2025-066: Improve Web Application Security
Applicable to: Department of Health
Assigned Topic: Access Control; Configuration Management; System and Communications Protection
Prior Finding Number: N/A
Finding Type: Internal Control and Compliance
Finding Severity: Significant Deficiency
Financial Statement Finding: Yes
Federal Awards Finding: Yes
ALPT - ALN: WIC Special Supplemental Nutrition Program for Women, Infants, and Children - 10.557
Federal Award ID (Year): 251VA707W1006 (2025)
Federal Agency: U.S. Department of Agriculture
Compliance Requirement: Other - 2 CFR §200.303(e)
Known Questioned Costs: $0

Health does not secure the web application, which supports the system it uses for eligibility determination for the WIC Special Supplemental Nutrition Program for Women, Infants, and Children federal grant program, with the minimum security controls required by the Security Standard. We communicated the weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia because it contains descriptions of security mechanisms. The weaknesses identified resulted from limited management oversight and staffing constraints within OIM. Health should dedicate the resources necessary to develop and maintain adequate documentation and implement all security controls required by the Security Standard. Addressing these weaknesses will help ensure the confidentiality, integrity, and availability of data and support compliance with the Security Standard.

Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-027: Ensure Subrecipients are not Suspended or Debarred
Applicable to: Department of Agriculture and Consumer Services
Assigned Topic: Federal Grants Management
Prior Finding Number: N/A
Finding Type: Internal Control and Compliance
Finding Severity: Significant Deficiency
Financial Statement Finding: No
Federal Awards Finding: Yes
ALPT - ALN: Commodity Supplemental Food Program - 10.565; Emergency Food Assistance Program (Administrative Costs) - 10.568; Emergency Food Assistance Program (Food Commodities) - 10.569
Federal Award ID (Year): 251VA827Y8005 (2025), 251VA447Q2204 (2025), 251VA827Y8105 (2025)
Federal Agency: U.S. Department of Agriculture
Compliance Requirement: Procurement and Suspension and Debarment - 2 CFR § 180.300
Known Questioned Costs: $0

During the annual subaward agreement renewal process, the Virginia Department of Agriculture and Consumer Services (Agriculture) did not verify that its subrecipients for the Food Distribution federal grant program were not suspended or debarred. Although Agriculture maintains comprehensive signed agreements and communicates grant award provisions to subrecipients, it did not comply with any of the three verification methods prescribed in Title 2 of the Code of Federal Regulations (CFR) § 180.300. Title 2 CFR § 180.200 defines covered transactions to include contracts for goods and services awarded in a non-procurement transaction and requires a nonfederal entity to verify that parties at the next lower tier are not excluded or disqualified before entering such transactions. Title 2 CFR § 180.300 permits nonfederal entities to meet this requirement by (a) reviewing exclusions in the System for Award Management (SAM), (b) obtaining a certification from the subrecipient, or (c) including a clause or condition in the covered transaction addressing suspension and debarment.

Although Agriculture was aware of these requirements, it did not formalize suspension and debarment verification procedures within its subaward guidance or agreement documents and, as a result, did not perform the required verification during the annual renewal process. Consequently, Agriculture increases the risk of entering covered transactions with suspended or debarred parties. Agriculture should update its grant award guidance and related subaward documents to ensure it verifies suspension and debarment status during the annual subaward agreement renewal process. In addition, management should implement oversight controls to ensure the sub-awarding process consistently complies with the requirements of Title 2 CFR Part 180.

Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-041: Obtain, Review, and Document System and Organization Control Reports of Third-Party Service Providers
Applicable to: Department of Social Services
Assigned Topic: Third-Party Service Providers (Non-Information Systems)
Prior Finding Number: 2024-010; 2023-085; 2022-089; 2021-019
Finding Type: Internal Control and Compliance
Finding Severity: Significant Deficiency
Financial Statement Finding: Yes
Federal Awards Finding: Yes
ALPT - ALN: Supplemental Nutrition Assistance Program – 10.551; Summer Electronic Benefit Transfer Program for Children - 10.646
Federal Award ID (Year): 251VA407Q3903 (2025); 251VA407N1175 (2025)
Federal Agency: U.S. Department of Agriculture
Compliance Requirement: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Social Services continues to implement its corrective actions for obtaining, reviewing, and documenting System and Organization Control (SOC) reports of third-party service providers, specifically SOC 1, Type 2 reports. In response to prior audit recommendations, Social Services created a policy and procedure outlining the expectations for obtaining, reviewing, and documenting SOC 1, Type 2 reports and designated contract administrators as the party responsible for implementing the policies and procedures. Additionally, Social Services created training and a questionnaire that will guide contract administrators when conducting their review of the SOC 1, Type 2 report. However, because of the extent of its corrective actions, Social Services was unable to fully implement its policy and procedure as of the end of fiscal year 2025.

SOC 1, Type 2 reports address the operating effectiveness of third-party service providers’ internal controls and the effect those internal controls may have on a user entity’s financial statements. Social Services uses third-party service providers to perform functions that are significant to its financial operations, such as administering the electronic benefit transfer (EBT) process for several of its public assistance programs. During fiscal year 2025, Social Services’ third-party service provider issued nearly $2 billion in financial assistance to beneficiaries on EBT cards. Commonwealth Accounting Policies and Procedures (CAPP) Manual Topic 10305 requires agencies to have adequate interaction with third-party service providers to appropriately understand their internal control environment and maintain oversight over them to gain assurance over outsourced operations. Additionally, 2 CFR § 200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over federal awards to ensure compliance with applicable laws, regulations, and award terms.

Without fully implementing its policy and procedure, Social Services may not fully assess whether its complementary user entity controls are sufficient to support reliance on the third-party service providers’ controls. Additionally, by not obtaining the necessary SOC 1, Type 2 reports timely or properly documenting its review of the reports, Social Services may not timely detect a weakness in a third-party service provider’s environment. Social Services should continue to implement its corrective actions for obtaining, reviewing, and documenting SOC 1, Type 2 reports to comply with the CAPP Manual provisions and federal regulations.

Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-012: Strengthen Controls Over Payroll Costs Charged to Federal Grants
Applicable to: Department of Energy
Assigned Topic: Federal Grants Management
Prior Finding Number: N/A
Finding Type: Internal Control and Compliance
Finding Severity: Material Weakness
Financial Statement Finding: No
Federal Awards Finding: Yes
ALPT - ALN: Abandoned Mine Land Reclamation (AMLR) - 15.252
Federal Award ID (Year): S24AF00004 (2022); S24AF00039 (2023); S24AF00050 (2024)
Federal Agency: U.S. Department of the Interior
Compliance Requirement: Activities Allowed or Unallowed - 2 CFR § 200.430(g)
Known Questioned Costs: $0

The Department of Energy (Energy) does not have sufficient controls to ensure that employee compensation (payroll costs) charged to the Abandoned Mine Land Reclamation (AMLR) federal grant program accurately reflects the actual work employees perform. Energy allocates and charges payroll costs to the AMLR grant program based on predetermined percentages assigned to each position. Energy’s management establishes these percentages at the beginning of each grant during the budget development process. However, Energy does not perform and document after-the-fact reviews or reconciliations to verify that the allocation methodology reasonably reflects employees’ actual activities related to the federal program.

Title 2 Code of Federal Regulations (CFR) § 200.430(g)(1) requires that the records supporting charges to federal awards be supported by a system of internal control that provides reasonable assurance the charges are accurate, allowable, and properly allocated. In addition, when payroll costs are charged to a federal award based on budget estimates, 2 CFR § 200.430(g)(1)(vii) requires an entity’s system of internal control to include processes to review after-the-fact interim charges and adjust the final amounts charged, as necessary.

Due to resource restrictions, Energy has not established formal written policies or procedures governing the allocation of payroll costs it charges to federal programs, nor has it implemented processes to periodically validate whether payroll charges based on management’s budget estimates are consistent with the actual work employees perform. As a result, management cannot ensure that the payroll costs it charges to the AMLR federal grant program are accurate, allowable, and properly allocated. Due to the pervasiveness of this condition and the absence of complementary controls, we consider this deficiency to be a material weakness in internal control. Additionally, because payroll costs are approximately 21 percent of Energy’s total expenses charged to the AMLR grant program, this condition represents material noncompliance with the provisions of 2 CFR § 200.430. Because Energy does not maintain sufficient documentation to demonstrate that the payroll costs it charges to the AMLR program reflect the actual work employees perform, we determined that known questioned costs exist related to employee compensation. However, we cannot determine the dollar amount of questioned costs, as Energy allocated payroll charges based on predetermined percentages without after-the-fact validation, which prevents us from quantifying and reporting known questioned costs for this finding.

Energy management should allocate the necessary resources to establish and implement written policies and procedures, supported by an adequate system of internal control, to ensure that the payroll costs it charges to the AMLR program reflect the actual work employees perform in compliance with the requirements of 2 CFR § 200.430.

Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-013: Improve Financial Management of Federal Grants
Applicable to: Department of Wildlife Resources
Assigned Topic: Federal Grants Management
Prior Finding Number: N/A
Finding Type: Internal Control and Compliance
Finding Severity: Material Weakness
Financial Statement Finding: No
Federal Awards Finding: Yes
ALPT - ALN: Sport Fish Restoration - 15.605; Wildlife Restoration and Basic Hunter Education and Safety - 15.611; Enhanced Hunter Education and Safety - 15.626
Federal Award ID (Year): F20AF10048 (2020); F20AF11897 (2020); F21AF02409 (2021); F22AF01121 (2022); F23AF00654 (2023); F23AF03173 (2023); F23AF03185 (2023); F24AF02770 (2024); F24AF02896 (2024); F24AF02903 (2024)
Federal Agency: U.S. Department of the Interior
Compliance Requirement: Allowable Costs/Cost Principles - 2 CFR § 200.302; 2 CFR § 200.303(a); 2 CFR § 200.305; 2 CFR § 200.510(b); 31 CFR § 205.33
Known Questioned Costs: $0

The Department of Wildlife Resources (Wildlife Resources) should improve its financial management of federal grants and documentation of internal controls to ensure compliance with state and federal requirements. Wildlife Resources has experienced recent turnover in its grants staff positions. Wildlife Resources has hired new staff; however, there was no transition period with the previous staff, and the previous grants staff did not sufficiently document internal controls over the federal programs. Staff have started documenting desk procedures, but agency-wide policies and procedures remain lacking. As such, grants staff did not appear to have sufficient knowledge of statewide policies and procedures to adequately perform the federal grants management processes in accordance with federal regulations and the Commonwealth Accounting Policies and Procedures (CAPP) Manual. We identified the following issues:

Wildlife Resources should amend its procedures to comply with CAPP Manual requirements for cash management of federal funds. CAPP Manual Topic 20605 states that two methods of recording "split" funded expenses are acceptable. The method preferred by the State Comptroller is to establish procedures to "split code" the expenses by allocating the disbursement between a state fund and the federal fund at the matching ratio prescribed by the grant or contract. A second, and temporary, funding method allows the agency to charge the original expense to a state fund and subsequently, within seven business days, prepare and submit a general ledger journal in the Commonwealth’s accounting and financial reporting system to charge the federal fund for the federal portion of the original expense, referencing the original voucher in the journal reference line for transparency. If a state agency cannot comply, the agency must request approval from the State Comptroller. Wildlife Resources follows the temporary funding method to record its federal expenses. Wildlife Resources spends from state funds and then performs journal entries to move transactions to the federal fund in bulk, with some journal entries representing hundreds of individual transactions, which does not allow for transparency regarding the nature of Wildlife Resources’ federal expenses. Further, our analysis found that Wildlife Resources enters journal entries for federal drawdowns up to three months after the original transaction date, which is not consistent with the seven-day requirement in CAPP Manual Topic 20605. Per 2 Code of Federal Regulations (CFR) § 200.302, a recipient must comply with state laws and procedures for expending and accounting for the State's funds. Additionally, the untimely performance of these extensive journal entries may result in Wildlife Resources recording journal entries in the wrong fiscal year, which could result in inaccurate information within the Commonwealth’s Annual Comprehensive Financial Report.

Wildlife Resources does not maintain adequate support for its journal entries. CAPP Manual Topic 20405 requires the agency to retain sufficient supporting documentation to provide auditable records containing evidence of required coding elements for journal entries. Wildlife Resources’ journal entries lack documentation related to changes in coding. Further, Wildlife Resources does not maintain supporting documentation for journal entries in one accessible location, which would allow for sufficient supervisory review. Not maintaining adequate supporting documentation over journal entries increases the risk of inaccurate or fraudulent transactions. Wildlife Resources also does not have policies and procedures in place that detail how it creates the journal entries, what type of documentation to retain to support journal entries, or how Wildlife Resources ensures it only moves allowable costs to the federal fund. Title 2 CFR § 200.303(a) requires recipients to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient or subrecipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

During fiscal year 2025, in response to our Office’s 2024 Internal Control Questionnaire Review, Wildlife Resources established a bimonthly drawdown and journal entry schedule to ensure timely drawdown of federal funds to reimburse expenses originally incurred within state funds and to assist in remediation of its cash flow issues. Per 31 CFR § 205.33, a state must minimize the time between the drawdown of federal funds from the federal government and their disbursement for federal program purposes in accordance with the actual, immediate cash requirements of the state. The timing and amount of funds transfers must be as close as is administratively feasible to a state's actual cash outlay for direct program costs and the proportionate share of any allowable indirect costs. However, based on our analysis of drawdowns, while Wildlife Resources has made progress in the rate of drawdowns since the previous review, it has not, due to staff shortages, fully followed its drawdown schedule to ensure timely drawdowns of federal funds, which could exacerbate the agency’s cash flow issues. Specifically, the drawdown schedule included twenty planned drawdowns; however, Wildlife Resources completed only eleven (55%) in accordance with that schedule. Furthermore, Wildlife Resources does not have policies and procedures in place over the completion of drawdowns as required by 2 CFR § 200.302, which requires a recipient to have written procedures to implement the requirements of 2 CFR § 200.305 regarding federal drawdowns.

Wildlife Resources did not record program income revenue of approximately $2.3 million in the correct fiscal year for the Fish and Wildlife Cluster. Wildlife Resources recorded the program income received in fiscal year 2025 in a suspense account and did not distribute the income to the proper revenue account until fiscal year 2026. CAPP Manual Topic 20205 requires recording of all state receipts in the Commonwealth’s accounting and financial reporting system in a timely manner, within three business days of the deposit. Additionally, the Department of Accounts (Accounts) Fiscal Year-End Closing Procedures require agencies to certify that they properly distributed balances to the correct accounts before final close of the Commonwealth’s accounting and financial reporting system. By not properly recording program income, Wildlife Resources may misrepresent financial information to the federal government and report information that does not agree with its accounting records.

Wildlife Resources reported federal expenses on its Schedule of Expenditures of Federal Awards (SEFA), a schedule that details Wildlife Resources’ federal expenses for fiscal year 2025, that did not agree with its underlying accounting records. Wildlife Resources reported federal expenses in the SEFA that it recorded as state funds in the Commonwealth’s accounting and financial reporting system because it considered journal entries that it did not record in the system until the next fiscal year. Due to these issues and preparation of the SEFA by a member of management on long-term leave who was not available during the audit, Wildlife Resources could not support amounts totaling over $660,000 in its SEFA. Additionally, Wildlife Resources does not have documented procedures outlining its process for preparing the SEFA in accordance with 2 CFR § 200.510(b), which states that the auditee must prepare a schedule of expenditures of federal awards for the period covered by the auditee’s financial statements, which must include the total federal awards expended as determined in accordance with 2 CFR § 200.502. Accounts’ Office of the Comptroller’s Directive No. 1-25 (Comptroller’s Directive) also provides specific directions for compiling the SEFA and supporting schedules to support its preparation of the Commonwealth’s SEFA and related disclosures. Furthermore, the Comptroller’s Directive states that an agency must ensure that it has internal controls in place to avoid material misstatements and/or misclassifications in the attachments and other financial information submitted to Accounts for inclusion in the Commonwealth’s Single Audit. By not implementing adequate internal controls over financial reporting, Wildlife Resources cannot provide reasonable assurance that the financial information it submits to Accounts for inclusion in the Commonwealth’s Single Audit is free of material misstatements.

Because of the scope of the matters and errors noted above, we consider this finding to be a material weakness in internal control. Wildlife Resources should improve its financial management of federal funds and documentation of internal controls to ensure compliance with state and federal requirements. The need for strong internal controls is especially important given that Wildlife Resources is exploring additional federal funding opportunities. Wildlife Resources should work with Accounts to develop and implement a federal grants management process that complies with the CAPP Manual. Wildlife Resources should improve its process and controls related to federal fund drawdowns to ensure timely reimbursement of expenses within federal limitations. Further, Wildlife Resources should improve its controls and procedures related to journal entry processing to ensure it retains adequate support for all entries and enters the entries timely. Additionally, Wildlife Resources should perform a thorough review of its SEFA before submitting it to Accounts and retain supporting documentation to support the SEFA. Finally, Wildlife Resources should develop policies and procedures over all federal grants processes, including all compliance requirements. These improvements combined are necessary to ensure accurate accounting and financial reporting in accordance with the CAPP Manual, the Code of Federal Regulations, the Comptroller’s Directives, and applicable accounting standards.

Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-024: Comply with Period of Performance Requirements for Vocational Rehabilitation Grants
Applicable to: Department for Aging and Rehabilitative Services
Assigned Topic: Federal Grants Management
Prior Finding Number: N/A
Finding Type: Compliance
Finding Severity: N/A
Financial Statement Finding: No
Federal Awards Finding: Yes
ALPT - ALN: Rehabilitation Services Vocational Rehabilitation Grants to States - 84.126
Federal Award ID (Year): H126A240070 (2024)
Federal Agency: U.S. Department of Education
Compliance Requirement: Period of Performance - 2 CFR § 200.403(h); 34 CFR § 76.707
Known Questioned Costs: $166,000

Aging and Rehabilitative Services’ Finance Division inappropriately applied $166,000 in expenses to its federal fiscal year 2024 VR grant. Since this amount exceeded $25,000 for the period of performance compliance requirement, we are required to report the known questioned cost identified during the audit through an audit finding in accordance with 2 CFR § 200.516(a)(4). The objective of this federal grant program is to assist states in operating a VR program that is designed to assess, plan, develop, and provide services to individuals with disabilities so that they may prepare for and engage in gainful employment. During state fiscal year 2025, the Commonwealth of Virginia incurred approximately $109 million in expenses under the VR federal grant program.

Aging and Rehabilitative Services received a vendor invoice in August 2024 for pre-employment transition services related to an obligation incurred in July 2023. However, the contract administrator inadvertently indicated that this expense should be applied to the federal fiscal year 2024 VR grant, which began on October 1, 2023, instead of the federal fiscal year 2023 VR grant, under which Aging and Rehabilitative Services incurred the obligation to the federal award. Aging and Rehabilitative Services’ Finance Division did not consider the obligation date when reviewing the vendor invoice and, as a result, did not identify that the contract administrator incorrectly applied this expense to the project code for the federal fiscal year 2024 VR grant. Aging and Rehabilitative Services uses project codes in its financial system to track and record expenses for its various federal grant programs and monitor compliance with the period of performance requirements.

Title 34 CFR § 76.707 states that an obligation for performance of work other than personal services occurs on the date on which the State makes a binding written commitment to obtain the services. Further, 2 CFR § 200.403(h) stipulates that costs must be incurred during the approved budget period or period of performance to be considered allowable. Finally, the United States Department of Education’s Rehabilitative Service Administration’s Frequently Asked Questions for Period of Performance for Formula Grant Awards mandates that States must track all expenditures against their obligation to ensure they are incurred during the period of performance and are properly reported to the federal government. Without tracking expenses against their obligation date and verifying use of correct project codes, Aging and Rehabilitative Services risks posting expenses to incorrect award periods and having to return monies to the federal government.

Aging and Rehabilitative Services’ Finance Division should strengthen its review processes to ensure that it applies transactions to the project code that corresponds to the award’s period of performance.

Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-070: Continue to Strengthen Internal Controls over the Vocational Rehabilitation Case Management System
Applicable to: Department for Aging and Rehabilitative Services
Assigned Topic: Access Control; Audit and Accountability; Information Security Roles and Responsibilities; Personnel Security; Planning; Risk Assessment
Prior Finding Number: N/A
Finding Type: Internal Control and Compliance
Finding Severity: Significant Deficiency
Financial Statement Finding: No
Federal Awards Finding: Yes
ALPT - ALN: Rehabilitation Services Vocational Rehabilitation Grants to States - 84.126
Federal Award ID (Year): H126A240069 (2024); H126A250069 (2025); H126A240070 (2024); H126A250070 (2025)
Federal Agency: U.S. Department of Education
Compliance Requirement: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

The Department for Aging and Rehabilitative Services (Aging and Rehabilitative Services) continues to strengthen internal controls over its Vocational Rehabilitation (VR) case management system. To comply with the provisions in the Commonwealth’s IT Security Audit Standard, SEC502 (IT Audit Standard), Aging and Rehabilitative Services’ Internal Audit Division (Internal Audit) conducted an audit over the agency’s VR case management system and concluded fieldwork in December 2024. The audit included a risk-based selection of security controls from the Commonwealth’s Information Security Standard, SEC530 (Security Standard) sections and control families, in addition to the controls in the IT Audit Standard. Internal Audit identified 25 total findings affecting several control families and sections in the Security Standard and IT Audit Standard. We elected not to disclose the specific findings because they are considered to be Freedom of Information Act exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia because they contain descriptions of security mechanisms.

Aging and Rehabilitative Services developed corrective action plans to remediate the findings Internal Audit communicated in its report and has resolved two of the 25 findings (8%) as of the end of fiscal year 2025. Internal Audit noted that many of the reported findings were the result of insufficient agency resources and/or a lack of formal policies and procedures. The Security Standard requires that system owners maintain compliance with Commonwealth of Virginia information security policies and standards in all IT system activities. Additionally, Title 2 Code of Federal Regulations (CFR) § 200.303(e) requires federal grant recipients to take reasonable cybersecurity and other measures to safeguard information, including protected personally identifiable information (PII) and other types of information. Inadequate or missing IT security controls could potentially lead to a data breach or unauthorized access to confidential and mission-critical data, resulting in data corruption, data loss, or system disruption if accessed by either an internal or an external malicious attacker.

We recommend that Aging and Rehabilitative Services’ management continue to dedicate the necessary resources to remediate the internal control deficiencies noted in the Internal Audit report covering the VR case management system.

Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-015: Implement Internal Controls over TANF Federal Performance Reporting Applicable to: Department of Social Services Assigned Topic: Federal Grants Management Prior Finding Number: 2024-101; 2023-105; 2022-103 Finding Type: Internal Control and Compliance Finding Severity: Material Weakness Financial Statement Finding: No Federal Awards Finding: Yes ALPT - ALN: Temporary Assistance for Needy Families (TANF) - 93.558 Federal Award ID (Year): 2501VATANF (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Reporting - 45 CFR § 265.7(b) Known Questioned Costs: $0 Benefit Programs does not have adequate internal controls in place to ensure accurate reporting in the Administration for Children and Families’ (ACF) 199 TANF Data Report (ACF-199) and 209 Separate State Programs – Maintenance-of-Effort Data Report (ACF-209). Social Services submits this data to ACF quarterly, and ACF uses the data to determine whether the Commonwealth met the minimum work participation requirements for the Temporary Assistance for Needy Families (TANF) federal grant program. Benefit Programs uses a third-party service provider to produce the ACF-199 and ACF-209 reports and relies solely on their internal controls during the data extraction and data reporting process as of the end of fiscal year 2025. In response to the prior audit findings, Benefit Programs made significant revisions to its planned corrective actions to better address the weaknesses identified in prior audits. Benefit Programs’ revised planned corrective actions include inventorying and documenting the ACF-199 and ACF-209 reporting requirements, researching previous reporting errors to determine their cause, developing change requests to address reporting format adjustments, and partnering with their Business Operations Unit to develop internal controls for validating data from its third-party service provider. 
However, because of the extent of its corrective actions, Benefit Programs was unable to implement all of them by the end of fiscal year 2025. Benefit Programs anticipates completing its corrective actions for this audit finding by the end of fiscal year 2026. We audited 60 cases and identified 30 instances (50%) where the third-party service provider did not report one or more key line items accurately based on the data Social Services maintains in its case management system or other supporting data, and Benefit Programs did not detect or correct these errors before the third-party service provider submitted the data to ACF. Specifically, we noted that Benefit Programs did not accurately report the following key line items for the ACF-199 and ACF-209 reports submitted during fiscal year 2025:

- Benefit Programs did not accurately report the “Work Participation Status” key line item for 29 out of 60 (48%) cases tested.
- Benefit Programs did not accurately report the “Hours of Participation (Job Search and Job Readiness Assistance)” key line item for five out of 57 (9%) cases tested.
- Benefit Programs did not accurately report the “Type of Family for Work Participation” key line item for one out of 57 (2%) cases tested.
- Benefit Programs did not accurately report the “TANF Family Exempt from Time Limits” key line item for one out of 57 (2%) cases tested.
- Benefit Programs did not accurately report the “Number of Months Countable Toward the Federal Time Limit” key line item for one out of 57 (2%) cases tested.
- Benefit Programs did not accurately report the “Unsubsidized Employment” key line item for one out of 57 (2%) cases tested.

Title 45 CFR § 265.7(b) requires States to have complete and accurate reports, which means that the reported data accurately reflect information available in case records, are free of computational errors, and are internally consistent.
Additionally, 2 CFR § 200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over federal awards to ensure compliance with applicable laws, regulations, and award terms. Reporting potentially inaccurate or incomplete information prevents ACF from adequately monitoring the Commonwealth’s work participation rates and the overall performance for the TANF federal grant program. Further, ACF can impose a penalty if it finds Social Services did not meet statutory required work participation rates. Because of the scope of this matter and errors noted above, we consider it to be a material weakness in internal control. Additionally, we believe this matter represents material noncompliance since Social Services did not fully comply with the provisions at 45 CFR § 265.7(b). Benefit Programs should continue to implement its planned corrective actions to ensure accurate reporting in the ACF-199 and ACF-209 TANF federal performance reports. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-020: Monitor Case Management System Records to Ensure Compliance with TANF Eligibility Requirements

Applicable to: Department of Social Services
Assigned Topic: Federal Grants Management
Prior Finding Number: 2024-103; 2023-103
Finding Type: Compliance
Finding Severity: N/A
Financial Statement Finding: No
Federal Awards Finding: Yes
ALPT - ALN: Temporary Assistance for Needy Families (TANF) - 93.558
Federal Award ID (Year): 2501VATANF (2025)
Federal Agency: U.S. Department of Health and Human Services
Compliance Requirement: Eligibility - 45 CFR § 260.3; 45 CFR § 261.13; 45 CFR § 264.1; 42 USC § 604(a)(1); 42 USC § 608(a)(3)
Known Questioned Costs: $10,192

Social Services did not comply with certain federal eligibility requirements for the TANF federal grant program, resulting in known questioned costs of $10,192. When projecting the known questioned costs to the population of questionable payments tested during the audit, we estimated likely questioned costs to be approximately $86,000 and had to report an audit finding in accordance with 2 CFR § 200.516(a)(4) since the likely questioned costs projection exceeded $25,000. The TANF federal grant program provided over $89 million in assistance to approximately 25,000 needy families during fiscal year 2025. During the audit, we reperformed the eligibility determinations using the information from Social Services’ case management system for all needy families that received assistance during the fiscal year and identified the following 27 instances (<1%) where the eligibility determination was not supported by facts in the recipient's case record:

- For 19 payments, Social Services did not properly evaluate whether individuals were already counted as eligible for TANF benefits under an existing case, which allowed these individuals to receive multiple benefit payments exceeding the Standards of Assistance and maximum program benefit amounts.
Title 42 United States Code (USC) § 604(a)(1) mandates that a State may use the grant in any manner that is reasonably calculated to accomplish the purpose of TANF where Social Services’ reasonable calculation is defined by its Standard of Assistance and maximum program benefit amounts within its TANF Program Manual.

- For four payments, Social Services did not verify that the individual assigned the rights that they may have to child support to the state. As a result, these amounts were not excluded from the individual’s countable income and they were underpaid TANF benefits. Title 42 USC § 608(a)(3) mandates that the State shall require, as a condition of providing assistance, recipients to assign their rights to support from any other person (e.g. child support), not to exceed the amount of assistance provided by the State.
- For two payments, Social Services did not properly reduce or terminate assistance for individuals not complying with their individual responsibility plan for the TANF program. Title 45 CFR § 261.13 mandates that if an individual fails without good cause to comply with an individual responsibility plan that he or she has signed, the State may reduce the amount of assistance otherwise payable to the family, by whatever amount it considers appropriate.
- For one payment, Social Services did not properly evaluate the age criteria for an individual, resulting in an overpayment due to the individual not meeting the definition of a minor child as defined in Title 45 CFR § 260.30.
- For one payment, Social Services did not properly reduce or terminate TANF assistance to a head-of-household that received federal assistance for over 60 months. Title 45 CFR 264.1 mandates that states may not use any of its federal TANF funds to provide assistance to a family that includes an adult head-of-household or a spouse of the head-of-household who has received federal assistance for a total of five years, or 60 cumulative months (whether or not consecutive).
Social Services relies on its case management system to properly determine eligibility, correctly calculate benefit payments, and achieve the federal requirements of the TANF federal grant program. Of the exceptions noted above, four of the 27 (15%) were the result of local Department of Social Services eligibility workers mistakenly reporting child support payments as unearned revenue beyond the acceptable timeframe instead of assigning these payments to the Commonwealth for referral to the Division of Child Support Enforcement, as required by the USC. The remaining 23 exceptions (85%) resulted from local Department of Social Services eligibility workers not including sufficient documentation to justify the rationale for their eligibility determinations. Social Services did not identify these exceptions because it did not have a mechanism to identify risky transactions in its case management system that deviate from Social Services’ policies and procedures and warrant further follow-up. Non-compliance with these provisions increases Social Services’ risk of incurring disallowed costs and having to repay grant funds to the federal government. Social Services should continue to provide additional training to local Department of Social Services eligibility workers on how to properly determine and document eligibility determinations in its case management system. Additionally, Social Services should continue to develop and implement a data-driven approach to monitor and analyze data from its case management system to identify risky transactions that deviate from Social Services’ policies and procedures. By providing additional training and developing and implementing risk-based data analytics, Social Services will be able to ensure that each decision in its case management system regarding eligibility is supported by the facts in the applicant’s or recipient’s case record and complies with federal requirements. 
Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-017: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations

Applicable to: Department of Social Services
Assigned Topic: Federal Grants Management
Prior Finding Number: 2024-085; 2023-100; 2022-016; 2021-071
Finding Type: Internal Control and Compliance
Finding Severity: Significant Deficiency
Financial Statement Finding: Yes
Federal Awards Finding: Yes
ALPT - ALN: Supplemental Nutrition Assistance Program – 10.551; State Administrative Matching Grants for the Supplemental Nutrition Assistance Program – 10.561; Temporary Assistance for Needy Families (TANF) - 93.558; Child Care and Development Block Grant - 93.575
Federal Award ID (Year): 251VA407S2514 (2025); 2501VATANF (2025); 2502VACCDD (2025); 2502VACCDM (2025)
Federal Agency: Various
Compliance Requirement: Subrecipient Monitoring - 2 CFR § 200.332(b)
Known Questioned Costs: $0

As in prior years, Benefit Programs is still not confirming that program consultants evaluate each subrecipient’s risk of noncompliance in accordance with its subrecipient monitoring plan. Benefit Programs oversees the Medicaid, SNAP, TANF, and CCDF Cluster federal grant programs. Benefit Programs disbursed over $425 million in grant funding during fiscal year 2025 from these federal grant programs to over 260 subrecipients. In response to prior audit recommendations, Benefit Programs hired a subrecipient monitoring coordinator in fiscal year 2025 and began creating new materials for managing risk assessments and monitoring reviews, including developing a memorandum detailing the schedule and operation for monitoring activities. Additionally, Benefit Programs developed tracking tools to monitor completion of risk assessments and follow-up activities. However, due to the extent of its corrective actions, Benefit Programs did not complete all corrective actions by the end of fiscal year 2025.
As a result, we noted the following deviations while auditing Benefit Programs’ fiscal year 2025 subrecipient monitoring activities:

- Program consultants did not complete programmatic risk assessments for 17 of 42 (40%) non-locality subrecipients with fiscal year payments.
- Program consultants did not provide an adequate justification for not conducting monitoring reviews for 11 of 76 (14%) locality risk assessments rated high or medium.
- Program consultants did not complete 15 of 316 (5%) locality programmatic risk assessments.

Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Additionally, Benefit Programs’ subrecipient monitoring plan requires that all staff follow its procedures, which guide the process and frequency for ongoing subrecipient monitoring of public assistance programs at local departments. Without appropriate oversight of program consultants, Benefit Programs cannot demonstrate proper monitoring of subrecipient activity, including whether the subrecipient used the subawards for authorized purposes and in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Benefit Programs should continue to implement its planned corrective actions to evaluate subrecipients’ risk of noncompliance in accordance with federal regulations. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-021: Monitor Case Management System Records to Ensure Compliance with CCDF Eligibility Requirements

Applicable to: Department of Social Services
Assigned Topic: Federal Grants Management
Prior Finding Number: N/A
Finding Type: Compliance
Finding Severity: N/A
Financial Statement Finding: No
Federal Awards Finding: Yes
ALPT - ALN: Child Care and Development Block Grant - 93.575; Child Care Mandatory and Matching Funds of the Child Care and Development Fund - 93.596
Federal Award ID (Year): 2502VACCDD (2025); 2502VACCDM (2025)
Federal Agency: U.S. Department of Health and Human Services
Compliance Requirement: Eligibility - 45 CFR § 98.21(1)
Known Questioned Costs: $218

Social Services did not comply with certain federal eligibility requirements for the CCDF Cluster, resulting in known questioned costs of $218. When projecting the known questioned costs to the population of questionable payments tested during the audit, we estimated likely questioned costs to be approximately $2.2 million and had to report an audit finding in accordance with 2 CFR § 200.516(a)(4) since the likely questioned costs projection exceeded $25,000. The CCDF Cluster served over 33,000 needy families in the Commonwealth during fiscal year 2025 and Social Services authorized and disbursed over $428 million in subsidy payments during this timeframe. During the audit, we re-performed eligibility determinations, using the information from Social Services’ case management system, for all needy families that received assistance during fiscal year 2025 and identified five instances (<1%) where Social Services did not discontinue benefits when the period of eligibility expired. Social Services relies on its case management system to properly determine eligibility and achieve the federal requirements of the CCDF Cluster.
Social Services did not identify these exceptions because it did not have a mechanism to identify potentially ineligible payments where benefits continued past their redetermination review due date without eligibility workers completing an eligibility redetermination. Title 45 CFR 98.21(a)(1) mandates that a lead agency shall periodically redetermine a child's eligibility for child care services. Further, Virginia’s Child Care Subsidy Program Manual requires an eligibility redetermination at the end of the annual eligibility period and approval or denial of the application by a child care worker by the last day of the redetermination month, as long as the recipient has been given at least 10 days to provide all required verifications. Noncompliance with these provisions increases the Commonwealth’s risk of incurring ineligible costs. Social Services should provide additional training to eligibility workers to properly determine and document child care eligibility redeterminations in its case management system in accordance with Virginia’s Child Care Subsidy Program Manual. Additionally, Social Services should consider developing a mechanism, using the data in its case management system, to identify instances where benefits continue past their respective redetermination review due date without eligibility workers completing eligibility redetermination. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-022: Comply with Period of Performance Requirements for Child Care Related Grants

Applicable to: Department of Education - Direct Aid to Public Education
Assigned Topic: Federal Grants Management
Prior Finding Number: N/A
Finding Type: Internal Control and Compliance
Finding Severity: Significant Deficiency
Financial Statement Finding: Yes
Federal Awards Finding: Yes
ALPT - ALN: Child Care and Development Block Grant - 93.575; Child Care Mandatory and Matching Funds of the Child Care and Development Fund - 93.596
Federal Award ID (Year): 2102VACDC6 (2021); 2302VACCDM (2023); 2402VACCDM (2024)
Federal Agency: U.S. Department of Health and Human Services
Compliance Requirement: Period of Performance - 45 CFR § 98.60(d)(4)
Known Questioned Costs: $1,048,734

Education improperly applied a total of $28.6 million in expenses to the 2023 and 2024 Child Care and Development Fund (Child Care Fund) matching grant awards and the 2021 American Rescue Plan (ARP) Child Care Fund Discretionary grant after the respective grants’ obligation period ended. Education subsequently corrected $27.6 million in Child Care Fund grant expenses by reclassifying them to open grants. However, approximately $1 million that Education originally applied to the ARP grant remains noncompliant because the respective grant closed before we brought the error to Education’s attention. 45 CFR § 98.60(d)(4) specifies that Child Care Fund Matching awards “shall be obligated in the fiscal year in which the funds are granted,” and 45 CFR § 98.60(d)(1) states that Child Care Fund Discretionary awards “shall be obligated in the fiscal year in which funds are awarded or in the succeeding fiscal year.” In addition, the Child Care Fund Matching award’s terms and conditions also specify that funds must be obligated by the end of the award’s first federal fiscal year.
While the United States Department of Health and Human Services granted an extension that allowed ARP Child Care Fund Discretionary awards to be obligated until September 30, 2023, this date is before fiscal year 2025; thus, obligations in state fiscal year 2025 that Education made from the ARP Child Care Fund Discretionary award are considered outside of the period of performance for the respective grant. As a result, these are considered questioned costs, which will require Education to seek resolution options from the federal government. Education uses project codes in their financial system to record and track federal fund expenses. Education assigns a grant award to each project code, and each year sets the applicable default codes, which aids in ensuring expenses are applied to the proper grant award. In fiscal year 2025, Education did not update the default grant award assigned to Child Care Fund project codes resulting in Education applying expenses to the Child Care Fund grant after the award’s obligation period ended. Additionally, Education did not perform a thorough and timely review of expenses to ensure it obligated the awards within their applicable period. Child Care program staff review transaction details to identify miscoding of expenses based on obligation dates prior to the end of the federal fiscal year or award closeout, rather than reviewing expenses before posting in the financial system. Education should implement procedures to link grant awards to the proper project codes by default and update the default codes as needed. Additionally, program staff should be involved in reviewing expenses before staff approve the expenses in the financial system to ensure compliance with grant award terms and develop periodic monitoring procedures to identify and correct expenses that staff have improperly obligated and/or liquidated outside of the period of performance. 
Lastly, Education should seek resolution options from the federal government for any questioned costs resulting from this finding. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-016: Review Non-Locality Subrecipient Single Audit Reports

Applicable to: Department of Social Services
Assigned Topic: Federal Grants Management
Prior Finding Number: 2024-084; 2023-098; 2022-013; 2021-072; 2020-075; 2019-091; 2018-092
Finding Type: Internal Control and Compliance
Finding Severity: Significant Deficiency
Financial Statement Finding: Yes
Federal Awards Finding: Yes
ALPT - ALN: State Administrative Matching Grants for the Supplemental Nutrition Assistance Program – 10.561; MaryLee Allen Promoting Safe and Stable Families Program - 93.556; Temporary Assistance for Needy Families (TANF) - 93.558; Social Services Block Grant - 93.6
Federal Award ID (Year): 251VA407Q3903 (2025); 2501VATANF (2025); 2502VAFPSS (2025); 2501VASOSR (2025)
Federal Agency: Various
Compliance Requirement: Subrecipient Monitoring - 2 CFR § 200.332(d)(3); 2 CFR § 200.332(f)
Known Questioned Costs: $0

Compliance continues to not review non-locality subrecipient Single Audit reports as set forth within Compliance’s Agency Monitoring Plan. Non-locality subrecipients are subrecipients who are not local governments (primarily non-profit organizations). During fiscal year 2025, Social Services disbursed approximately $125 million in federal funds to 252 non-locality subrecipients. Of the 11 non-locality subrecipients that received more than $750,000 in federal funds from Social Services, we identified two (18%) that did not have a Single Audit reporting package available in the Federal Audit Clearinghouse (Clearinghouse) for the most recent audit period; one of which appeared to have never filed a Single Audit reporting package.
Since the prior audit, Compliance adopted a policy regarding how to obtain and review information from the Clearinghouse, compiled a list of non-locality subrecipients receiving federal funds, and worked with Social Services’ Contract and Procurement Team to update contract language that requires the non-locality to communicate anticipated federal spending to Social Services so Compliance can monitor adherence with the Single Audit requirements. However, because of the extent of its corrective actions, Compliance was unable to fully implement its corrective action and review all non-locality subrecipient Single Audit reports by fiscal year end. Title 2 CFR § 200.332(f) requires pass-through entities to verify that subrecipients expending $750,000 or more in federal awards during the fiscal year obtain a Single Audit. Additionally, Compliance’s Agency Monitoring Plan requires the subrecipient monitoring coordinator to reference a comprehensive list of non-locality subrecipients and corresponding federal expenditures, identify subrecipients required to obtain a Single Audit, verify submission of those audits to the Clearinghouse, and follow up with subrecipients that have not complied. Without verifying whether non-locality subrecipients receive a Single Audit, Compliance is unable to provide assurance that Social Services is fulfilling its responsibilities as a pass-through entity. By not reviewing non-locality subrecipient Single Audit reports, Social Services may be unaware of a potential liability to the Commonwealth. Not complying with federal regulations could result in federal awarding agencies temporarily withholding payments until Social Services takes corrective action; disallowing costs for all or part of the activity associated with the noncompliance; suspending or terminating the federal award in part or in its entirety; initiating initial suspension or debarment proceedings; and/or withholding further federal funds for the project or program. 
Compliance should continue its corrective action efforts and begin reviewing non-locality subrecipient Single Audit reports. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-019: Perform Analysis to Identify Service Provider Agencies That Perform Significant Fiscal Processes

Applicable to: Department of Social Services
Assigned Topic: Federal Grants Management
Prior Finding Number: 2022-104
Finding Type: Internal Control and Compliance
Finding Severity: Significant Deficiency
Financial Statement Finding: No
Federal Awards Finding: Yes
ALPT - ALN: Social Services Block Grant - 93.667
Federal Award ID (Year): 2501VASOSR (2025)
Federal Agency: U.S. Department of Health and Human Services
Compliance Requirement: Other - 2 CFR § 200.303(a)
Known Questioned Costs: $0

Consistent with prior years, Social Services is not performing a comprehensive analysis of service provider agencies during its Agency Risk Management and Internal Control Standards (ARMICS) review to determine if they perform significant fiscal processes. Significant fiscal processes include, but are not limited to, programs or activities that have a high degree of public visibility; represent areas of concern and high risk to mission-critical business processes for agency managers and stakeholders; or have a significant effect on general ledger account balances. Social Services transferred approximately $53 million to other state agencies or institutions from various federal grant programs during the fiscal year to administer certain grants management functions on its behalf. CAPP Manual Topic 10305 states an agency (primary agency) may use another agency (service provider agency) to perform significant fiscal processes for the primary agency. ARMICS states that decisions about significance should consider not only quantitative, but also qualitative factors, and managers should define any fiscal process as significant if errors or misstatements in the process could have adverse consequences for legal or regulatory obligations.
Further, CAPP Manual Topic 10305 states that if a primary agency identifies a service provider agency that performs significant fiscal processes, the primary agency must have adequate interaction with the service provider agency to gain an appropriate understanding of the service provider agency’s control environment and obtain assurances from the service provider agency regarding the state of internal control applicable to the significant fiscal processes performed. Finally, 2 CFR §200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over federal awards to ensure compliance with applicable laws, regulations, and award terms. During its analysis of service provider agencies, Social Services only considered service provider agencies that have a significant effect on general ledger account balances but did not consider qualitative factors like degree of public visibility, areas of concern, or risk to mission-critical business processes. Additionally, Social Services inadvertently indicated that corrective action for this finding was complete during its transition of corrective action plan responsibilities. Without performing a comprehensive analysis of service provider agencies during its ARMICS review, Social Services cannot provide assurance that it obtained adequate coverage over service provider agency operations that are quantitatively or qualitatively significant to its operations. Social Services should identify all service provider agencies and determine which entities provide significant fiscal processes. Thereafter, Social Services should perform a comprehensive analysis to determine if it has an appropriate understanding of the agency’s control environment and obtain assurance from the service provider agency regarding the state of internal control applicable to the significant fiscal processes performed. 
Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-025: Strengthen Internal Controls over FFATA Reporting

Applicable to: Department of Social Services
Assigned Topic: Federal Grants Management
Prior Finding Number: 2024-106; 2023-107; 2022-106
Finding Type: Internal Control and Compliance
Finding Severity: Significant Deficiency
Financial Statement Finding: No
Federal Awards Finding: Yes
ALPT - ALN: Temporary Assistance for Needy Families (TANF) - 93.558; Foster Care-Title IV-E - 93.658; Social Services Block Grant - 93.667
Federal Award ID (Year): 2501VATANF (2025); 2501VASOSR (2025); 2501VAFOST (2025)
Federal Agency: U.S. Department of Health and Human Services
Compliance Requirement: Reporting - 2 CFR Part 170 Appendix A; 2 CFR § 200.303(a)
Known Questioned Costs: $0

Social Services’ Division of Finance (Finance) continues to lack adequate internal control over Federal Funding Accountability and Transparency Act (FFATA) reporting. FFATA reports disclose how entities and organizations are obligating federal funds. During fiscal year 2025, Social Services disbursed over $700 million in federal funds from roughly 4,800 subawards. In response to prior audit recommendations, Finance revised its FFATA reporting policy to establish procedures for the timely completion and submission of required reports and began submitting FFATA reports to the federal government. However, we noted the following deviations from Finance’s FFATA reporting policy while auditing new subawards granted for the Foster Care, Social Services Block Grant, and TANF federal grant programs during fiscal year 2025:

- Finance’s Federal Reporting Unit did not file any FFATA reporting submissions for non-locality subrecipients that received TANF funds from the Division of Family Services and the Division of Community and Volunteer Services. These divisions disbursed approximately $10.4 million from 39 new TANF subawards during fiscal year 2025.
- In a sample of seven report submissions, we identified the following inaccuracies in the System for Award Management (SAM.gov) for TANF subawards that Benefit Programs awarded to non-locality subrecipients:
  - The Federal Reporting Unit reported an inaccurate subaward obligation/action date for four (57%) report submissions.
  - The Federal Reporting Unit reported an inaccurate subaward Unique Entity Identifier (UEI) for one (14%) report submission.
  - The Federal Reporting Unit reported an inaccurate subaward name for one (14%) report submission.
- The Federal Reporting Unit did not submit FFATA reporting submissions timely for the TANF, Social Services Block Grant, and Foster Care Title IV-E federal grant programs. The Federal Reporting Unit’s delays in FFATA reporting ranged from three months to over one year.

Title 2 CFR Part 170 Appendix A requires non-federal entities to report each obligating action that equals or exceeds $30,000 to SAM.gov by the end of the month following the obligating action. This requirement also applies to any subaward modification that increases the award amount to equal or exceed $30,000. Additionally, 2 CFR §200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over federal awards to ensure compliance with applicable laws, regulations, and award terms. Finance uses a decentralized approach to fulfill its FFATA reporting responsibilities since it does not determine which subrecipients will receive federal funding. To mitigate the risk of reporting incomplete and inaccurate information to SAM.gov, Finance and the programmatic divisions developed a Budget Solicitation Form to track and monitor Social Services’ subaward obligations. Additionally, Finance’s Contract and Procurement Team maintains a list of subawards that it makes available to all parties on Social Services’ intranet.
Finally, Finance’s Financial Systems Team developed a report from Social Services’ financial accounting and reporting system that reports expenditures by federal program and subaward. However, Finance’s FFATA reporting policy did not indicate how the Federal Reporting Unit should use this information to monitor FFATA reporting compliance. As a result, the Federal Reporting Unit did not use this information, in its entirety, and did not identify the deviations noted above during the normal course of its operations. When Social Services does not upload all obligating actions meeting the reporting threshold to SAM.gov, as required, a citizen or federal official may have a distorted view of how Social Services is obligating federal funds. Finance should update its FFATA reporting policy to document what sources of information the Federal Reporting Unit should use to monitor compliance with the FFATA reporting requirements and apply appropriate oversight to ensure the Federal Reporting Unit submits complete and accurate information to SAM.gov. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-014: Perform Responsibilities Outlined in the Agency Monitoring Plan

Applicable to: Department of Social Services
Assigned Topic: Federal Grants Management
Prior Finding Number: 2024-082; 2023-097; 2022-011; 2021-070; 2020-074; 2019-090; 2018-093
Finding Type: Internal Control and Compliance
Finding Severity: Material Weakness
Financial Statement Finding: Yes
Federal Awards Finding: Yes
ALPT - ALN: Grants to States for Medicaid – 93.778
Federal Award ID (Year): 2505VA5MAP (2025)
Federal Agency: U.S. Department of Health and Human Services
Compliance Requirement: Subrecipient Monitoring - 2 CFR § 200.303(a); 2 CFR § 200.332
Known Questioned Costs: $0

The Department of Social Services (Social Services) Compliance Division (Compliance) continues not to adhere to its established approach for overseeing agency-wide subrecipient monitoring, as outlined in its Agency Monitoring Plan. In response to the prior audit recommendations, Compliance made significant revisions to its Agency Monitoring Plan to include tools for tracking and monitoring division-level subrecipient monitoring reviews, began meeting monthly with division-level subrecipient monitoring coordinators, and developed a quarterly variance report that it will use to report the status of the agency’s subrecipient monitoring activities to Social Services’ Executive Team. Compliance adopted its revised Agency Monitoring Plan in July 2025 and anticipates completing the remainder of its corrective actions by the end of fiscal year 2026. Additionally, Social Services hired a director to lead Compliance in fiscal year 2025. Social Services engaged a consultant in April 2025 to help develop remediation plans for its previous audit findings. However, because of the extent of its corrective actions, Compliance could not design and implement its corrective actions by the end of fiscal year 2025. As a result, we identified the following deviations from the Agency Monitoring Plan:

- Compliance did not review programmatic division annual subrecipient monitoring plans to ensure they implement a risk-based approach. The Agency Monitoring Plan states that Compliance will use a monitoring plan checklist to evaluate and determine if all the required elements for subrecipient monitoring are present in each division’s plan. As a result, Compliance was not aware that the Division of Benefit Programs' (Benefit Programs) non-locality risk assessment template did not include all required risk factors outlined in the Agency Monitoring Plan.
- Compliance did not confirm that division-level subrecipient monitoring coordinators are maintaining monitoring documentation in Compliance’s centralized repository. As a result, Compliance could not confirm the completeness of the centralized repository. The Agency Monitoring Plan requires that Compliance monitor whether divisions post monitoring review reports to the centralized repository.
- Compliance did not review each division’s monitoring activities nor provide the required quarterly reports of variances and noncompliance from the Agency Monitoring Plan to Social Services’ Executive Team. As a result, Compliance and the Executive Team were not aware that Benefit Programs did not comply with certain aspects of its subrecipient monitoring plan, such as maintaining complete sampling documentation, monitoring records and reports, and documenting subsequent corrective action.

Title 2 U.S. Code of Federal Regulations (CFR) § 200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over federal awards to ensure compliance with applicable laws, regulations, and award terms. Further, 2 CFR § 200.332 requires pass-through entities to monitor subrecipients to ensure they meet federal requirements. Finally, the Agency Monitoring Plan establishes Compliance’s responsibility to centrally coordinate, review, and report on subrecipient monitoring activities across all divisions. Compliance is responsible for agency-wide compliance and risk mitigation that helps ensure adherence to state and federal legal and regulatory standards.

During fiscal year 2025, Social Services disbursed approximately $700 million in federal funds to roughly 350 subrecipients from 37 federal grant programs. Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot provide the Executive Team with assurance that Social Services’ subrecipient monitoring efforts are adequate to comply with the regulations at 2 CFR § 200.332. Additionally, Compliance places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards by not monitoring the agency’s subrecipient monitoring activities. Because of the scope of this matter and the magnitude of Social Services’ subrecipient monitoring responsibilities, we consider these weaknesses collectively to create a material weakness in internal controls since Compliance did not implement its corrective actions by the end of fiscal year 2025.

Compliance should continue to implement its planned corrective actions to perform the responsibilities outlined in its Agency Monitoring Plan.

Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-018: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan

Applicable to: Department of Social Services
Assigned Topic: Federal Grants Management
Prior Finding Number: 2024-086; 2023-102; 2022-014
Finding Type: Internal Control and Compliance
Finding Severity: Significant Deficiency
Financial Statement Finding: Yes
Federal Awards Finding: Yes
ALPT - ALN: Supplemental Nutrition Assistance Program – 10.551; State Administrative Matching Grants for the Supplemental Nutrition Assistance Program – 10.561; Temporary Assistance for Needy Families (TANF) - 93.558; Child Care and Development Block Grant - 93.575
Federal Award ID (Year): 2501VATANF (2025); 2505VA5MAP (2025); 251VA407Q3903 (2025); 2502VACCDD (2025); 2502VACCDM (2025)
Federal Agency: Various
Compliance Requirement: Subrecipient Monitoring - 2 CFR § 200.332(e)
Known Questioned Costs: $0

Benefit Programs continues not to confirm that program consultants complete required subrecipient monitoring procedures and/or document their work in accordance with its subrecipient monitoring plan. Benefit Programs oversees the Medicaid, SNAP, TANF, and CCDF Cluster federal grant programs. Benefit Programs disbursed over $425 million in grant funding during fiscal year 2025 from these federal grant programs to over 260 subrecipients. In response to prior audit recommendations, Benefit Programs hired a subrecipient monitoring coordinator in fiscal year 2025 and began creating new materials for managing risk assessments and monitoring reviews, including developing a memorandum detailing the schedule and operations for monitoring activities. However, due to the extent of its corrective actions, Benefit Programs did not complete its corrective actions by the end of fiscal year 2025. As a result, Benefit Programs did not identify incomplete sampling documentation, missing monitoring records, untimely locality notifications, incomplete monitoring reports, or insufficient documentation of corrective actions across multiple locality reviews. While reviewing fiscal year 2025 monitoring activities, we noted the following deviations from Benefit Programs’ subrecipient monitoring plan:

- Benefit Programs did not confirm that program consultants uploaded all required monitoring records to the data repository. As a result, Benefit Programs could not provide complete documentation for six out of 20 locality reviews (30%).
- Benefit Programs did not confirm that program consultants maintained complete sampling documents and final locality review reports for five out of 20 locality reviews (25%).
- Benefit Programs did not confirm that program consultants fully documented corrective actions for five out of 20 locality reviews (25%).
- Benefit Programs did not confirm that program consultants selected and documented sampling units appropriately. As a result, three out of 20 locality reviews (15%) lacked sufficient documentation of sampling units, and one out of 20 reviews (5%) did not include the required number of sampled cases.
- Benefit Programs did not confirm that program consultants included all required elements in their final monitoring review reports in two out of the 20 locality reviews (10%).
- Benefit Programs did not confirm that program consultants provided timely notification to localities for the monitoring review for one out of 20 locality reviews (5%).

Title 2 CFR § 200.332(e) requires pass-through entities to monitor subrecipients’ use of subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the award. Benefit Programs’ subrecipient monitoring plan outlines the required monitoring steps, documentation standards, and timelines necessary to comply with this regulation.

Without confirming that program consultants complete monitoring activities in accordance with its monitoring plan, Benefit Programs cannot provide reasonable assurance that it complied with federal monitoring requirements. These deficiencies can increase the risk of undetected noncompliance, disallowed expenditures, and potential suspension or termination of federal awards. Benefit Programs should continue to implement its planned corrective actions to confirm that program consultants conduct subrecipient monitoring activities in accordance with its monitoring plan.

Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-043: Improve IT Third-Party Oversight Process

Applicable to: Department of Medical Assistance Services
Assigned Topic: Third-Party Service Providers (Information Systems)
Prior Finding Number: 2024-017; 2023-086; 2022-090
Finding Type: Internal Control and Compliance
Finding Severity: Significant Deficiency
Financial Statement Finding: Yes
Federal Awards Finding: Yes
ALPT - ALN: Grants to States for Medicaid – 93.778
Federal Award ID (Year): 2505VA5MAP (2025)
Federal Agency: U.S. Department of Health and Human Services
Compliance Requirement: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Medical Assistance Services is continuing its efforts to implement its formal process to maintain oversight for three of its information technology (IT) third-party service providers that manage and support its Medicaid management system. The Medicaid management system encompasses different functions, such as member and provider reporting, financial reporting, and federal reporting. Medical Assistance Services has collected data since the prior audit to implement its IT Third Party Risk Management Procedure, which was effective in February 2024, and comply with its IT System and Services Acquisition Policy. However, Medical Assistance Services is still determining the best method to consistently capture the necessary data, which has resulted in the agency not yet verifying the following required controls and processes for one of the Medicaid management system IT service providers not covered by the Virginia Information Technologies Agency’s (VITA) Commonwealth of Virginia Risk and Authority Management Program.

- Medical Assistance Services does not confirm the geographic location of sensitive data monthly for the IT service providers. Without confirming the geographic location of sensitive data, Medical Assistance Services may be unable to enforce contract requirements, laws, and standards due to the data falling outside the United States’ jurisdiction.
- Medical Assistance Services does not confirm whether IT service providers perform vulnerability scans every 90 days. By not obtaining and analyzing the vulnerability scan results from the IT service provider, Medical Assistance Services increases the risk that the IT service providers are not remediating legitimate vulnerabilities in a timely manner.

Medical Assistance Services has required additional time to collaborate with its IT service provider to adjust its data collection methods and verification processes. Medical Assistance Services also had to prioritize its resources to remediate ongoing findings from previous audits.

Medical Assistance Services should continue its efforts to implement its IT Third Party Risk Management Procedure and ensure those tasked with monitoring IT service providers confirm the geographic location of sensitive data, the provider’s performance of vulnerability scanning, and remediation efforts per the Security Standard. Medical Assistance Services should also ensure the individuals responsible for monitoring consistently perform formal oversight processes in a timely manner, which will help maintain the confidentiality, integrity, and availability of sensitive and mission critical data.

Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-048: Improve Information Security Program and IT Governance

Applicable to: Department of Social Services
Assigned Topic: Information Security Roles and Responsibilities
Prior Finding Number: 2024-035; 2023-027; 2022-022
Finding Type: Internal Control and Compliance
Finding Severity: Significant Deficiency
Financial Statement Finding: Yes
Federal Awards Finding: Yes
ALPT - ALN: Grants to States for Medicaid – 93.778
Federal Award ID (Year): 2505VA5MAP (2025)
Federal Agency: U.S. Department of Health and Human Services
Compliance Requirement: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to improve its information security program and information technology (IT) governance structure to address the weaknesses identified in prior audits. In August 2024, Social Services established the Innovation, Architecture, and Governance (IAG) Team to coordinate efforts among the Technology Services Division (TSD), the Cybersecurity Team, the Information Security Risk Management (ISRM) Division, and the Executive Team. The IAG Team established a roadmap to track the tasks, task owners, and target dates to bring the information security program in compliance with the Commonwealth’s Information Security Standard, SEC530 (Security Standard). The IAG Team also oversees regularly scheduled coordination working sessions to obtain updates from the owners assigned to each task in the roadmap. Additionally, Social Services changed the reporting structure for the ISRM Division, including the Information Security Officer (ISO). The ISO now reports directly to Social Services’ Commissioner. However, because of the extent of its corrective actions, Social Services has not yet accomplished all the tasks in the established roadmap to complete corrective actions to bring the information security program in compliance with the Security Standard.

Although Social Services continues to make significant progress towards prioritizing and implementing IT governance changes to address existing control deficiencies, the IAG Team needed time to establish a roadmap and coordinate efforts among the Cybersecurity Team, the TSD, the ISRM Division, and the Executive Team to be able to ensure effective implementation of the information security program and controls. Due to the number and magnitude of the issues, it will take time for Social Services to complete remediation efforts initiated according to the established roadmap.

The Security Standard requires agency heads to maintain a documented and effectively communicated information security program that is sufficient to protect the agency’s IT systems. Unidentified or unresolved vulnerabilities in Social Services’ IT environment could result in a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption, if accessed by either internal or external malicious attackers.

The TSD, the Cybersecurity Team, the ISRM Division, and Social Services’ Executive Team should continue to work together and follow the direction of the IAG Team to improve compliance with the Security Standard. As part of the continued effort, the Cybersecurity Team, the TSD, and the ISRM Division should continue to evaluate IT resource levels to ensure sufficient resources are available and dedicated to prioritizing and implementing the planned IT governance structure changes.

Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-049: Identify and Assign Security Roles for Each Sensitive IT System

Applicable to: Department of Social Services
Assigned Topic: Information Security Roles and Responsibilities
Prior Finding Number: N/A
Finding Type: Internal Control and Compliance
Finding Severity: Significant Deficiency
Financial Statement Finding: Yes
Federal Awards Finding: Yes
ALPT - ALN: Grants to States for Medicaid – 93.778
Federal Award ID (Year): 2505VA5MAP (2025)
Federal Agency: U.S. Department of Health and Human Services
Compliance Requirement: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services’ ISO did not identify a system owner for each sensitive IT system and ensure system owners assigned a data owner, system administrator, and data custodian for each sensitive IT system. Social Services manages and maintains 80 sensitive IT systems that require security role assignments. Specifically, our audit identified:

- The ISO did not identify a system owner for two of its 80 (3%) sensitive systems.
- The ISO did not confirm that system owners assigned a data owner for five of 80 (6%) sensitive systems.
- The ISO did not confirm that system owners assigned a system administrator for 40 of 80 (50%) sensitive systems.
- The ISO did not confirm that system owners assigned a data custodian for ten of 80 (13%) sensitive systems.

The Security Standard requires that the agency head or designee identify a system owner for each agency sensitive IT system and requires the system owner to assign a data owner, data custodian, and system administrator for each agency sensitive IT system. Without assigning security roles, Social Services lacks accountability, which may lead to a failure to enforce security policies and lead to a higher risk of security incidents.

Social Services designated the ISO with the responsibility for ensuring that it assigns security roles for each sensitive IT system. However, due to an oversight, the ISO did not assign security roles for each sensitive IT system. The ISO should identify a system owner for each sensitive IT system and ensure system owners assign a data owner, system administrator, and data custodian for each sensitive IT system to meet the Security Standard requirements and to maintain the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-050: Continue Improving IT Risk Management Program

Applicable to: Department of Social Services
Assigned Topic: Planning; Risk Assessment
Prior Finding Number: 2024-024; 2023-014; 2022-030; 2021-026; 2020-027; 2019-063; 2018-025
Finding Type: Internal Control and Compliance
Finding Severity: Significant Deficiency
Financial Statement Finding: Yes
Federal Awards Finding: Yes
ALPT - ALN: Grants to States for Medicaid – 93.778
Federal Award ID (Year): 2505VA5MAP (2025)
Federal Agency: U.S. Department of Health and Human Services
Compliance Requirement: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to not have a formal and effective IT Risk Management program that aligns with the requirements in the Security Standard. Specifically, Social Services does not:

- verify and validate the data and system sensitivity ratings of its systems to ensure proper IT system sensitivity ratings.
- ensure that its sensitive systems list aligns with completed data classifications.
- create or annually review risk assessments for each sensitive system.
- create or annually review system security plans for each sensitive system.
- implement risk treatment plans to mitigate risks following its sensitive systems’ risk assessments.

We communicated the details of these weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms.

The Security Standard requires Social Services to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ IT mission-critical systems and data. Social Services’ IT Risk Management program has a complex workflow, along with a complex IT environment, which has slowed the process of remediation and contributed to the identified weaknesses. By not meeting the minimum requirements in the Security Standard, Social Services cannot ensure the confidentiality, integrity, and availability of data within its systems.

Social Services should obtain and dedicate the necessary resources to ensure that its IT Risk Management program aligns with the Security Standard. Additionally, Social Services should implement the controls required to address the weaknesses identified in the FOIAE communication.

Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-051: Improve Database Security

Applicable to: Department of Social Services
Assigned Topic: Access Control; Identification and Authentication
Prior Finding Number: N/A
Finding Type: Internal Control and Compliance
Finding Severity: Significant Deficiency
Financial Statement Finding: Yes
Federal Awards Finding: Yes
ALPT - ALN: Grants to States for Medicaid – 93.778
Federal Award ID (Year): 2505VA5MAP (2025)
Federal Agency: U.S. Department of Health and Human Services
Compliance Requirement: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services does not require and has not implemented certain requirements in accordance with the Security Standard and industry best practices for its database. We identified two control weaknesses and communicated them to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms.

The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ IT mission critical systems and data. By not meeting the minimum requirements in the Security Standard, Social Services cannot ensure the confidentiality, integrity, and availability of data within its systems.

Due to an oversight, Social Services’ management did not identify that the database was not configured according to Security Standard requirements. Social Services began testing and applying the configurations needed to resolve the weaknesses identified in the database during the audit. Social Services should dedicate the necessary resources to ensure database configurations align with the requirements of the Security Standard and industry best practices.

Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-052: Improve Change Management Process

Applicable to: Department of Social Services
Assigned Topic: Configuration Management; System and Services Acquisition
Prior Finding Number: N/A
Finding Type: Internal Control and Compliance
Finding Severity: Significant Deficiency
Financial Statement Finding: Yes
Federal Awards Finding: Yes
ALPT - ALN: Grants to States for Medicaid – 93.778
Federal Award ID (Year): 2505VA5MAP (2025)
Federal Agency: U.S. Department of Health and Human Services
Compliance Requirement: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services does not consistently follow its IT change management process to include elements required by its IT Change Management Process Procedure and the Security Standard. Specifically, our review found:

- Social Services did not track changes to application code and maintain version control in one of its three (33%) development projects.
- Social Services did not perform a risk and impact analysis for one of 40 (3%) changes.
- Social Services did not review the risk and impact analysis and validate the change for four of 40 (10%) changes.
- Social Services did not establish and document a backout plan for one of 40 (3%) changes.
- Social Services did not update and attach supporting documentation for the change for 40 of 40 (100%) changes.
- Social Services did not complete user acceptance testing for six of 40 (15%) changes.
- Social Services did not validate the change to confirm complete and successful execution for one of 40 (3%) changes.

Social Services’ IT Change Management Process Procedure requires that each change include a documented risk and impact rating validated through ISRM oversight; an implementation plan (also known as the Playbook, which verifies technical testing and roles and responsibilities); a clearly defined backout plan; post-implementation validation to verify all acceptance criteria were met (including testing evidence); and attached closure documents that include user acceptance testing and updated supporting documentation, such as technical diagrams and baselines. The Security Standard requires that Social Services document and implement configuration change control processes that involve the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Additionally, the Security Standard requires agencies to employ tools and processes for maintaining trusted generations of source code.

Social Services established and implemented its current change management procedure and process in September 2024; however, the process has not matured to include the necessary oversight to ensure employees adhere to each of the steps in the procedure. Without consistently implementing a formal change management process that aligns with the requirements of its IT Change Management Process Procedure and the Security Standard, Social Services increases the risk of implementing unauthorized changes to its production environment that may negatively affect the confidentiality, integrity, and availability of its IT systems and data.

Social Services should implement an oversight capability to consistently implement and systematically record all changes according to its IT Change Management Process Procedure and the Security Standard.

Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-053: Improve Identity and Access Management Oversight and Controls

Applicable to: Department of Social Services
Assigned Topic: Access Control; Identification and Authentication; Information Security Roles and Responsibilities
Prior Finding Number: N/A
Finding Type: Internal Control and Compliance
Finding Severity: Significant Deficiency
Financial Statement Finding: Yes
Federal Awards Finding: Yes
ALPT - ALN: Grants to States for Medicaid – 93.778
Federal Award ID (Year): 2505VA5MAP (2025)
Federal Agency: U.S. Department of Health and Human Services
Compliance Requirement: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services does not conduct organization-wide oversight to ensure the performance of identity and access management (IAM) controls that protect sensitive information in its critical systems in accordance with organizational policies and procedures and the Security Standard. Social Services manages sensitive systems that require strong IAM controls. As a result of not conducting organization-wide oversight, Social Services does not:

- Examine and evaluate risk for critical IAM elements and maintain risk assessments to capture changes in risk and the control environment to ensure Social Services implements appropriate controls to reduce risk to an acceptable level.
- Define processes and practices to collect, monitor, and evaluate performance metrics that Social Services has implemented for IAM functions to evaluate how the functions are performing against agreed-upon performance expectations and report results to stakeholders.
- Revoke access for terminated users timely.
- Maintain an inventory of service accounts, document the purpose of each account, and centrally manage the service accounts to minimize the potential for misuse.
- Provide access to users only after the asset owner authorizes access. Social Services’ Access Control Policy states that the System Owner shall require the implementation team to enforce approved authorizations.

The Security Standard states that the agency head is responsible for the security of the agency’s IT systems and data, including designating an ISO for the agency that reports directly to the agency head. The Security Standard states that the ISO is responsible for developing and managing the agency’s information security program.

By not conducting organization-wide oversight of IAM controls, Social Services cannot rely on the controls to effectively reduce the risk of compromise to confidentiality, integrity, and availability of sensitive data in its IT environment. Social Services’ decentralized approach to ensuring IAM control compliance contributes to the lack of oversight and lack of efficient and effective implementation of the individual IAM findings outlined above.

Social Services should assign oversight of organizational IAM controls to a central person or team. The person or team responsible should subsequently establish and implement a centralized process to oversee IAM controls to ensure Social Services consistently implements access and account management controls. A centralized oversight IAM function will help Social Services manage IAM controls to protect the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
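Three of the IAM oversight gaps listed in finding 2025-053 (terminated users whose access is not revoked timely, service accounts without a documented owner and purpose, and access granted without asset-owner authorization) are the kind of check a central oversight function can run mechanically against an HR termination feed and an account export. The block below is an added illustration and is not code from the audit report or from Social Services; the account names, dates, field names and the one-day revocation window are constructed assumptions, not the agency's actual policy values.

```python
"""Added example: centralized IAM oversight checks over a constructed account export.

Not part of the audit report. The sample accounts, HR termination dates and the
REVOCATION_WINDOW policy value are invented for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    kind: str                          # "user" or "service"
    enabled: bool
    owner: Optional[str] = None        # service accounts: accountable owner
    purpose: Optional[str] = None      # service accounts: documented purpose
    approved_by: Optional[str] = None  # asset owner who authorized the access


# Constructed HR feed: username -> termination date (assumed format).
TERMINATIONS: Dict[str, date] = {
    "jdoe": date(2025, 3, 3),
    "asmith": date(2025, 5, 20),
    "bwong": date(2025, 6, 1),
}

# Constructed export from the identity store.
ACCOUNTS: List[Account] = [
    Account("jdoe", "user", enabled=True, approved_by="owner-1"),      # terminated, still enabled
    Account("asmith", "user", enabled=False, approved_by="owner-1"),   # terminated, disabled in time
    Account("bwong", "user", enabled=True, approved_by="owner-2"),     # terminated yesterday, inside window
    Account("cjones", "user", enabled=True, approved_by=None),         # active, no authorization recorded
    Account("svc-etl", "service", enabled=True, owner="data-team", purpose="nightly load"),
    Account("svc-legacy", "service", enabled=True),                    # no owner, no purpose
]

# Assumed policy value: access must be disabled within one day of termination.
REVOCATION_WINDOW = timedelta(days=1)


def stale_terminated_accounts(accounts, terminations, as_of) -> List[str]:
    """Enabled accounts whose HR termination date is older than the revocation window."""
    return sorted(
        a.username for a in accounts
        if a.enabled and a.username in terminations
        and as_of - terminations[a.username] > REVOCATION_WINDOW
    )


def unauthorized_user_accounts(accounts) -> List[str]:
    """Enabled user accounts with no asset-owner authorization on record."""
    return sorted(a.username for a in accounts
                  if a.kind == "user" and a.enabled and not a.approved_by)


def undocumented_service_accounts(accounts) -> List[str]:
    """Service accounts missing an owner or a documented purpose."""
    return sorted(a.username for a in accounts
                  if a.kind == "service" and (not a.owner or not a.purpose))


def iam_oversight_report(accounts, terminations, as_of) -> Dict[str, List[str]]:
    """Roll the three checks into one report a central oversight team could review."""
    return {
        "stale_terminated": stale_terminated_accounts(accounts, terminations, as_of),
        "unauthorized_users": unauthorized_user_accounts(accounts),
        "undocumented_service": undocumented_service_accounts(accounts),
    }


if __name__ == "__main__":
    for check, names in iam_oversight_report(ACCOUNTS, TERMINATIONS, date(2025, 6, 2)).items():
        print(f"{check}: {names}")
```

Each check returns the offending account names rather than printing them so the results can feed a tracked exception list; in practice the HR feed and account export would come from the agency's own systems rather than the constructed lists shown here.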
2025-068: Improve Database Security Applicable to: Department of Medical Assistance Services Assigned Topic: Access Control; Audit and Accountability; Identification and Authentication; System and Information Integrity Prior Finding Number: 2024-023 Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Grants to States for Medicaid – 93.778 Federal Award ID (Year): 2505VA5MAP (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 The Department of Medical Assistance Services (Medical Assistance Services) has made significant progress improving security for the database supporting its primary system for financial accounting and reporting in accordance with its internal procedures, the Commonwealth’s Information Security Standard, SEC530 (Security Standard), and industry best practices, such as the Center for Internet Security Benchmarks (CIS Benchmark). Since the prior year audit, Medical Assistance Services remediated four of the eight weaknesses previously identified. However, Medical Assistance Services does not define deviations from recommended and expected security configurations in its baseline configuration, leading to some weaknesses still existing in the database. We communicated the remaining weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. The Security Standard requires Medical Assistance Services to develop, document, and disseminate information security policies and procedures that align with the control requirements in the Security Standard. 
Additionally, the Security Standard requires Medical Assistance Services to develop, document, and maintain a current baseline configuration of the system; apply more restrictive security configurations for sensitive systems; and monitor systems for security baseline and policy compliance. Without aligning the database’s settings and configurations with its policies and procedures, the Security Standard, and industry best practices, Medical Assistance Services cannot ensure data integrity within the database. Additionally, without documenting details and the justification for approved deviations, Medical Assistance Services increases the risk that it will not meet minimum-security requirements and recommendations to protect its sensitive data from malicious parties. A lack of resources led to Medical Assistance Services experiencing delays in resolving the remaining weaknesses. Medical Assistance Services should dedicate the resources necessary to review and update its procedures to define deviations from recommended and expected security configurations as well as business justification and approval for any deviations. Additionally, Medical Assistance Services should develop a process to review the database’s configuration against its established procedures on a scheduled basis and after major changes occur to help detect and address potential misconfigurations timely. Furthermore, Medical Assistance Services should implement the security controls and processes communicated in the FOIAE document to address the risks present in the database to ensure the configuration aligns with its procedures, the Security Standard, and CIS Benchmark. These actions will help maintain the confidentiality, availability, and integrity of Medical Assistance Services’ sensitive and mission-critical data. 
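The point of the finding about deviations is that a setting which differs from the baseline is acceptable only when a deviation record exists that carries the deviating value, a business justification, an approver and an expiry date, and that the live configuration must be re-checked against both the baseline and that register on a schedule and after major changes. The script below is an added illustration of such a check; it is not code from the audit report, from Medical Assistance Services, or from the CIS Benchmark. The setting names, values, deviation records and review date are constructed, and the shape of the configuration export is assumed.

```python
"""Baseline-vs-actual configuration check with a documented-deviation register.
Setting names, values, deviation records and the review date are constructed
for illustration; they are not items from any CIS Benchmark."""
from datetime import date

# Constructed review date for deciding whether a deviation approval has lapsed.
AS_OF = date(2025, 6, 30)

# Constructed hardened baseline: setting -> required value.
BASELINE = {
    "audit_trail_enabled": True,
    "remote_os_authentication": False,
    "failed_login_lockout_threshold": 5,
    "password_max_age_days": 90,
    "require_tls": True,
    "sample_schemas_installed": False,
    "db_link_encryption": True,
}

# Constructed register of approved deviations. A usable record carries the
# deviating value, a business justification, an approver and an expiry date.
APPROVED_DEVIATIONS = {
    "remote_os_authentication": {
        "value": True, "justification": "Legacy batch host, retirement scheduled",
        "approved_by": "ISO", "expires": date(2026, 1, 31)},
    "password_max_age_days": {
        "value": 180, "justification": "Service accounts rotated by vault",
        "approved_by": "ISO", "expires": date(2025, 3, 31)},      # approval lapsed
    "db_link_encryption": {
        "value": False, "justification": "Vendor link does not support TLS",
        "approved_by": None, "expires": date(2026, 6, 30)},        # never approved
}

# Constructed export of the database's live settings. "require_tls" is absent
# to show how a setting the export did not return is reported.
ACTUAL = {
    "audit_trail_enabled": True,
    "remote_os_authentication": True,
    "failed_login_lockout_threshold": 10,
    "password_max_age_days": 180,
    "sample_schemas_installed": False,
    "db_link_encryption": False,
}


def classify(setting, actual, baseline, deviations, as_of):
    """Status of one baseline setting against the live value and the register."""
    if setting not in actual:
        return "missing"
    if actual[setting] == baseline[setting]:
        return "compliant"
    dev = deviations.get(setting)
    # A deviation record only covers the exact value that is live.
    if dev is None or dev["value"] != actual[setting]:
        return "undocumented_deviation"
    # A record without a justification or an approver is not an approval.
    if not dev.get("justification") or not dev.get("approved_by"):
        return "undocumented_deviation"
    if dev["expires"] < as_of:
        return "expired_deviation"
    return "approved_deviation"


def evaluate(actual=ACTUAL, baseline=BASELINE, deviations=APPROVED_DEVIATIONS, as_of=AS_OF):
    """Group every baseline setting by its compliance status."""
    report = {k: [] for k in ("compliant", "approved_deviation",
                               "undocumented_deviation", "expired_deviation", "missing")}
    for setting in sorted(baseline):
        report[classify(setting, actual, baseline, deviations, as_of)].append(setting)
    return report


def action_items(report):
    """Settings that need either a configuration change or a current, approved deviation."""
    return sorted(report["undocumented_deviation"]
                  + report["expired_deviation"]
                  + report["missing"])


if __name__ == "__main__":
    result = evaluate()
    for status, settings in result.items():
        print(f"{status}: {settings}")
    print("action items:", action_items(result))
```

Run on a schedule and again after each major change, the action-item list is the work queue: a setting either goes back to the baseline value or gets a deviation record that is justified, approved and not yet expired. A record whose approver field is empty is treated the same as no record at all, which is the distinction the finding draws between a deviation that merely exists and one that is documented and approved.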
Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-084: Improve Web Application Security Applicable to: Department of Social Services Assigned Topic: Audit and Accountability Prior Finding Number: 2024-025; 2023-015; 2022-029; 2021-025; 2020-026; 2019-037 Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Grants to States for Medicaid – 93.778 Federal Award ID (Year): 2505VA5MAP (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services still does not configure a sensitive web application in accordance with its internal policies and the Security Standard. Social Services remediated four of the five previously communicated weaknesses but has not remediated the remaining one. We communicated the control weakness to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard requires Social Services to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ IT mission-critical systems and data. By not meeting the minimum requirements in the Security Standard, Social Services cannot ensure the confidentiality, integrity, and availability of data within its systems. Social Services prioritized other projects, which contributed to the weakness persisting. Social Services’ TSD, ISRM Division, and business owners should work together to remediate the remaining weakness to secure the web application and meet the minimum requirements in Social Services’ internal policies and the Security Standard. Addressing this weakness will help to ensure that Social Services secures its IT environment and systems to protect its sensitive and mission-critical data and achieve compliance with both internal policies and the Security Standard. 
Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-085: Conduct Information Technology Security Audits Applicable to: Department of Social Services Assigned Topic: Audit and Accountability Prior Finding Number: 2024-058; 2023-056 Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Grants to States for Medicaid – 93.778 Federal Award ID (Year): 2505VA5MAP (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services is making progress in conducting a comprehensive IT security audit on each sensitive IT system at least once every three years. Social Services identified 78 sensitive IT systems which currently require an IT security audit and completed audits for 30 of these systems during calendar years 2022 and 2023. These systems are due to be audited again during the three-year audit period covering calendar years 2024 to 2026. Additionally, Social Services completed audits for 31 sensitive IT systems during calendar year 2024. However, 17 sensitive IT systems (22%) remain unaudited, including one system that has not been audited since 2017. Social Services hired a contractor to complete an audit over each of the remaining unaudited systems and those due for audit during the audit period covering calendar years 2024 to 2026. Social Services did not perform the remaining IT security audits due to prioritizing required federal audits and needing additional funding to contract out the remaining sensitive system audits. Lack of a documented procedure and process for conducting IT security audits also contributed to the lapse in IT security audits conducted over the last three years. Additionally, Social Services drafted an IT Audit Policy for conducting IT security audits over each sensitive system but has not implemented it since it is pending management’s approval. 
Social Services indicates it is on track to approve the draft policy and complete the remaining IT security audits by the end of calendar year 2026. The Security Standard requires that each IT system classified as sensitive undergo an IT security audit as required by and in accordance with the current version of the Commonwealth’s IT Security Audit Standard, SEC502 (IT Audit Standard). The IT Audit Standard requires that IT systems containing sensitive data, or systems with an assessed sensitivity of high on any of the criteria of confidentiality, integrity, or availability, receive an IT security audit at least once every three years. Without conducting full IT security audits for each sensitive system once every three years, Social Services increases the risk that IT staff will not detect and mitigate existing weaknesses. Malicious parties taking advantage of continued weaknesses could compromise sensitive and confidential data. Further, such security incidents could lead to mission-critical systems being unavailable. Social Services should finalize and implement its IT Audit Policy then complete all outstanding IT security audits to ensure it meets its IT Audit Policy and Security Standard requirements. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-093: Evaluate Separation of Duty Conflicts within the Case Management System Applicable to: Department of Social Services Assigned Topic: Access Control Prior Finding Number: 2024-041; 2023-034 Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Grants to States for Medicaid – 93.778 Federal Award ID (Year): 2505VA5MAP (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Benefit Programs continues to implement corrective actions pertaining to evaluating separation of duties conflicts within its case management system. In response to the prior audit findings, Benefit Programs developed a collaborative strategy to address separation of duties conflicts in the case management system and generated a complete listing of current roles and responsibilities. However, because of the extent of its corrective actions, Benefit Programs could not fully develop and implement all corrective actions by the end of fiscal year 2025. Benefit Programs intends to create a matrix to identify individual conflicts, generate a report of users with conflicting roles, and develop justifications and internal controls for these instances by the end of fiscal year 2026. Social Services, in conjunction with local departments of social services, other state agencies, and numerous contractors, uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF Cluster, LIHEAP, and TANF federal grant programs. Social Services authorized over $18 billion in assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2025. 
The Security Standard requires the agency to separate duties of individuals as necessary, document separation of duties of individuals, and define information system access authorizations to support the separation of duties. Further, Social Services’ Information Security Policy states that the system owner is responsible for identifying and documenting separation of duties for individuals and defining system access authorizations to support separation of duties. Without identifying and evaluating separation of duties conflicts, Benefit Programs does not know which combination of roles may pose a separation of duties conflict in its case management system. As a result, Benefit Programs is unable to implement compensating controls, which increases the possibility of a system breach or other malicious attack on Social Services’ data and places Social Services’ reputation at risk. Benefit Programs should continue to implement its corrective actions pertaining to evaluating separation of duties within its case management system. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-100: Continue Developing Record Retention Requirements and Processes for Electronic Records Applicable to: Department of Social Services Assigned Topic: Contingency Planning Prior Finding Number: 2024-067; 2023-066; 2022-064; 2021-047; 2020-041; 2019-049; 2018-054 Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Grants to States for Medicaid – 93.778 Federal Award ID (Year): 2505VA5MAP (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(e); 45 CFR § 155.1210 Known Questioned Costs: $0 Social Services continues to operate without an adequate data retention process that ensures consistent compliance with retention requirements for its case management system and adherence to federal regulations and state law. Social Services’ case management system stores several types of federal benefit program records with varying retention requirements supporting ten programs and services, such as the Medical Assistance (Medicaid), Supplemental Nutrition Assistance (SNAP), Child Care and Development Fund (CCDF) Cluster, Low-Income Home Energy Assistance (LIHEAP), and TANF federal grant programs. Social Services’ case management system authorized over $18 billion in public assistance payments to beneficiaries from these federal programs during fiscal year 2025. Social Services encountered delays with its record purge and retention project because of the magnitude and complexities associated with effectively implementing a retention and purge process for an integrated eligibility system. Additionally, Social Services identified an additional required element of the purge and retention project following its Release 1 implementation in February 2024. 
For these reasons, Social Services’ plan includes updating the purge and retention design document and implementing Release 2 in August 2025, then completing the purge and retention project with the final releases, Release 3 and Release 4, by February 2026. Title 45 CFR § 155.1210 governs record retention for Medicaid and requires state agencies to maintain records for ten years. Additionally, the Virginia Public Records Act, outlined in § 42.1-91 of the Code of Virginia, makes an agency responsible for ensuring that its public records are preserved, maintained, and accessible throughout their lifecycle, including converting and migrating electronic records as often as necessary so that the agency does not lose information due to hardware, software, or media obsolescence or deterioration. Further, the Virginia Public Records Act (§ 42.1-76 et seq. of the Code of Virginia) details requirements for the disposition of records. Section 42.1-86.1 requires that records created after July 1, 2006, and authorized to be destroyed or discarded, must be discarded in a timely manner, and such records that contain identifying information as defined by subsection C of § 18.2-186.3 of the Code of Virginia shall be destroyed within six months of the expiration of the records retention period. Finally, the Security Standard requires agencies to implement backup and restoration plans that address the retention of the data in accordance with the records retention policy for every IT system identified as sensitive relative to availability. Without implementing records retention requirements, Social Services increases the risk of a data or privacy breach. Additionally, destroying documents that should be available for business processes or audit, or keeping data longer than stated, could expose Social Services to fines, penalties, or other legal consequences. 
Further, Social Services may not be able to ensure that backup and restoration efforts will provide mission-critical information according to recovery times. Finally, retaining records longer than necessary causes the Commonwealth to spend additional resources to maintain, back-up, and protect information that no longer serves a business purpose. Social Services should complete the record purge and retention project for its case management system and should subsequently implement consistent records retention and destruction processes across business divisions to ensure compliance with laws and regulations. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-101: Upgrade End-of-Life Technology Applicable to: Department of Social Services Assigned Topic: System and Information Integrity Prior Finding Number: 2024-064; 2023-058; 2022-060 Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Grants to States for Medicaid – 93.778 Federal Award ID (Year): 2505VA5MAP (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services continues to use end-of-life technologies in its IT environment and maintains technologies that support mission-essential data on IT systems running software that its vendors no longer support. We communicated the control weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard prohibits agencies from using end-of-life software that the vendor no longer supports, in order to reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data. By not meeting the minimum requirements in the Security Standard, Social Services cannot ensure the confidentiality, integrity, and availability of data within its systems. Project delays, including prioritizing other initiatives, slowed remediation efforts. Social Services should dedicate the necessary resources to evaluate and implement the controls and recommendations discussed in the communication marked FOIAE in accordance with the Security Standard. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-026: Complete FFATA Reporting for First Tier SABG Subawards Applicable to: Department of Behavioral Health and Developmental Services Assigned Topic: Federal Grants Management Prior Finding Number: 2022-107 Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: No Federal Awards Finding: Yes ALPT - ALN: Block Grants for Prevention and Treatment of Substance Abuse - 93.959 Federal Award ID (Year): 1B08TI088137-01 (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Reporting - 2 CFR Part 170 Appendix A Known Questioned Costs: $0 The DBHDS Office of Fiscal and Grants Management (Fiscal and Grants Management) is not fully completing Federal Funding Accountability and Transparency Act (FFATA) reporting for all first tier subaward recipients that received funding from the Substance Abuse Block Grant (SABG) federal program. Specifically, Fiscal and Grants Management did not complete FFATA reporting for all Community Service Boards (CSBs) and for one non-CSB entity tested. During fiscal year 2025, DBHDS disbursed approximately $49.4 million in SABG funds to CSBs. This total represents approximately 79 percent of the SABG federal program’s expenses for the fiscal year. Title 2 U.S. Code of Federal Regulations (CFR) Part 170 Appendix A requires a non-federal entity to report each obligating action, exceeding $30,000, to the FFATA Subaward Reporting System. Fiscal and Grants Management identified the reporting requirements in its FFATA reporting policies and procedures and completed FFATA reporting for other first tier subaward recipients tested. Fiscal and Grants Management created a query to run a report in the DBHDS grants management system which pulls all required information to ensure completeness of FFATA reporting. 
However, Fiscal and Grants Management did not complete FFATA reporting for CSBs as the query did not include a necessary field to pull information for the CSBs. Furthermore, Fiscal and Grants Management did not complete FFATA reporting for one non-CSB entity tested due to lack of management oversight. Not properly completing FFATA reporting could result in a citizen or federal official having a distorted view as to how DBHDS is obligating federal funds from the SABG federal program. Fiscal and Grants Management should correct errors noted in the query within the grants management system to retrieve the necessary FFATA report information for CSBs. Additionally, Fiscal and Grants Management should incorporate sufficient management review into its reporting processes to ensure accurate and complete FFATA reporting for all first tier subaward recipients for the SABG federal program. Finally, Fiscal and Grants Management should evaluate whether it is fulfilling its FFATA reporting responsibilities for other federal grant programs, as applicable. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-094: Improve Access Controls for the Grants Management System Applicable to: Department of Behavioral Health and Developmental Services Assigned Topic: Access Control Prior Finding Number: N/A Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Block Grants for Prevention and Treatment of Substance Abuse - 93.959 Federal Award ID (Year): 1B08TI088137-01 (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 DBHDS has not implemented adequate access controls for its grants management system. DBHDS has created an administrative manual for its grants management system, which includes information such as granting and approving user access, properly removing user access, and outlining an annual review, as well as roles and responsibilities for individuals within the agency and the grants management system’s service provider. However, DBHDS is not adhering to the controls outlined in this manual nor does it have sufficient documentation of these access controls. As a result, we identified the following deficiencies:
- DBHDS management does not monitor the activity of system administrators who have privileged role assignments.
- DBHDS management does not have a formal process for periodically reviewing system access for all users.
- For four of four (100%) terminated employees tested, DBHDS did not remove access within 24 hours of the employee’s separation, with access removal ranging from 144 to 265 days after termination.
- For nine of 13 (69%) users tested, DBHDS management did not retain supporting documentation to verify the user’s level of access or the supervisor’s approval.
- For three of 13 (23%) active users tested, DBHDS did not deactivate the user’s account after the employee’s termination.
The Security Standard requires reviewing accounts for compliance with account management requirements on an annual basis and following an environmental change; disabling user accounts within 24 hours of when users are terminated or transferred; monitoring privileged role assignments; and creating and enabling accounts in accordance with the agency-defined logical access control policy. By not properly approving system access or terminating access timely, DBHDS increases the risk of unauthorized individuals entering or approving transactions which could affect the integrity of the information within the grants management system. Without a review of user access levels on an annual basis or a process to monitor the activity of privileged users, DBHDS cannot verify that each user’s access is appropriate based on job function, does not violate the principle of least privilege or separation of duties, and has not been used for inappropriate activity. Due to lack of training and management oversight, DBHDS did not perform all access control requirements as outlined by the Security Standard. In addition, users gain access to the grants management system by submitting a ticket to the DBHDS help desk; however, the ticketing system does not require supervisory approval before granting access. DBHDS should improve the design and implementation of access controls for the grants management system to ensure they align with the DBHDS administrative manual and the Security Standard. Specifically, DBHDS should provide training regarding the administrative manual. DBHDS should also ensure supervisors approve access before granting access; remove access timely when employees terminate; and retain all supporting documentation regarding system access including approving, granting, and removing new and existing access. In addition, DBHDS should develop a formal process for periodically reviewing system access as well as reviewing activity for privileged users. 
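The checks this finding calls for (deactivation within 24 hours of separation, separated users whose accounts remain enabled, access with no retained supervisor approval, and a queue of privileged accounts for periodic review) are mechanical once the HR separation feed and the application's account export are available together, which is also what a central IAM oversight function would run on a schedule. The script below is an added illustration of those checks; it is not code from the audit report or from DBHDS. The user names, timestamps, ticket numbers and the review date are constructed, and the layout of both feeds is assumed.

```python
"""Scheduled IAM oversight checks over an HR separation feed and an application
account export. All data below is constructed for illustration."""
from datetime import datetime, timedelta, timezone

# Constructed review date used when measuring accounts that are still enabled.
AS_OF = datetime(2025, 6, 30, 9, 0, tzinfo=timezone.utc)

# Constructed HR separation feed: user id -> separation time (UTC).
SEPARATIONS = {
    "jdoe":   datetime(2025, 1, 10, 17, 0, tzinfo=timezone.utc),
    "asmith": datetime(2025, 2, 3, 12, 30, tzinfo=timezone.utc),
    "bkhan":  datetime(2025, 3, 15, 9, 0, tzinfo=timezone.utc),
    "cli":    datetime(2025, 4, 1, 8, 0, tzinfo=timezone.utc),
}

# Constructed account export from the application. disabled_at is None while
# the account is still enabled; approval_ticket is None when no supervisor
# approval record was retained for the access.
ACCOUNTS = [
    {"user": "jdoe",    "disabled_at": datetime(2025, 1, 11, 9, 0, tzinfo=timezone.utc),
     "privileged": False, "approval_ticket": "REQ-1001"},
    {"user": "asmith",  "disabled_at": datetime(2025, 6, 27, 12, 30, tzinfo=timezone.utc),
     "privileged": True,  "approval_ticket": None},
    {"user": "bkhan",   "disabled_at": None,
     "privileged": False, "approval_ticket": "REQ-1040"},
    {"user": "cli",     "disabled_at": datetime(2025, 4, 1, 20, 0, tzinfo=timezone.utc),
     "privileged": True,  "approval_ticket": "REQ-1077"},
    {"user": "svc_etl", "disabled_at": None,
     "privileged": True,  "approval_ticket": None},
]

# Security Standard requirement quoted in the finding: disable within 24 hours.
SLA = timedelta(hours=24)


def late_deactivations(separations, accounts, sla=SLA, as_of=AS_OF):
    """Return {user: days_after_separation} for separated users whose account
    was not disabled within `sla`. Accounts still enabled are measured to `as_of`."""
    by_user = {a["user"]: a for a in accounts}
    late = {}
    for user, separated_at in separations.items():
        acct = by_user.get(user)
        if acct is None:
            continue  # no account in this system, nothing to disable
        end = acct["disabled_at"] or as_of
        elapsed = end - separated_at
        if elapsed > sla:
            late[user] = elapsed.days  # whole days since separation
    return late


def enabled_after_separation(separations, accounts):
    """Separated users whose account is still enabled at review time."""
    return sorted(a["user"] for a in accounts
                  if a["disabled_at"] is None and a["user"] in separations)


def missing_approval(accounts):
    """Accounts with no retained supervisor approval record."""
    return sorted(a["user"] for a in accounts if not a["approval_ticket"])


def privileged_review_queue(accounts):
    """Enabled privileged accounts that the periodic review must cover."""
    return sorted(a["user"] for a in accounts
                  if a["privileged"] and a["disabled_at"] is None)


def access_review_report(separations=SEPARATIONS, accounts=ACCOUNTS, as_of=AS_OF):
    """Everything a reviewer needs in one structure."""
    return {
        "late_deactivations": late_deactivations(separations, accounts, as_of=as_of),
        "enabled_after_separation": enabled_after_separation(separations, accounts),
        "missing_approval": missing_approval(accounts),
        "privileged_review_queue": privileged_review_queue(accounts),
    }


if __name__ == "__main__":
    for key, value in access_review_report().items():
        print(f"{key}: {value}")
```

The report measures days since separation rather than days past the deadline, because that is the figure the finding reports and the one that tells a reviewer how long the exposure lasted. Joining on the HR feed is what makes the third deficiency detectable at all: an account export alone cannot show that an enabled user has already left, and a help-desk ticket that never required supervisory approval leaves exactly the empty approval field the `missing_approval` check flags.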
Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-023: Strengthen Internal Controls over Payroll Processes Applicable to: Department for Aging and Rehabilitative Services Assigned Topic: Federal Grants Management Prior Finding Number: N/A Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: No Federal Awards Finding: Yes ALPT - ALN: Social Security Disability Insurance - 96.001 Federal Award ID (Year): 04-2404VADI00 (2024); 04-2504VADI00 (2025) Federal Agency: U.S. Social Security Administration Compliance Requirement: Allowable Costs/Cost Principles - 2 CFR § 200.303(a); 2 CFR 200.430(g)(1)(i) Known Questioned Costs: $0 Aging and Rehabilitative Services’ Finance Division is not maintaining adequate internal control over several of its key payroll processes. During fiscal year 2025, Aging and Rehabilitative Services spent approximately $213 million in federal funds, of which about $85 million (40%) was for personal service expenses. We identified the following specific weaknesses:
- Aging and Rehabilitative Services’ Finance Division does not have written, agency-specific payroll policies and procedures governing all critical payroll processes, including payroll reconciliations and payroll certifications. The Department of Accounts’ (Accounts) Commonwealth Accounting Policies and Procedures (CAPP) Manual Topic 10305 requires agencies to develop and maintain their own written policies over critical processes, including payroll, rather than relying solely on system guidance or the CAPP Manual.
- Aging and Rehabilitative Services’ Finance Division was unable to provide documentation supporting the completion and review of payroll (pay period) reconciliations for five out of the five (100%) payroll (pay period) reconciliations selected. CAPP Manual Topic 50905 requires agencies to complete payroll (pay period) reconciliations to ensure payroll transactions are accurate, complete, and properly reviewed.
Aging and Rehabilitative Services’ Finance Division relies on the Accounts’ Cardinal Human Capital Management (HCM) materials and CAPP Manual provisions to support its payroll activities. While the use of Accounts’ guidance provides a foundation for internal control, it is not intended to be a substitute for the agency’s own internal policies and procedures. The absence of documented internal policies and procedures limits consistency, accountability, and management oversight and increases the risk that Aging and Rehabilitative Services will not prevent and/or detect errors or discrepancies in a timely manner. Title 2 CFR § 200.303(a) requires that federal grant recipients establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient or subrecipient is managing the federal award in compliance with Federal statutes, regulations, and the terms and conditions of the federal award. Further, 2 CFR 200.430(g)(1)(i) states that charges to federal awards for salaries and wages must be supported by a system of internal control that provides reasonable assurance that the charges are accurate, allowable, and properly allocated. Aging and Rehabilitative Services’ Finance Division experienced staffing shortages during the period under review because of turnover and was unable to devote the resources necessary to establish internal controls over several of its key payroll processes. Aging and Rehabilitative Services’ management should devote the necessary resources to establish and maintain proper internal control over its payroll processes. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.