rehabilitation) program and relies on its Accessible Web-Based Activity and Reporting Environment (AWARE) IT system to aid with management of the program and to track expenditures. The AWARE system is a configurable, off-the-shelf (COTS) system that is managed and hosted by the Department’s third-party IT service provider, Alliance Enterprises (Alliance). Department staff access the system via a secure Web portal. Program information is stored on servers and databases managed by Alliance. Alliance developed the AWARE system specifically to meet federal requirements for Vocational Rehabilitation program services and is used by multiple states. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also includes information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details of how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security and access management. The Department has policies that define the rules for various software systems based on the Department’s needs and security requirements; and the AWARE System Security Plan (SSP), which lists security requirements and describes the controls that must be in place to ensure all the security policy requirements are met. Once policies and procedures have been formalized and communicated to responsible staff and the Department’s contractor, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to gain an understanding of, and determine whether the Department had designed and implemented IT general controls, specifically information security and change management controls, over the AWARE system. Our audit work consisted of inquiries to the Department to gain an understanding of these IT general control areas, along with a review of related documentation provided by the Department staff. How were the results of the audit work measured? We applied the following criteria when evaluating the design effectiveness of the IT general controls: • The Governor’s Office of Information Technology (OIT)’s Colorado Information Security Policies (Security Policies). • Federal regulations [2 CFR 200.303] require the Department to establish and maintain effective internal controls, including IT general controls, over federal awards that provide reasonable assurance that the Department is managing its federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal award. • Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office (GAO), is a leading industry internal control framework. The Office of the State Controller (OSC) has adopted the Green Book as the State’s standard for internal controls, which all state agencies must follow. Green Book, Paragraphs 3.09, Documentation of the Internal Control System, and 12.02, Documentation of Responsibilities through Policies, requires that management develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Green Book, Paragraph 12.05, Periodic Review of Control Activities, also requires that management periodically review policies and procedures for continued relevance and effectiveness in achieving the entity’s objectives or addressing related risks. If there is a significant change in an entity’s process, management should review this process in a timely manner after the change to verify that the control activities are designed and implemented appropriately. • Green Book, Paragraph 14.03, Communication throughout the Entity, prescribes that management should communicate quality information to enable personnel to perform key roles in achieving objectives, addressing risks, and supporting the internal control system. In these communications, management should assign the internal control responsibilities for key roles. What problems did the audit work identify? During Fiscal Year 2025, we identified problems with the Department’s information security and change management IT general controls for the AWARE system. Why did these problems occur? According to the Department, it is in the final stages of modernizing a new case management system that will replace its current AWARE system and, therefore, did not update its SSP or policies and procedures for AWARE during Fiscal Year 2025. Department staff indicated that they expected AWARE to be decommissioned prior to the end of Fiscal Year 2025, and therefore determined it was not feasible to update the AWARE SSP during Fiscal Year 2025 to comply with OIT’s Security Policies. However, deployment of the new system was delayed due to the Department working through the new system’s User Acceptance Testing. The Department indicated that it will develop policies for the new case management system during the modernization process, which it expects to be finalized with the decommissioning of AWARE in January 2026. Why do these problems matter? It is important for the Department to have an effective system of internal controls in place in order to meet its objectives and comply with federal requirements for the Vocation Rehabilitation program. Without an effective internal control system, the reliability of the data processed, stored, and reported on by the Department’s IT system for the Vocational Rehabilitation program can be adversely impacted. When IT policies and procedures are not maintained, updated, and communicated, Department staff, and others who are subject to the requirements and processes, may not be able to adequately manage or consistently apply IT policy requirements and processes to meet management’s objectives and expectations, respond to risks appropriately, and ensure the confidentiality, integrity, and availability of the Department’s information systems. See "Schedule of Findings and Questioned Costs" for table/chart. Recommendation 2025-041 The Department of Labor and Employment should improve its overall IT governance and information security IT general controls for the information system used for the Rehabilitation Services – Vocational Rehabilitation Grants to States program by: A. Implementing recommendation Part A as noted in the confidential finding. B. Implementing recommendation Part B as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2026 The Department will implement Part A of the confidential finding. B. Agree Implementation Date: July 2026 The Department will implement Part B of the confidential finding.
Finding 2025-042 MyUI+ – IT Governance and Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate “classified or limited use” report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance (UI) program, and relies on its IT system, MyUI+, to aid with determining applicants’ eligibility for the UI program and to provide data necessary for federal reporting to the U.S. Department of Labor for the UI program. The Department is the business owner of the MyUI+ system and works with OIT and the Department’s external IT service provider to manage MyUI+. The OSC has adopted the GAO’s Green Book as the State’s standard for internal controls, which all state agencies must follow. For the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security, for example controls related to issuing new user credentials. Once the Department has formalized and communicated its policies and procedures to responsible staff, specific internal control activities can be implemented and operationalized. OIT has promulgated the Security Policies that apply to the Department and its systems, and outline specific business owner IT requirements with which the Department must comply. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department implemented our Fiscal Year 2024 audit recommendations related to MyUI+. As part of our recommendations, we recommended that the Department should improve its IT governance for the MyUI+ system by: • Formalizing and communicating IT procedures guidance to Department staff and the Department’s IT service provider performing IT general control activities, including a Department-defined periodic review process of OIT’s Security Policies to ensure the Department’s IT policies, procedures, and rules align with the most current version of the Security Policies. • Implementing the recommendation as noted in the confidential finding. The Department agreed with these recommendations and planned to implement them by June 2025. Our audit work consisted of assessing the design and implementation of the Department’s IT policies and procedures, through inquiry with Department staff and inspection of supporting documentation. How were the results of the audit work measured? We measured the results of our audit work against the following: • OIT Security Policies that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy section and the General Responsibilities section, specifically 8.3.1 and 8.3.2 for business owners, that all agencies, including the Department, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for their systems. OIT Security Policies also indicate that the Department, as the business owner for MyUI+, is responsible for following and adhering to all identified business owner requirements. • OIT Security Policies and IRS Publication 1075, Tax Information Security Guidelines for Federal State and Local Agencies. Department management stated that it aligns with IRS Publication 1075 for its systems even though MyUI+ does not contain Federal Tax Information, which is the focus of Publication 1075’s security requirements. • Federal regulations [2 CFR 200.303] require the Department to establish and maintain effective internal controls, including IT general controls, over federal awards that provide reasonable assurance that the Department is managing its federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal award. • Green Book, Paragraphs 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, states that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraphs 11.06 and 11.07, Design Appropriate Types of Control Activities, state that management should design appropriate types of control activities in the entity's information system, including information system general controls that facilitate the proper operation of the entity’s systems. What problems did the audit work identify? The Department did not fully implement our prior audit recommendations to improve its IT governance related to MyUI+ during Fiscal Year 2025. Specifically: • The Department took steps to implement the recommendation by beginning to formalize IT procedures for MyUI+, including those that defined a required periodic review of OIT’s Security Policies; however, the Department did not have the formalized procedures in place nor had it communicated the procedures to employees or its IT service provider by the end of Fiscal Year 2025. • We found that the Department did not fully implement the confidential prior audit recommendation during Fiscal Year 2025, which put the Department at risk for not complying with Publication 1075. Why did these problems occur? According to the Department, the review, updating, and communication process of its procedures did not occur by the end of Fiscal Year 2025 due to turnover and contract renegotiations, resulting in partial implementation of the recommendations by fiscal year end. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable for meeting management’s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. Without policies and procedures, staff may not perform processes and controls in a consistent manner. The identified deficiencies increase the risk of system compromise and can affect the confidentiality, integrity, and availability of the MyUI+ system, as well as adversely impact the reliability of data that is processed, stored, and generated by the system. Additionally, if the MyUI+ information security processes and controls are not appropriately implemented and operating effectively, the Department may not be able to ensure compliance with federal requirements, OIT’s Security Policies, and Publication 1075. See "Schedule of Findings and Questioned Costs" for table/chart. Recommendation 2025-042 The Department of Labor and Employment (Department) should improve its overall IT governance and information security IT general controls, and work with its IT service provider, as applicable, for the MyUI+ information system by: A. Prioritizing staffing to complete and communicate the formalized IT procedures, including a required Department-defined periodic review process of the Colorado Information Security Policies, developed and published by the Governor’s Office of Information Technology, to Department staff and the Department’s IT service provider performing IT general control activities for MyUI+. B. Implementing recommendation Part B as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: April 2026 The Department will complete and communicate formalized IT procedures to staff and IT service providers for IT general control activities for MyUI+ by April 2026. B. Agree Implementation Date: April 2026 The Department will implement Part B of the confidential finding.
Finding 2025-043 Compliance with Reporting for Community Development Block Grant program The Department administers the federal Community Development Block Grant/State’s program and Non-Entitlement Grants in Hawaii (Community Development Block Grant or CDBG) [ALN 14.228] for non-entitlement municipalities and counties to carry out community development activities. The federal government splits the Department’s CDBG program into sub-programs related to the CARES Act (CDBG-CV), Disaster Recovery (CDBG-DR), and the Neighborhood Stabilization Program (CDBG-NSP). The CARES (Coronavirus Aid, Relief, and Economic Security) Act, enacted March 27, 2020, appropriated $5.0 billion in CDBG-CV funds to be allocated to about 1,250 states, local governments, and insular areas to fund activities to prevent, prepare for, and respond to Coronavirus. CDBG-CV and CDBG grants are a flexible source of funding that can be used to pay costs that are not covered by other sources of assistance, particularly to benefit persons of low and moderate income. The primary objective for CDBG-DR is to provide disaster relief, long-term recovery, restoration of infrastructure and housing, and economic revitalization in the most impacted and distressed areas resulting from a major disaster, declared pursuant to the Robert T. Stafford Disaster Relief and Emergency Assistance Act of 1974. The objectives of the CDBG-NSP are to: (1) stabilize property values, (2) arrest neighborhood decline, (3) assist in preventing neighborhood blight, and (4) stabilize communities across America hardest hit by residential foreclosures and abandonment. These objectives have been achieved through the purchase and redevelopment of foreclosed and abandoned homes and residential properties that allows those properties to turn into useful, safe and sanitary housing. The grants are to be considered CDBG funds. The Department is required to submit financial information electronically to the federal Housing and Urban Development (HUD) Exchange IT system on an annual basis. The Department is required to submit various reports that include the following: • Performance reports titled, Performance and Evaluation Financial Summary Reports (PR28), are required to list all of the financial activity related to the CDBG program and CDBG-CV subprogram. • Quarterly Performance Reports for the CDBG-DR program and CDBG-NSP. The Quarterly Performance Reports include the Department’s activities related to the CDBG grant for these sub-programs on a quarterly basis. The Department is also required to comply with the Federal Funding Accountability and Transparency Act of 2006 (Transparency Act or FFATA) for its CDBG awards. The Transparency Act was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards, including information about amounts passed through to subrecipients, or subawards, given to other governments or nonprofit organizations, available to the public. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as an entity, usually but not limited to non-federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. The Department is required to submit FFATA information through the FFATA Subaward Reporting System (formerly FSRS)—the System for Award Management (SAM.gov). Once the Department submits a report to SAM.gov, the public can view information from the report, including the subrecipient’s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department’s name, and the Department’s grant award identification number. In Fiscal Year 2025, the Department made 25 CDBG subawards to 18 subrecipients totaling $10.2 million that were subject to FFATA reporting. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to identify and review the operational effectiveness of the Department’s internal controls and compliance over the federal reporting process for the CDBG program, and determine whether the reports were prepared and submitted in accordance with state and federal regulations. During our audit, we reviewed two PR28 Performance and Evaluation Financial Summary Reports—one for CDBG overall and one for the CDBG-CV sub-program filed by the Department during Fiscal Year 2025—and the related supporting documentation. We also reviewed eight Quarterly Performance Reports—four reports for each of the CDBG-DR and CDBG-NSP subprograms filed by the Department for Fiscal Year 2025—and the related supporting documentation. Additionally, we received the Department’s sub-awardee report submitted to SAM.gov for FFATA reporting for Fiscal Year 2025 for the CDBG grant and tested 7 of the 25 subawards listed on the report. We used both performance and sub-awardee reports to determine if the financial activity in these reports could be traced to the expenditures recorded within the Colorado Operations Resource Engine (CORE), the State’s accounting system, for the CDBG grant program for Fiscal Year 2025. We also performed testwork to determine if the performance and sub-awardee reports were reviewed and approved internally, submitted in a timely manner, and approved by HUD. How were the results of the audit work measured? For the CDBG program, we measured the results of our audit work against the following requirements: • As noted previously, the Department is required to submit certain financial information electronically to HUD through its HUD Exchange system on an annual basis. HUD requires that the reports be prepared in accordance with Generally Accepted Accounting Principles (GAAP). Per the federal Office of Management and Budget’s (OMB) Compliance Supplement, the various reports that the Department must submit include the following: PR28 Performance and Evaluation Financial Summary Reports for the CDBG program and CDBG-CV sub-program. This report is required to list all of the financial activity related to the CDBG program, such as the overall benefit to low- and moderate-income persons, the maximum allowable costs for administration, technical assistance, and overall planning, management and administration, and must be submitted quarterly, 30 days after the reporting period end date. Quarterly Performance Reports for the CDBG-DR program and CDBG-NSP. The Quarterly Performance Reports must cover all expenditures on the cooperative agreement from the start date of the reporting period to the reporting period end date related to the CDBG grant for these sub-programs and must be submitted on a quarterly basis. • In accordance with federal regulations [2 CFR 170, Appendix A], the Department is required to report subawards of $30,000 or more to SAM.gov by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to SAM.gov in May 2025 if it made an award or supplemental award equal to or greater than $30,000 in April 2025. • Federal regulations [2 CFR 200.303] state that recipients of federal funds must establish and maintain effective internal controls over their federal awards which provide reasonable assurance that the recipient is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Green Book states in Paragraphs 3.09 and 3.10 that management is to develop and maintain documentation of its internal control system, establishing the who, what, when, where, and why of internal control execution to personnel. What problems did the audit work identify? We identified problems in all of the Department’s reports for CDBG that we tested for Fiscal Year 2025. Specifically: • We identified issues in both of the two (100 percent) PR28 performance reports we reviewed. Specifically, we could not tie disbursement amounts for the CDBG program and CDBG-CV sub program totaling approximately $15,000 and $21.7 million, respectively, contained on the two PR28 performance reports to the Department’s accounting records. Additionally, the Department could not provide evidence that Department staff reviewed and approved the reports internally prior to submission to the federal government. • We identified issues in 7 of the 8 (88 percent) Quarterly Performance Reports we reviewed. The following table reflects quarterly amounts expended that could not be tied out for each programmatic report: See "Schedule of Findings and Questioned Costs" for table/chart. *The Department did not submit 4 of the 7 (57 percent) FFATA reports to SAM.gov within the required time period. We specifically noted that the Department submitted these four subawards to SAM.gov after the close of Fiscal Year 2025 in October 2025, which caused them to be out of compliance by up to 14 months. Why did these problems occur? The Department did not have adequate internal controls over its federal reporting processes, such as supervisory review and approval of the PR28 and FFATA reports prior to submission and publication. In addition, the Department failed to maintain adequate records of submissions and accounting support due to a lack of internal monitoring and review processes necessary for tracking report submissions and ensuring reports are submitted timely and are complete. The Department stated that the delay in the submission of the FFATA reports was due to technical difficulties experienced by the Department when the federal government switched from requiring the use of the previous FSRS system to SAM.gov on March 8, 2025. Why do these problems matter? By not providing accurate information to HUD or maintaining support for the Department’s performance reports, it is not meeting federal requirements. Further, the Department may not be addressing CDBG regulatory requirements that are intended to result in an overall benefit to lowand moderate-income persons and an overall benefit to the public. Additionally, inaccurate reporting could result in actual costs exceeding the maximum allowable costs for technical assistance, and overall planning, management and administration. By failing to report the subawards to SAM.gov in a timely manner, as required under FFATA, the Department is out of compliance with federal reporting requirements and risks federal sanctions. Additionally, by not reporting the relevant information—including subrecipient name, subrecipient Data Universal Numbering System number, amount of subaward, subaward obligation/action date, date of report submission, subaward number, subaward project description, subrecipient names, and compensation of highly compensated officers—the Department is failing to meet the federal intent of transparency for federal program spending. Furthermore, the Department not maintaining documentation of the review and approval of its federal reports can lead to a lack of accountability, making it difficult to verify compliance and potentially resulting in further scrutiny or penalties from federal oversight bodies. See "Schedule of Findings and Questioned Costs" for table/chart. Recommendation 2025-043 The Department of Local Affairs should strengthen its internal controls over federal reporting for its Community Development Block Grant/State’s program and Non-Entitlement Grants in Hawaii, including the Federal Funding Accountability and Transparency Act (FFATA) reporting, and ensure that its reporting meets federal requirements by: A. Ensuring that FFATA reporting occurs as required for subawards of $30,000 or more in the System for Award Management, SAM.gov, by the end of the month following the month the subawards are made. B. Documenting and implementing internal monitoring policies and procedures, including the performance of reconciliations of reports, to ensure that the required Performance and Evaluation Financial Summary Reports (PR28) and Quarterly Performance Reports are accurate and complete. This should include maintaining documentation of evidence of the review and approval of each report prior to its submission to the federal government. Response Department of Local Affairs A. Agree Implementation Date: April 2026 The Department will strengthen its internal controls over federal reporting by implementing policies and procedures that include a monitoring process to ensure that FFATA reporting occurs as required for subawards of $30,000 or more in SAM.gov by the end of the month following the month the subawards are made. B. Agree Implementation Date: April 2026 The Department will document and implement internal monitoring policies and procedures, including the performance of reconciliations of reports, to ensure that the required PR28 and Quarterly Performance Reports are accurate and complete. This will include maintaining documentation of evidence of the review and approval of each report prior to its submission to the federal government.
Finding 2025-044 Compliance with Activities Allowed or Unallowed and Allowable Costs/Cost Principles for the Coronavirus Capital Projects Fund The Department administers the federal Coronavirus Capital Projects Fund program (CCPF) [ALN 21.029] for non-entitlement municipalities, counties, and subcontractors to carry out capital development and infrastructure activities related to increasing awareness, education, and monitoring of the Coronavirus emergency by developing broadband infrastructure. Examples of activities related to CCPF include the development of fiber-optic broadband infrastructure and investments in improving broadband infrastructure within a municipality, addressing affordability and access to broadband infrastructure, and the development and improvement of buildings that directly enables work related to the education and monitoring of the Coronavirus emergency. The Department’s accounting section records all financial transactions within CORE and must ensure the accurate reporting of federal award expenditures and reimbursements and maintain adequate supporting documentation related to transactions recorded in CORE. The Department’s accounting section is also responsible for providing information through the submission of exhibits to the Office of the State Controller (OSC) to assist in preparation of the State’s financial statements, required note disclosures, and the State’s Schedule of Expenditures of Federal Awards (SEFA). For Fiscal Year 2025, the Department reported $33.7 million in expenditures for CCPF. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department’s internal controls over the CCPF payment processes and to determine whether payments were processed and paid in accordance with state regulations and federal “allowable cost” requirements during Fiscal Year 2025. As part of our audit work, we obtained from the Department the Fiscal Year 2025 expenditures listing for CCPF, comprised of eight transactions. We tested five transactions as part of our testing of the Department’s compliance with federal allowable cost requirements for the CCPF program. We also reviewed the Department’s Exhibit K1, Schedule of Federal Assistance, which it submitted to the OSC for Fiscal Year 2025 year-end reporting, and the related supporting documentation, including CORE transaction detail for revenues and expenditures associated with CCPF, to determine whether Department accounting staff prepared the exhibit in accordance with the OSC’s Fiscal Procedures Manual (Manual), and to determine whether the Exhibit K1 was accurate and complete. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: • Federal regulations [2 CFR 200.403] require that costs under federal awards must be necessary, reasonable, and allocable; conform to any limitations or exclusions; be consistent with policies and procedures; receive consistent treatment; adhere to GAAP; not be used for cost sharing of other programs; and be adequately documented. • Federal regulations [2 CFR 200.302] require that recipients must expend and account for the federal award in accordance with State laws and procedures for expending and accounting for the State’s funds. All recipients’ financial management systems, including records documenting compliance with federal statutes, regulations, and the terms and conditions of the federal award, must be sufficient to permit the preparation of reports required by the terms and conditions; and tracking expenditures to establish that funds have been used in accordance with federal statutes, regulations, and the terms and conditions of the federal award. • The OSC’s Manual contains instructions for the completion of exhibits. Specifically, the Exhibit K1 is used to report federal expenditure information to the OSC for inclusion in the State’s SEFA. • Federal regulations [2 CFR 200.303] state that each recipient of federal funds must establish and maintain effective internal controls over its federal awards, which provide reasonable assurance that the recipient is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. The OSC has adopted the Green Book as the State’s standard for internal controls, which all state agencies must follow. Green Book, Paragraphs 3.09 and 3.10, states that management is to develop and maintain documentation of its internal control system, establishing the who, what, when, where, and why of internal control execution to personnel. What problem did the audit work identify? Through our audit testwork, we identified an error with 1 of the 5 expenditures (20 percent) tested. Specifically, the Department recorded the expenditure transaction, which totaled $3,266,662, twice in CORE. Further, because CORE is programmed to automatically record earned federal revenue when a federal expenditure is recorded, the Department also recorded federal revenue in CORE to match the duplicate federal expenditure. As a result, the Department overstated both revenues and expenditures for CCPF by $3,266,662. In addition, the Department overstated its Fiscal Year 2025 CCPF expenditures on its Exhibit K1 by $3,266,662. After we notified Department staff of the errors, they provided a corrected Exhibit K1 to the OSC. The Department passed on correcting the overstated expenditures and revenues in CORE because, based on discussions with the auditors, the amount was not material. Why did this problem occur? The Department lacked sufficient internal controls during Fiscal Year 2025 over its financial management and federal allowable cost compliance requirements for the CCPF program. Specifically, the Department lacked sufficient training over the calculation of its year-end accrued liabilities. The Department incorrectly calculated and recorded the year-end accrual entry in CORE, and lacked adequate internal review processes, including a supervisory review process, to ensure the program’s accrued expenditures—and ultimately amounts reported on the Exhibit K1—were accurate and complete. Why does this problem matter? By failing to have strong internal controls over the recording and monitoring of federal expenditures and revenues, the Department cannot ensure that financial records are accurate, complete, and recorded in a timely manner. Internal review and approval processes reduce the risk of material misstatements affecting federal awards. Additionally, insufficient controls over federal program requirements can lead to a lack of accountability, making it difficult to demonstrate compliance and potentially resulting in further scrutiny or penalties from federal oversight bodies. Finally, failing to properly report expenditures of federal funds on its Exhibit K1, if uncorrected, could cause the State’s overall SEFA to be inaccurate and out of compliance with federal regulations. See "Schedule of Findings and Questioned Costs" for table/chart. Recommendation 2025-044 The Department of Local Affairs should strengthen its internal controls over the financial management of federal Coronavirus Capital Projects Fund grant expenditures by implementing an adequate supervisory review process and training for staff over year-end estimates/accruals to ensure transactions are accurately recorded in the Colorado Operations Resource Engine (CORE), the State’s accounting system; and that the Exhibit K1, Schedule of Federal Assistance, is accurate and complete. Response Department of Local Affairs Agree Implementation Date: April 2026 The Department of Local Affairs (Department) agrees with the recommendation to strengthen internal controls over the financial management of federal Coronavirus Capital Projects Fund grant expenditures and the accuracy and completeness of the Exhibit K1, Schedule of Federal Assistance. The Department will develop a corrective action plan that includes enhanced procedures for the performance of year-end estimates/accruals. The Department will create and implement staff training for staff that are responsible for preparing and reviewing the estimates/accruals, the Exhibit K1, grant transactions and enhancements.
Finding 2025-045 Compliance with Reporting for Immunization Cooperative Agreements – FFATA Reporting The Department is required to comply with the Federal Funding Accountability and Transparency Act of 2006 (Transparency Act or FFATA) for its Immunization Cooperative Agreements program [ALN 93.268] (Program). The Transparency Act was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public, including information about amounts passed through to subrecipients. The Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulation [2 CFR 200.1] defines a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a federal grant award received by the pass-through entity. A subrecipient is defined in federal regulation [2 CFR 200.1] as an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency. The Department is required to submit FFATA information through the federal government’s System for Award Management website, SAM.gov. Once the Department submits a report to SAM.gov, the public can view information from the report, including the subrecipient’s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department’s name, and the Department’s grant award identification number. In Fiscal Year 2025, the Department reported $112.0 million in total Program expenditures. Of this amount, the Department issued $15.8 million in subawards under the Program. The Department had 70 subrecipients with subawards for which it was required to submit FFATA information through SAM.gov during the fiscal year. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls over and complied with FFATA reporting requirements for the Program during Fiscal Year 2025. As part of our audit work, we requested the Department’s policies and procedures over FFATA reporting and a list of all subrecipients for the Program during Fiscal Year 2025. We also inquired with Department staff about its internal control processes related to FFATA reporting. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: In accordance with federal regulations [2 CFR 170, Appendix A], the Department is required to report subawards of $30,000 or more to SAM.gov by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to SAM.gov in May 2025 if it made an award or supplemental award equal to or greater than $30,000 in April 2025. Federal regulations [2 CFR 200.303] require the Department to establish and maintain effective internal controls over federal awards that provide reasonable assurance that the Department is managing its federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal award. The Department’s policies and procedures related to FFATA reporting state that its grants accountant is responsible for performing monthly FFATA reporting. What problem did the audit work identify? We determined that the Department did not comply with FFATA reporting requirements for the Program during Fiscal Year 2025. Specifically, the Department did not submit any FFATA reports to SAM.gov for the Program’s subawards issued during Fiscal Year 2025 and, as a result, did not report approximately $15.2 million in subawards for Fiscal Year 2025. Why did this problem occur? The Department did not have adequate internal controls over federal reporting requirements in place for the Program during Fiscal Year 2025. Specifically, the Department’s existing policies and procedures were not detailed enough to ensure that FFATA reporting was completed in accordance with federal requirements. The procedures in place designated one individual who was responsible for the FFATA reporting process, but did not include procedures to identify when FFATA reporting was required for subawards or to ensure that appropriate reporting was completed when required. Additionally, the Department’s procedures did not include any secondary review process over FFATA reporting or a process to ensure that FFATA reporting had been completed as required. Why does this problem matter? By failing to properly report FFATA subawards through SAM.gov, the Department is out of compliance with federal reporting requirements, risks federal sanctions, and does not meet the federal intent of transparency for federal program spending. See "Schedule of Findings and Questioned Costs" for table/chart. Recommendation 2025-045 The Department of Public Health and Environment should strengthen its internal controls over, and ensure it complies with, the Federal Funding Accountability and Transparency Act of 2006 (FFATA) reporting requirements for its Immunization Cooperative Agreements program. This should include updating its existing policies and procedures to include a monthly review of all subawards in order to identify those required to be reported each month and a secondary review process of the FFATA reports and submissions to ensure that FFATA reporting has been completed as required. Response Department of Public Health and Environment Agree Implementation Date: July 2026 CDPHE fiscal procedures have been updated to reflect changes to the reporting process, specifically noting the recent federal website change and adding the requirement of a secondary level of review. By July 31, 2026, all outstanding FFATA reports will be filed with the federal government and the monthly review process in the updated fiscal procedures will be implemented.
Finding 2025-046 Compliance with Subrecipient Monitoring for Disaster Grants The Federal Emergency Management Agency (FEMA) Disaster Grants program [ALN 97.036] provides supplemental assistance to recipients to assist communities with responding to and recovering from major disasters or emergencies. The program also provides funding for hazard mitigation measures to help communities implement hazard mitigation projects that can protect them from future disasters. The Disaster Grants program is based on a partnership between FEMA, the recipient (in this case, the Department), and, as applicable, the subrecipient (local governments). FEMA is responsible for managing the Disaster Grants program, approving grants, and providing technical assistance to the state, local, tribal, and territorial governments. The Department, as a recipient of Disaster Grants program funds, is responsible for providing technical advice and assistance to eligible subrecipients, providing support for damage survey activities, ensuring that all potential applicants are aware of funding assistance available, and submitting documents necessary for grant awards. A subrecipient is defined in federal regulations [2 CFR 200.1] as an entity, usually but not limited to non-federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity (such as the Department) to an entity (subrecipient) to carry out part of a federal grant award received by the pass-through entity. Specifically for this program, the subrecipient is expected to request assistance, as needed; identify the damaged facilities; provide information to support its funding requests; maintain accurate documentation; and perform other work, as necessary. As part of its subrecipient monitoring process, the Department should complete an annual risk assessment to determine the extent of its subrecipient monitoring activities. The risk assessment should include considerations of financial risk factors, such as financial implications of operational and compliance failures; operational risk factors, such as risks resulting from inadequate internal controls; and compliance risks, such as violations with laws, regulations, and internal policies. In addition, the Department should be using monitoring tools to track the status of whether the subrecipient underwent a Single Audit, if applicable, and whether that audit has been reviewed by Department staff and any resulting management decisions issued by those staff to the subrecipient, if applicable, that address the Department’s assessment and planned actions to address any findings or issues identified in the audit During Fiscal Year 2025, the Department passed approximately $76.0 million to 66 subrecipients for responses to various disasters covered by the Department’s Disaster Grants program. In addition, the Department reported that it approved no new subawards during Fiscal Year 2025. All funds passed through to subrecipients by the Department were related to reimbursements for prior period expenses. In total, the Department reported that it had passed through Disaster Grant funding to another 68 subrecipients in prior years who did not receive funding passed through from the Department during Fiscal Year 2025; many of these subrecipients had multiple open projects that had been completed in prior years but were awaiting final approval and close-out from FEMA. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls in place over, and complied with, subrecipient monitoring requirements over the Disaster Grants program during Fiscal Year 2025. Another purpose of the audit work was to determine whether the Department implemented our Fiscal Year 2024 audit recommendation to review all subrecipients’ federally-required Single Audit reports, as required. The Department agreed with the recommendation and planned to implement it by June 2025. As part of our audit work, we performed testwork to determine whether the Department obtained its subrecipients’ Single Audit reports and issued a management decision, if applicable. We also determined whether the Department performed risk assessments on the subrecipients as required by federal regulations. Finally, we performed this testing over a random sample of 9 of 68 subrecipients that received pass-through funding in the current year. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: • Federal regulations [2 CFR 200.332] require the Department to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate level of subrecipient monitoring based on the Department’s assessment of risk posed by the subrecipients. Additionally, it requires the Department to verify that every subrecipient is audited as required by 2 CFR 200, Subpart F, Audit Requirements, which sets forth the federal regulations around Single Audit threshold requirements for subrecipients. It also covers the federal regulations to consider whether the results of the subrecipient’s audits indicates conditions that necessitate adjustment to the passthrough entity’s—in this case, the Department’s—own records. Further, federal regulations [2 CFR 200.521] require the Department to issue a management decision, which is defined as the Department’s written determination of the adequacy of the subrecipient’s proposed corrective action to address any findings in the subrecipient’s Single Audit reports within 6 months of the federal audit clearinghouse’s acceptance of the audit report. • The Department’s Division of Homeland Security and Emergency Management’s (DHSEM) Subrecipient Monitoring policy states that it “…will perform an annual evaluation of Subrecipient’s risks prior to the start of each State fiscal year, analyzing active awards and assessing Subrecipients for the upcoming year to determine the financial status of each Subrecipient and which subrecipients will receive on-site monitoring which may include desk reviews.” The policy further goes on to indicate that each subrecipient will receive an overall risk score that is used to determine which subrecipients will undergo monitoring review during the fiscal year based on the quantitative and qualitative data used for the assessment inputs. • The DHSEM Subrecipient Monitoring policy also states that “DHSEM will perform reviews of single audit results for Subrecipients who have expended Federal grant funds in excess of $750,000 of which some portion is passed through DHSEM.” • Federal regulations [2 CFR 200.329] stipulate that the non-federal award recipient—in this case the Department—is responsible for oversight of the operations of its federal award-supported activities. The regulations further state that the “non-federal entity” must monitor its activities under federal awards to assure that compliance with applicable federal requirements and performance expectations is being achieved. What problems did the audit work identify? Based on our audit work, we determined that the Department did not fully implement our prior audit recommendation by its planned implementation date of June 30, 2025, and did not complete required subrecipient monitoring activities for its Disaster Grants program. Specifically, we found that the Department did update the risk assessment policies for the 2025 risk assessment and fully assessed risks for subrecipients for Fiscal Year 2025. However, there was one subrecipient that had not yet issued a finalized audit report and, therefore, the Department’s subrecipient monitoring process was pending completion. Why did these problems occur? Although the Department designated staff to obtain and review Single Audit reports for all of its subrecipients, Department staff stated that they were not able to complete their reviews of previously unreviewed Single Audit reports during Fiscal Year 2025, as letters were still being processed for execution and distribution under the updated policies. The Department also subsequently stated that some of these reviews were incomplete due to the subrecipients not yet finalizing their Single Audits with their auditors. Why do these problems matter? By failing to complete all of its reviews of subrecipients’ Single Audit reports, the Department is out of compliance with both federal requirements and with its policy to complete monitoring reviews for each subrecipient. This could result in the Department not timely identifying enforcement actions that may be needed against noncompliant subrecipients and then making revisions, as applicable, to its monitoring risk assessment for the subrecipient. See "Schedule of Findings and Questioned Costs" for table/chart. Recommendation 2025-046 The Department of Public Safety (Department) should continue to implement its subrecipient monitoring policy and ensure the Department is in compliance with federal regulations to review all subrecipients’ Single Audit reports in a timely manner. This should also include the Department completing its reviews of the subrecipients’ prior year’s Single Audit reports and issuing the management decision letters for those reports. Response Department of Public Safety Agree Implementation Date: June 2026 The Department will continue to follow the current Policy and Procedure related to the Single Audit reviews and has allocated an individual to review the Single Audits. This includes issuing a management decision letter if required, in accordance with the timeline established in federal guidance.
Finding 2025-047 Compliance with Reporting for the Highway Safety Cluster The Department is required to comply with the Federal Funding Accountability and Transparency Act of 2006 (Transparency Act or FFATA) for its Highway Safety Cluster programs, specifically the State and Community Highway Safety [ALN 20.600] and National Priority Safety Programs [ALN 20.616] (Programs). The Transparency Act was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public, including information about amounts passed through to subrecipients. The Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations (also referred to as subrecipients). Federal regulation [2 CFR 200.1] defines a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a federal grant award received by the pass-through entity. A subrecipient is defined in federal regulation [2 CFR 200.1] as an entity, usually but not limited to non-federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. The Department is required to file FFATA reports through the System for Award Management website, SAM.gov. Once the Department submits a report to SAM.gov, the public can view certain information from the report, including the subrecipient’s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department’s name, and the Department’s grant award identification number. In Fiscal Year 2025, the Department reported approximately $12.9 million in total for the Programs’ expenditures. Of this amount, the Department issued about $6.8 million in subawards under the Programs. The Department had 70 subrecipients with subawards it was required to submit FFATA information for through SAM.gov during the fiscal year. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls over and complied with FFATA reporting requirements for the Highway Safety Cluster Programs during Fiscal Year 2025. Another purpose of our audit work was to determine whether the Department implemented our Fiscal Year 2024 audit recommendations to strengthen its internal controls over and to ensure it complies with FFATA reporting requirements for the Highway Safety Cluster Programs. The Department agreed with these recommendations and planned to implement them by June 2025. As part of our audit work, we selected 24 Fiscal Year 2025 subrecipient expenditure transactions out of a total of 70 subrecipient transactions for which FFATA reporting was required for these Programs. We obtained copies of the FFATA reports that the Department uploaded to SAM.gov and obtained subaward agreements and purchase orders for each sample. We compared the Department’s subaward information to the information the Department submitted to SAM.gov to determine whether the Department reported accurate information. In addition, we performed testwork to determine whether the Department submitted the FFATA reports within the month following the month it made the subaward, as required by federal regulations. We also tested the Department’s progress in implementing our prior audit recommendations by reviewing their updated policies and procedures. How were the results of the audit work measured? We measured the results of our audit work against the following: • Federal regulations [2 CFR 170] require direct recipients of federal grants to report subawards of $30,000 or more to SAM.gov by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to SAM.gov in May 2025 if an award or supplemental award equal to or greater than $30,000 was made in April 2025. Federal regulations [2 CFR 200.303] require the non-federal entity—in this instance the Department—to establish and maintain effective internal controls over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. • Federal regulation [2 CFR 200.332 (a)(1)] states that the Department’s subawards must clearly identify certain information, including but not limited to, the unique entity identifier, the Assistance Listing Number, the federal award date, and the federal award identification number. What problem did the audit work identify? Based on our audit work, we determined that the Department did not fully comply with FFATA reporting requirements for the Programs during Fiscal Year 2025 and did not fully implement our prior audit recommendations. Of the 24 subaward reports selected for testing, we identified issues on 5 subaward reports (21 percent). Specifically, we identified the following issues: • The Department was unable to provide documentation demonstrating that two subaward FFATA reports related to Fiscal Year 2024 awards had been submitted in SAM.gov. These submissions could not be located in SAM.gov. The amount of the subawards not submitted was $375,553. We further noted that these two reports had still not been submitted during Fiscal Year 2025. • For three subawards totaling $771,258, the Department did not maintain adequate documentation to support the amounts reported in SAM.gov. Specifically, the Department reported amounts of $537,573 for the three subawards, which did not agree to the Department’s subaward records, and represented a difference of $233,684. In addition, the Department did not meet the required FFATA reporting timelines for these subawards. Specifically, one subaward was reported 271 days late and two were reported 301 days late. Why did this problem occur? The Department did not have adequate internal controls in place related to FFATA reporting for the Highway Safety Cluster during Fiscal Year 2025 that ensured that reporting occurred as required for subawards of $30,000 or more in SAM.gov by the end of the month following the month the subawards are made. The Department implemented policies and procedures related to FFATA reporting during the fiscal year; however, Department staff indicated that staff were still being trained on these new procedures. In addition, the Department did not have procedures in place to ensure that, when an unsubmitted FFATA report is identified, the report is subsequently filed in SAM.gov, even if the submission is late. Why does this problem matter? By failing to properly report FFATA subawards through SAM.gov, the Department is out of compliance with federal reporting requirements, risks federal sanctions, and does not meet the federal intent of transparency for federal program spending. See "Schedule of Findings and Questioned Costs" for table/chart. Recommendation 2025-047 The Department of Transportation (Department) should strengthen its internal controls over and ensure it complies with Federal Funding Accountability and Transparency Act (FFATA) reporting requirements for the Highway Safety Cluster by: A. Ensuring that FFATA reporting occurs as required for subawards of $30,000 or more by the end of the month following the month the subawards are made and, if an unsubmitted FFATA report is identified, subsequently filing the report as soon as possible through SAM.gov, even if the submission is late. B. Providing training to Department staff to follow FFATA reporting policies and procedures. C. Ensuring Department staff follow the Department’s FFATA policies and procedures to ensure that FFATA reports are accurate and complete. Response Department of Transportation A. Agree Implementation Date: June 2026 The Department agrees with the recommendation. The Department will review, assess, and, where necessary, update existing procedures for FFATA reporting relating to the requirement that state subawards for $30,000+ be submitted within 30 days of committed budget. This will include ensuring that the confirmation date is documented. This process will be a coordinated effort between the Office Transportation Safety (OTS) and the Center for Accounting. This will include updating our reconciliation process to include additional data, reviewing and updating reconciliation and review procedures as needed, and reconciling Grants awarded in prior fiscal years that are still active and ensuring they have been appropriately reported. The findings related to this recommendation are in part the result of a federal reporting system limitation, and a federal system conversion. The legacy reporting system, FSRS, had a system limitation, which prevented the full amount of the award being reported in the case of three awards. Additionally, this conversion resulted in some data conversion issues impacting one additional award B. Agree Implementation Date: June 2026 The Department agrees with this finding and will provide any training needed to staff members to ensure that all components of the FFATA are completed accurately, timely and with proper reviews. This training will include leadership reviewing NHTSA/Federal guidelines and SAM.Gov training on FFATA reporting and requirements, documenting controls and ensuring the approvers have access to all supporting schedules, forms and systems and that they understand the subawards, and process for late submissions if needed. C. Agree Implementation Date: June 2026 The Department agrees with the finding and will ensure that staff follow all internal policies and procedures to maintain accurate and complete FFATA reporting. To achieve this, staff will review existing procedures and make any necessary updates regarding report compilation. Additionally, we will review control points to ensure they are consistently followed and approved by the team supervisor or team manager.
Finding 2025-048 Compliance with Period of Performance for the Highway Safety Cluster The objective of the federal National Highway Traffic Safety Administration’s Highway Traffic Safety Grant Programs (Highway Safety Cluster) is to provide a coordinated national highway safety program to reduce traffic crashes, deaths, injuries, and property damage. Non-federal entities apply for federal Highway Safety Cluster funds to add or improve safety features on highways and roads around the country. A condition of receiving these federal dollars is that the recipient must comply with various rules on how and when the money can be spent. The recipient must also establish and maintain effective internal controls to ensure compliance with federal statutes, regulations, and the terms and conditions of the federal award. One of these requirements is that the Department must spend the funds within the period of performance identified in the grant award. For Fiscal Year 2025, the periods of performance for the Department’s grant awards for this program were each 4-year periods, as follows: October 1, 2022 through September 30, 2026; October 1, 2023 through September 30, 2027; and October 1, 2024 through September 30, 2028; depending on the year of grant funding. The Department requires a minimum of two staff that are a different reviewer and approver for all costs charged to the grant. Expenditures charged to the grant are reviewed and entered into the Department’s enterprise resource planning system, Systems, Applications, and Products in Data Processing (SAP), by grant coordinators, and then reviewed and approved by the Department’s headquarters business office staff. Grant coordinators that provide a first-level review of the grant expenditures entered into SAP and the Department’s headquarters business office staff should all be knowledgeable in allowable costs and period of performance requirements for the Highway Safety Cluster. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether: the Department had adequate internal controls over federal period of performance requirements for the Highway Safety Cluster; the Department recorded Highway Safety Cluster expenditures during the approved period of performance for the Highway Safety Cluster during Fiscal Year 2025; and costs were allowable under the grant. As part of our audit work, we selected all seven expenditure transactions charged to the Highway Safety Cluster grant during the first 30 calendar days of the period of performance for the four grant awards in place during Fiscal Year 2025. For example, for the Fiscal Year 2025 grant awards, the beginning date of the period of performance was October 1, 2024, so we reviewed expenditures charged to the grant from October 1 through October 30, 2024. We reviewed the Department’s supporting documentation to support the date each expense was incurred and evidence of internal controls related to approval of the expense. Another purpose of our audit work was to determine whether the Department implemented our Fiscal Year 2024 audit recommendations to: • Enforce its existing policies and procedures that require that grant expenditures be allowable, and that two individuals review the related supporting documentation for compliance with grant requirements. This should include monitoring to ensure that Department personnel performing the reviews review the related supporting documentation for incurred dates in order to verify that expenditures comply with the applicable award period of performance; adjustments should be made for any expenditures charged to an award outside the proper period of performance. • Provide additional training to Department personnel on period of performance compliance requirements. The Department agreed with these recommendations and planned to implement them by June 2025. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: • Federal regulations [2 CFR 200.308, 200.309, and 200.403(h)] state that a non-federal entity may charge only allowable costs incurred during the approved budget period of a federal award’s period of performance and any costs incurred before the federal awarding agency or passthrough entity made the federal award that were authorized by the federal awarding agency or pass-through entity. A period of performance may contain one or more budget periods. A budget period represents the specific time frame approved by the federal awarding agency for using grant funds. • The Department’s internal control procedures over federal expenditure approval and processing require that all federal grant expenditures must have adequate supporting documentation, such as an invoice, purchase order, or reimbursement request, included with the transaction and the supporting documentation must be reviewed for allowability under the applicable federal grant program by two individuals. What problems did the audit work identify? Based on our audit work, we determined that the Department did not fully comply with the period of performance requirements for the Highway Safety Cluster during Fiscal Year 2025 and did not fully implement our prior audit recommendations. Based on our audit testwork, 2 of the 7 transactions selected for testing (29 percent) had expenses recorded to the grant that were incurred outside the period of performance; each expense was incurred one day prior to the start of the period of performance. We further verified with the Department that the expenditures were not specifically authorized by the federal awarding agency to be charged to the grant. These errors resulted in questioned costs totaling $347. Why did these problems occur? This problem occurred because the Department’s internal controls were not operating effectively to ensure that expenditures charged to the Highway Safety Cluster were incurred within the award’s period of performance. Specifically, the Department’s reviewers of the transactions for which the problems occurred did not ensure the transactions were fully within the period of performance. Both transactions related to employee reimbursements of travel expenses for the period September 30, 2024 through October 4, 2024. The Department’s reviewers did not identify that the expenses for September 30, 2024 should have been charged to a different grant award, and the Department did not split the invoice into two transactions to allocate the expenses to the appropriate grant award based on the period of performance of those grant awards. Department personnel did not appear to be sufficiently trained on the Highway Safety Cluster’s period of performance compliance requirements. Why do these problems matter? By failing to properly record expenditures to the Highway Safety Cluster within the grant award’s period of performance, the Department risks its costs being deemed unallowable by the federal awarding agency. See "Schedule of Findings and Questioned Costs" for table/chart. Recommendation 2025-048 The Department of Transportation (Department) should ensure that it complies with federal Highway Safety Cluster grant period of performance requirements by: A. Enforcing its existing policies and procedures that require that grant expenditures be allowable, and that two individuals review the related supporting documentation for compliance with grant requirements. This should include ensuring that Department personnel performing the reviews review the related supporting documentation for incurred dates in order to verify that expenditures comply with the applicable award period of performance and making adjustments for any expenditures charged to an award outside the proper period of performance. B. Providing training to Department personnel to ensure that staff understand and can apply the period of performance requirements. Response Department of Transportation A. Agree Implementation Date: April 2026 The Department agrees with the recommendation. The Center for Accounting (CFA) and the Office of Transportation Safety (OTS) have coordinated to implement updated reviews and controls. This implementation involves reviewing current processes to ensure supporting documentation is vetted and grant compliance is verified prior to payment. It also includes assessing the need for increased monitoring to ensure initial program reviews are complete and accurate. This remediation effort was finalized on June 30, 2025, following the September 2024 transaction in question. Additionally, the Department plans to review the remediation plan with all relevant staff again this season. This will ensure that all supporting documentation is thoroughly vetted and that expenditures comply with the applicable award period of performance B. Agree Implementation Date: April 2026 The Colorado Department of Transportation (CDOT) agrees with the recommendation. The Center for Accounting (CFA) and the Office of Transportation Safety (OTS) have coordinated on its implementation. The Department has assessed and updated training for staff responsible for reviewing and approving invoices for Highway Safety Cluster grants, with a specific focus on the period of performance. This training plan will be revisited and reviewed with all staff involved by April 2026.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Transportation (Department) in the previous year and has not been remediated as of June 30, 2025 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Disposition of Prior Audit Recommendations of this report. Finding 2024-058 Compliance with Subrecipient Monitoring for the Formula Grants for Rural Areas and Tribal Transit Program, Highway Safety Cluster, and SLFRF The Department receives federal grant funds directly from the federal government for the Formula Grants for Rural Areas and Tribal Transit Program, Highway Safety Cluster, and the Coronavirus State and Local Fiscal Recovery Funds (SLFRF) program and then subgrants, or passes through, a portion of the funds to cities and counties and other organizations that are considered to be either a subrecipient or a contractor. For Fiscal Year 2024, the Department had the following transactions that were subject to subrecipient monitoring testing: • Formula Grants for Rural Areas and Tribal Transit Program – 783 subrecipient transactions totaling $23,075,270. • Highway Safety Cluster – 829 subrecipient transactions totaling $5,669,865. • SLFRF – 232 subrecipient transactions totaling $38,321,493. For the SLFRF program, Intergovernmental Agreements are executed between the Department and subrecipients to communicate all relevant federal award information. For both the Formula Grants for Rural Areas and Tribal Transit Program and Highway Safety Cluster, Subaward Agreements (subawards) are executed between the Department and subrecipients to communicate all relevant federal award information. Intergovernmental Agreements and subawards are signed by authorized State personnel, generally the State Controller and the Department’s Chief Engineer. The Department includes a “Subrecipient Risk Assessment” tool with its Intergovernmental Agreements or subawards, which must be completed by Department staff prior to making the award. The Department’s subrecipient monitoring procedures are dependent on the assessed risk level noted in the Subrecipient Risk Assessment tool. Federal regulations [2 CFR Part 200 Section F] state that a non-federal entity that expends $1,000,000 or more in federal awards during the non-federal entity’s fiscal year must have a Single Audit conducted in accordance with 2 CFR 200.514. The Department’s Internal Audit Division staff tracks and receives Single Audit reports from its subrecipients. As part of the Department’s monitoring procedures, the Internal Audit Division personnel complete a “Single Audit Report Review Summary” form to show they reviewed the subrecipient’s Single Audit report, summarized any findings, and concluded on any risks presented to the Department and any related future actions to be taken. The form is signed by a Department preparer and a Department reviewer. For those subrecipients not required to file a Single Audit, an “Audit Division Single Audit Certification Form” must still be submitted by the subrecipients to the Department. These forms note that the entity was exempt from a Single Audit. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine if the Department complied with federal requirements for subrecipient monitoring during Fiscal Year 2024 for the Formula Grants for Rural Areas and Tribal Transit Program, Highway Safety Cluster, and the SLFRF program and to determine whether the Department had adequate internal controls over subrecipient monitoring. As part of our audit work, we reviewed the Department’s internal controls over compliance for subrecipient monitoring and tested the Department’s compliance with federal subrecipient monitoring requirements. Specifically, we performed the following testwork related to each of the following federal programs: • Formula Grants for Rural Areas and Tribal Transit Program—We selected and reviewed a random sample of 40 subrecipient payment transactions. We reviewed subawards, amendments, and other supporting documentation provided by the Department. • Highway Safety Cluster—We selected and reviewed a random sample of 40 subrecipient payment transactions. We reviewed subawards, amendments, and other supporting documentation provided by the Department. • SLFRF—We selected and reviewed a random sample of 29 subrecipient payment transactions. We reviewed Intergovernmental Agreements, amendments, and other supporting documentation provided by the Department. How were the results of the audit work measured? Our audit work was designed to measure the Department’s compliance with the following criteria: • Federal regulation [2 CFR 200.303] states that the Department, as a federal grant recipient, must “establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.” • Federal regulation [2 CFR 200.332 (a)(1)] states that the Department’s subawards must clearly identify certain information, including but not limited to, the ALN, the Federal Award Date, and the FAIN. • Federal regulation [2 CFR 200.331] states that a pass-through entity, in this case the Department, must make case-by-case determinations as to whether each agreement it makes for the disbursement of federal program funds represents a payment of funds to a subrecipient or a contractor, depending on the role the entity plays. What problems did the audit work identify? We determined that the Department did not fully comply with subrecipient monitoring requirements during Fiscal Year 2024. Specifically, we noted the following: • Formula Grants for Rural Areas and Tribal Transit Program o For 10 of 40 (25 percent) subrecipient payment transactions selected for testing, we determined the subaward documents did not contain the federal award date in the subaward agreement, as required. The 10 transactions totaled $7,432,248 in subrecipient awards. • Highway Safety Cluster o For 1 of 40 (3 percent) subrecipient payment transactions selected for testing, we determined that the subrecipient should have been classified as a contractor, not a subrecipient. The transaction totaled $75,325. The Department had not made an adjusting entry in CORE to reclassify the transaction and correct this error by the end of our audit testwork. o For 5 of 40 (13 percent) subrecipient payment transactions selected for testing, we determined the subaward documents did not contain the federal award date in the subaward agreement. The 5 transactions totaled $25,100 in subrecipient awards. • SLFRF o For 2 of 29 (7 percent) subrecipient payment transactions selected for testing, we determined that the Intergovernmental Agreement did not include the FAIN and Federal Award Dates. The 2 transactions totaled $3,277,779 in subrecipient awards. o For 1 of 29 (3 percent) subrecipient payment transactions selected for testing, we determined the transaction did not include the ALN. This transaction totaled $1,851,279 in subrecipient awards. Why did these problems occur? The Department’s procedures and internal controls were not sufficient to ensure that Intergovernmental Agreements and subawards included all the required information to be included in the subaward, and internal controls did not prevent or detect errors. Department staff were not aware that this information was needed for the subaward to be in compliance with federal regulations. In some situations, the FAIN was only provided to the Department from the U.S. Department of Transportation subsequent to when the subaward was made. In these instances, the Department was not aware that they were required to provide the FAIN to their subrecipients once it was determined by the U.S. Department of Transportation. The Department’s procedures and internal controls were not sufficient to ensure that payments were properly classified as general disbursements or subrecipient payments, and internal controls did not prevent or detect errors. Department staff lacked the appropriate knowledge of the difference in contractors and subrecipients to ensure the proper classification of expenditures. The Department’s reviewers did not complete a sufficient review of the expense classifications to be able to identify the misclassification and propose a subsequent correction. Why do these problems matter? Based on the issues we identified, the Department is out of compliance with federal subrecipient requirements and could face sanctions or other penalties. In addition, by failing to properly report the required federal grant award information at the time of subaward issuance, subrecipients may be uninformed about what funding the subaward related to. This could result in misclassification of subaward information on the subrecipients’ Schedules of Expenditures of Federal Awards (SEFA) and the subrecipient may not know what federal requirements they need to follow as part of receiving the federal award funds. The Department’s improper classification of expenses as general disbursements versus subrecipient payments could lead to misstatements in the amounts reported on the SEFA, both for the State as a whole and at the subrecipient level. See "Schedule of Findings and Questioned Costs" for chart/table. Recommendation 2024-058 The Department of Transportation (Department) should strengthen its internal controls over and ensure that it complies with federal subrecipient monitoring requirements for the Formula Grants for Rural Areas and Tribal Transit Program, the Highway Safety Cluster, and the Coronavirus State and Local Fiscal Recovery Funds. Specifically, the Department should ensure that all required information is included in subawards or intergovernmental agreements or provide amendments to the subawards or intergovernmental once the Department receives the necessary information from the federal government, and that Department staff are sufficiently aware of the difference in subrecipients and contractors and properly classify general disbursements versus subrecipient payments. Response Department of Transportation Agree Implementation Date: June 2026 Department will strengthen controls to ensure that the required award information is provided, once available. Certain information such as Federal Award Identification Number and Federal Transit Administration and National Highway Traffic Safety Administration award date are not available at the time of contracting CDOT is working on a process to provide this information, once it is available in a publicly available format on CDOT’s website or on a subrecipient facing grant management site. We will add a note to the contract explaining where the information will be posted on our site when it becomes available. The Department will also identify staff requiring additional training on classification and coding for contractors vs. subrecipients.