Activities Allowed or Unallowed, Allowable Costs/ Cost Principles, Cash Management, Eligibility, Suspension and Debarment, Reporting, Special Tests and Provisions – Information Technology – User Access Federal Agency: U.S. Department of Agriculture (USDA) Federal Program Title: Food Distribution Cluster Texas 1944 Water Treaty Grant ALN: 10.565, 10.568, 10.560 10.126 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: Food Distribution Cluster 246TX816Y8105, 256TX816Y7105, 246TX818Y8613, 238TX000I1003, 246TX816Q2204 October 1, 2023 - September 30, 2024, October 1, 2024 - September 30, 2025, November 3, 2023 - November 2, 2024, May 23, 2023 - June 30, 2025, October 1, 2023 - September 30, 2024 Texas 1944 Water Treaty Grant FSA25GRA0012028 March 19, 2025 - March 31, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Per 2 CFR §200.303(a), Texas Department of Agriculture (TDA) must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Additionally, 2 CFR §200.303(e) requires taking reasonable cybersecurity and other measures to safeguard information including protected personally identifiable information (PII) and other types of information. Condition: During testing of user termination controls, we identified two instances, out of a sample of 14 terminated users, in which access was not removed within the timeframe required by TDA’s System Administrator separation process (i.e., application access removed on the date of the ticket/same day of termination and network access within one business day): Application (TX‑UNPS): User A was terminated on 06/13/2025. Network access was removed on 06/16/2025 (within one business day), but TX‑UNPS application access remained active until 06/19/2025 (removed after four business days), which does not meet the same‑day requirement for application access. Network: User B was terminated on 09/13/2024. Network access was removed on 09/17/2024 (removed after one business day due to weekend/holiday schedule), which does not meet the requirement for removal within one business day. Questioned costs: None. Context: See “Condition.” Cause: The delays appear to be the result of breakdowns in the coordination between HR separation processes and IT access revocation procedures, including delays in communication or gaps in the automated termination workflow. Effect: Failure to remove user access promptly increases the risk of: • Unauthorized access to confidential or sensitive information; • Potential manipulation, loss, or misuse of program data; • Increased exposure to operational and security risks. Although no misuse of access was identified, the presence of active credentials after termination represents a significant control deficiency. Repeat Finding: No Recommendation: We recommend that TDA: • Strengthen coordination between HR and IT functions to ensure immediate notification upon employee separation. • Implement automated workflows that disable all user access promptly upon termination. • Conduct periodic reconciliations of HR separation lists against active user accounts to detect and remove any lingering access. • Enhance monitoring controls, including reporting dashboards or alerts triggered when access is not removed within a defined timeframe. Views of responsible officials: TDA agrees with the finding. TDA acknowledges that improvements can be made to the separation process.
Cash Management, Eligibility, Matching and Earmarking, Period of Performance, Suspension and Debarment, Reporting, Subrecipient Monitoring, Special Tests and Provisions – Information Technology – Change Management Federal Agency: U.S. Department of Justice Federal Program Title: Crime Victim Assistance ALN: 16.575 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 15POVC-25-GG-00366-ASSI, 15POVC-24-GG-00728-ASSI, 15POVC-23-GG- 00468-ASSI, 15POVC-22-GG-00468-ASSI, 2020-V2-GX-0040 October 1, 2024 – September 30, 2028, October 1, 2023 – September 30, 2027, October 1, 2022 – September 30, 2026, October 1, 2021 – September 30, 2025, October 1, 2020 – September 30, 2025, October 1, 2019 – September 30, 2024 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Per 2 CFR §200.303(a), Office of the Governor must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the Federal award in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Additionally, 2 CFR §200.303(e) requires taking reasonable cybersecurity and other measures to safeguard information including protected personally identifiable information (PII) and other types of information. Condition: During our review of information technology general controls related to network change management, we noted that the organization does not have a formal, documented change control process governing changes and approvals to the network hardware components and systems. As a result, network changes may not be consistently documented, reviewed, or formally approved. For purposes of this control, network changes include any additions, modifications, or removals affecting the network infrastructure, including but not limited to: • Network hardware (e.g., routers, switches, firewalls, wireless devices) • Network device configurations • Network related software, firmware, or operating system components Questioned costs: None. Context: See “Condition.” Cause: Management is aware of this matter and a draft policy initiative is already underway and targeted for completion during fiscal year 2026. Effect: In the absence of a formal documented change management process, there is an increased risk that unauthorized or untested network changes could adversely impact the confidentiality, integrity, or availability of systems and data. Repeat Finding: No Recommendation: We recommend that management finalize and implement the formal, documented network change management process to ensure all changes to network hardware, configurations, and related software are properly requested, reviewed, approved, tested, and documented. Views of responsible officials: A formal but not documented process has been utilized which requires CIO approval of all changes. A Project was instigated in 2024 to formalize and embed the verbal process into a written process with auditable execution logs. The project is in its final stages
Reporting – Financial, Performance and Special Reporting Federal Agency: U.S. Department of Labor (DOL) Federal Program Title: Unemployment Insurance (UI) ALN: 17.225 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: UI372522255A48, UI380082260A48, UI382492255A48, 23A03UI0389351, 23A60UR000007, 23A60UB000060, 24A55UI000051, 24A55UT000017, 24A60UR000091, 24A60UD000038, 25A55UE000005, 25A60UB000137, 25A60UB000149, 25A60UB000176, 25A60UB000187, 25A60UD000047, 25A55UI000094, 25A55UT000066, 25A60UR000102 October 1, 2021 – December 31, 2024, January 1, 2022 – September 30, 2024, January 1, 2022 – March 31, 2025, October 1, 2022 – December 31, 2025, January 1, 2023 – September 30, 2025, April 1, 2023 – May 22, 2025, October 1, 2023 – December 31, 2026, October 1, 2023 – September 30, 2024, January 1, 2024 – September 30, 2026, May 17, 2024 – May 17, 2027, July 1, 2024 – December 31, 2025, July 1, 2024 – September 30, 2025, July 1, 2024 – September 30, 2025, July 1, 2024 – September 30, 2025, July 9, 2024 – July 9, 2027, October 1, 2024 – December 31, 2027, October 1, 2024 – September 30, 2025, January 1, 2025 – September 30, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: "Per 2 CFR §200.303(a), Texas Workforce Commission (TWC) must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the Federal award in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: During our testing of financial, performance, and special reporting, we identified gaps in TWC’s documentation and oversight of its reporting processes. Specifically, for the ETA 2112 – UI Financial Transaction Summary, we tested three monthly reports, and none contained evidence of review or approval prior to submission. Similarly, for the ETA 9050 – Time Lapse of All First Payments Except Workshare and the ETA 9052 – Nonmonetary Determination Time Lapse Detection performance reports, we tested three monthly submissions for each report type, and all lacked documentation demonstrating that a formal accuracy and completeness review was performed. In addition, our testing of two quarterly ETA 2208A – Quarterly UI Above-Base Reports identified a lack of segregation of duties. For both reports tested, the individual responsible for preparing the report also performed the review function. Questioned costs: None. Context: See “Condition.” Cause: The absence of documented reviews and approvals appears to result from insufficient internal controls over the reporting process, including unclear staff responsibilities. These control gaps contributed to inconsistent application of review procedures and allowed instances where documentation of required oversight did not occur or was performed by the same individual responsible for report preparation. Repeat Finding: No Recommendation: TWC should strengthen internal controls over the reporting process by establishing clear roles and responsibilities for the preparation, review, and approval of all required ETA reports. Management should ensure that each report undergoes a documented, independent review to verify accuracy and completeness before submission. Additionally, TWC should provide targeted training to staff on reporting requirements and internal control expectations to reinforce consistent application of review procedures and prevent situations where the preparer and reviewer are the same individual. Views of responsible officials: Management agrees on the importance of the ETA reports and the accuracy of the information in the reports.
Activities Allowed or Unallowed, Allowable Costs/ Cost Principles, Eligibility, Reporting – Information Technology – User Access Federal Agency: U.S. Department of Veterans Affairs Federal Program Title: Veteran's State Nursing Home Care ALN: 64.015 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: N/A Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Per 2 CFR §200.303(a), The General Land Office (GLO) must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Additionally, 2 CFR §200.303(e) requires taking reasonable cybersecurity and other measures to safeguard information including protected personally identifiable information (PII) and other types of information. Condition: During our assessment of access controls, we noted that while GLO performs user access reviews for accounts with privileged (elevated) access to the network. No periodic user access review is performed for all network users (non‑privileged/general users) within the audit period. As a result, there is no documented verification that standard user accounts retain only appropriate, job‑related access. Questioned costs: None. Context: See “Condition.” Cause: The condition appears to result from policy and process gaps that focus review efforts primarily on privileged accounts, coupled with the absence of a formalized, agency‑wide schedule and procedure for reviewing all network users’ access and retaining evidence of those reviews. Effect: Failure to conduct and document periodic access reviews for all network users increases the risk that: • Excessive or outdated access persists undetected; • Unauthorized access to systems or data may occur; • Potential security, operational, and compliance exposures are elevated. No instances of misuse were identified during our procedures; however, the lack of comprehensive reviews represents a significant control deficiency. Repeat Finding: No Recommendation: We recommend that GLO: • Establish a formal, documented access review program that covers all network users (privileged and non‑privileged) on at least an annual cadence. • Implement standardized templates and a central repository to capture review date, reviewer, population, exceptions identified, and remediation actions taken. • Periodically monitor adherence to the review schedule and report completion status and exceptions to management governance (e.g., IT leadership or an information security committee). Views of responsible officials: Management of the Texas General Land Office (GLO), Information Technology Services (ITS) Department, concurs with the audit finding and agrees that formalizing and documenting a periodic user access review process for all non-privileged network users will further strengthen the agency’s internal control framework and cybersecurity posture in alignment with 2 CFR §200.303 and applicable federal internal control standards.
Procurement and Suspension and Debarment Federal Agency: U.S. Environmental Protection Agency Federal Program Title: Drinking Water State Revolving Fund (DWSRF) ALN: 66.468 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 2521902915 September 1, 2024 - August 31, 2025 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: "Per 2 CFR §200.303(a), Texas Commission on Environmental Quality (TCEQ) must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the Federal award in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR §200.318, the recipient or subrecipient must maintain and use documented procedures for procurement transactions under a federal award or subaward, including for acquisition of property or services. These documented procurement procedures must be consistent with State, local, and tribal laws and regulations and the standards identified in §§ 200.317 through 200.327. Per 2 CFR §200.214, recipients and subrecipients are subject to the non-procurement debarment and suspension regulations implementing Executive Orders 12549 and 12689, as well as 2 CFR part 180. The regulations in 2 CFR part 180 restrict making Federal awards, subawards, and contracts with certain parties that are debarred, suspended, or otherwise excluded from receiving or participating in Federal awards. Condition: Audit procedures included a review of five procurements conducted during the fiscal year to assess whether TCEQ adhered to required procurement procedures and performed vendor eligibility verifications prior to entering into covered transactions. For one procurement, totaling $16,175, the required procurement processes were not followed, and the necessary vendor compliance checks, including verification of suspension and debarment status, were not completed before executing the transaction. Questioned costs: None. Context: See “Condition.” Cause: The procurement was initiated directly by the program area without notifying or coordinating with the Procurement and Contracts Section. Program staff proceeded with the purchase under the assumption that procurement involvement was unnecessary because the selected vendor was the sole provider of the required item. As a result, established procurement procedures and vendor compliance verification processes were not followed. Effect: Failure to follow procurement procedures and complete proper vendor compliance checks prior to entering into a covered transaction may lead to entering contracts with suspended or debarred vendors that could result in noncompliance and questioned costs. Repeat Finding: No Recommendation: TCEQ should provide targeted training to program staff on federal procurement requirements, including the necessity of coordinating all purchases through the P&C Section and completing required vendor compliance checks. Training should emphasize procedures for sole‑source or limited‑source procurements and reinforce staff responsibilities under 2 CFR procurement and internal control standards. Regular refresher sessions and documented guidance will help ensure consistent understanding and adherence to required procurement practices across all program areas. Views of responsible officials: The Financial Administration Division (FAD) will implement the audit’s recommendations. FAD will reinforce the guidance provided through continuous training, documentation, and improved internal controls.
Cash Management, Eligibility, Level of Effort, Earmarking, Period of Performance, Subrecipient Monitoring – Information Technology – User Access Federal Agency: U.S. Department of Education (USDE) Federal Program Title: Career and Technical Education - Basic Grants to States ALN: 84.048 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: V048A220043, V048A230043, V048A240043 July 1, 2022 - September 30, 2023, July 1, 2023 - September 30, 2024, July 1, 2024 - September 30, 2025 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Per 2 CFR §200.303(a), Texas Higher Education Coordinating Board (THECB) must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Additionally, 2 CFR §200.303(e) requires taking reasonable cybersecurity and other measures to safeguard information including protected personally identifiable information (PII) and other types of information. Condition: During testing of access controls, we noted that while THECB performs user access reviews for individuals with network access, the reviews were not documented. The absence of documented evidence prevents verification that the reviews were completed, who performed them, when they were performed, and whether identified issues were appropriately resolved. Questioned costs: None. Context: See “Condition.” Cause: The lack of documented access reviews appears to result from informal review processes and insufficient procedures requiring reviewers to maintain written evidence of the review. Additionally, there may be no standardized template or centralized repository for retention of such documentation. Effect: Without documentation of the network access review, THECB cannot demonstrate that: • Reviews were performed within the applicable audit period • Access rights were validated for appropriateness • Unauthorized or outdated access was identified and removed This lack of documentation increases the risk of unauthorized system access, potential misuse of systems or data, and noncompliance with federal internal control requirements. Repeat Finding: No Recommendation: We recommend that THECB: • Develop and implement a standardized documentation process for all user access reviews, including a required template documenting review date, reviewer identity, scope, results, and remediation actions. • Maintain all documentation in a centralized repository accessible to IT management and audit personnel. • Implement periodic monitoring to ensure reviews are performed timely and documentation is consistently retained. • Consider using automated access review tools to support completeness, timeliness, and auditability of reviews. Views of responsible officials: THECB ITS agrees with the finding.
Reporting – ACF-196R Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Temporary Assistance for Needy Families (TANF) ALN: 93.558 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 2401TXTANF October 1, 2023 – September 30, 2024 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR §200.303(a), Health and Human Services Commission (HHSC) must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the Federal award in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Pursuant to 45 CFR §265.3(a)(1) each State must collect on a monthly basis, and file on a quarterly basis, the data specified in the TANF Data Report and the TANF Financial Report (or, as applicable, the Territorial Financial Report). More specifically, Form ACF-196R is used by States administering the Temporary Assistance for Needy Families (TANF) program to report quarterly expenditure data and to request quarterly grant funds. The ACF-204 report (Annual Report on State Maintenance-of-Effort Programs) must be completed and submitted in accordance with the requirements at 45 CFR §265.9(c). The report includes several line items that contain critical information, including “Total State MOE Expenditures.” Input for the Total State MOE expenditures line item is provided by the Texas Education Agency (TEA), the Texas Workforce Commission (TWC), and HHSC. The MOE amounts in the ACF-204 report are to agree to the amounts in the final ACF-196R report. For the FY2024 ACF-196R report, the contributing agencies reported State MOE expenditures on various line items including but not limited to: HHSC – Line 6a (Basic Assistance (excluding Relative Foster Care Maintenance Payments and Adoption and Guardianship Subsidies) TEA – Line 11b (Pre-Kindergarten/Head Start) Condition: All key line items in the FY 2024 ACF‑204 report were tested and agreed to supporting documentation without exception. However, the Total State Maintenance of Effort (MOE) Expenditures reported in the ACF‑204 by HHSC and the Texas Education Agency (TEA) did not reconcile to the amounts reported in the ACF‑196R as shown below: Amounts reported in the ACF‑204 were accurate and supported; the variances occurred because the ACF‑196R reflected higher MOE expenditures than those reported on the ACF‑204. Questioned costs: None. Context: See “Condition.” Cause: The variance in line 11b was due to miscommunication between the relevant HHSC personnel regarding revisions to an initial submission. The variance in line 6a was due to the HHSC Federal Reporting Team incorrectly including period 1 of 2025 in the MOE calculation. The agency did not perform a complete reconciliation between the ACF‑204 and ACF‑196R prior to submission, resulting in inconsistent MOE reporting across the required reports. Effect: Inaccurate or inconsistent reporting of MOE expenditures increases the risk of noncompliance with federal reporting requirements under 2 CFR §200.302 (financial management) and 2 CFR §200.329 (performance and financial reporting). These discrepancies may impair the federal awarding agency’s ability to evaluate program performance, assess State MOE compliance, and rely on the accuracy of reported financial information. Repeat Finding: No. Recommendation: HHSC should strengthen their financial reporting controls to ensure consistency between the ACF‑204 and ACF‑196R reports. Specifically, the agency should implement a formal reconciliation process that: • Compares all MOE expenditure amounts reported on the ACF‑204 to those reported on the ACF‑196R prior to submission; • Requires documented review and approval of the reconciliation by management; and • Ensures any discrepancies are researched, resolved, and corrected before the reports are finalized. Views of responsible officials: HHSC concurs with the recommendation.
Special Tests and Provisions – Child Support Non-Cooperation Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Temporary Assistance for Needy Families (TANF) ALN: 93.558 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 2401TXTANF, 2501TXTANF October 1, 2023 – September 30, 2024, October 1, 2024 – September 30, 2025 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR §200.303(a), Health and Human Services Commission (HHSC) must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the Federal award in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 42 U.S.C 608 (a)(2), if the agency responsible for administering the State plan approved under part D determines that an individual is not cooperating with the State in establishing paternity or in establishing, modifying, or enforcing a support order with respect to a child of the individual, and the individual does not qualify for any good cause or other exception established by the State pursuant to section 654(29) of this title, then the State: (1) shall deduct from the assistance that would otherwise be provided to the family of the individual under the State program funded under this part an amount equal to not less than 25 percent of the amount of such assistance; and (2) may deny the family any assistance under the State program. The State’s policy is to reduce benefits 100% for non-cooperation. HHSC policy requires that when the Office of the Attorney General (OAG) identifies a TANF recipient who has failed to cooperate with child support requirements, OAG must notify HHSC within seven days of the non‑cooperation date. Upon receipt, HHSC must apply the sanction within five working days. Condition: A sample of 40 TANF beneficiaries who were reported as non‑cooperating with program requirements during fiscal year 2025 was selected for testing. Two instances of untimely sanction application were identified: • One case in which HHSC reduced benefits one month late, resulting in an overpayment of $320. • One case in which HHSC reduced benefits two months late, resulting in an overpayment of $890. Questioned costs: $1,210 Context: See “Condition.” Cause: HHSC’s internal controls did not consistently ensure timely processing of sanctions upon receipt of non‑cooperation referrals from OAG. Existing monitoring and workflow procedures were insufficient to detect or prevent delays in applying benefit reductions. Effect: Failure to apply sanctions within required timeframes can lead to inaccurate benefit issuance, questioned costs, and weakened program integrity. Repeat Finding: No. Recommendation: HHSC should strengthen internal controls over the processing of TANF non‑cooperation sanctions to ensure timely application in accordance with program requirements. Specifically, HHSC should: • Implement an automated or workflow‑based tracking mechanism to monitor the timeliness of sanctions received from OAG. • Provide refresher training to eligibility staff on timely sanction procedures and the importance of preventing improper payments. Views of responsible officials: HHSC concurs with the recommendation.
Special Tests and Provisions – Penalty for Failure to Comply with Work Verification Plan Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Temporary Assistance for Needy Families (TANF) ALN: 93.558 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 2401TXTANF, 2501TXTANF October 1, 2023 – September 30, 2024 and October 1, 2024 – September 30, 2025 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR §200.303(a), Texas Workforce Commission (TWC) must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the Federal award in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 45 CFR §261.60(a)-(c), a State must report the actual hours that an individual participates in an activity. It is not sufficient to report the hours an individual is scheduled to participate in an activity. For unsubsidized employment, subsidized employment, and on-the-job training, the State may report projected actual hours of employment participation for up to six months based on current, documented actual hours of work. Any time the State receives information that the client's actual hours of work have changed, or no later than the end of any six-month period, the agency must re-verify the client's current actual average hours of work and may report these projected actual hours of participation for another six-month period. Condition: Audit procedures included independently recalculating average work participation hours for a sample of 40 TANF cases and comparing those results to the hours reported to the U.S. Department of Health and Human Services on the ACF‑199 report. For one of the 40 cases tested, the recalculated average work hours did not agree with the hours reported on the ACF‑199. This discrepancy resulted in a net overstatement of 9 hours on the ACF‑199 report. Questioned costs: No. Context: See “Condition.” Cause: The variance in reported hours for the affected case resulted from a system processing error by the third‑party vendor. During extraction from the WorkInTexas (WIT) system, TWC’s case management system, and file creation for transmission to HHSC, certain hour entries were inadvertently duplicated, leading to the double‑counting of participation hours and, consequently, an overstatement in the ACF‑199 reporting. Effect: Inaccurate reporting of work participation hours affects the reliability of the State’s TANF data submitted to the federal government and may compromise the accuracy of the State’s calculated work participation rates. Such reporting inaccuracies increase the risk of noncompliance with federal work verification requirements and may expose the State to potential penalties if similar errors are systemic or not promptly addressed. Repeat Finding: No. Recommendation: TWC, in coordination with the system vendor, should strengthen controls over the extraction, translation, and transmission of work participation hour data used in the ACF‑199 report. Specifically, TWC should: • Require the third-party vendor to implement system safeguards that prevent the duplication of hour entries during data extraction from the WIT system and subsequent file creation. • Establish automated validation checks to detect anomalies such as duplicate lines, unexpected variances, or irregular hour totals prior to ingesting vendor files into TWC systems. • Enhance supervisory review procedures to ensure that data received from third‑party vendors is reconciled to source records and verified for completeness and accuracy before inclusion in federal reporting. Views of responsible officials: TWC’s Divisions of Workforce Development, Information Technology, and Information, Innovation and Insight agree with the recommendations.
Cash Management – Cash Management Improvement Act Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Low-Income Home Energy Assistance Program (LIHEAP) ALN: 93.568 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 2301TXLIEA, 2301TXLIEE, 2401TXLIEA, 2401TXLIEI, 2501TXLIEA, 2501TXLIEI October 1, 2022 – September 30, 2024, October 1, 2023 – September 30, 2025, October 1, 2024 – September 30, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR §200.303(a), the Texas Department of Housing and Community Affairs (TDHCA) must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the Federal award in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 31 CFR §205.20, states use clearance patterns to project when funds are paid out, given a known dollar amount and a known date of disbursement. A state must ensure that clearance patterns meet the following standards: (a) A clearance pattern must be auditable. (b) A clearance pattern must accurately represent the flow of Federal funds under the Federal assistance programs to which it is applied. (c) A clearance pattern must include seasonal or other periodic variations in clearance activity. (d) A clearance pattern must be based on at least three consecutive months of disbursement data, unless additional data is required to accurately represent the flow of Federal funds. (e) If a State uses statistical sampling to develop a clearance pattern, the sample size must be sufficient to ensure a 96 percent confidence interval no more than plus or minus 0.25 weighted days above or below the estimated mean. (f) A clearance pattern must extend, at a minimum, until 99 percent of the dollars in a disbursement have been paid out for Federal assistance program purposes. (g) We and a State may agree to other procedures, such as estimates to project when funds are paid out when the dollar amount and/or the timing of disbursements are not known. Condition: The LIHEAP program is included in the Treasury-State Agreement effective for the fiscal year ending August 31, 2025, and it meets the threshold for inclusion under the Cash Management Improvement Act (CMIA). As such, TDHCA is required to prepare Period 1 clearance pattern calculations supported by verifiable disbursement data to ensure federal funds are drawn in accordance with the program’s required average clearance pattern of three days. TDHCA did not prepare a Period 1 clearance pattern calculation for LIHEAP based on at least three consecutive months of disbursement data as required. Although the Treasury-State Agreement specifies a three‑day average clearance pattern for the program, TDHCA did not maintain or provide documentation supporting how this clearance pattern was developed. As a result, the clearance pattern was not auditable, and we were unable to determine whether TDHCA’s practices for drawing federal funds aligned with the CMIA requirements. Questioned costs: None. Context: See “Condition.” Cause: Management noted their clearance pattern reflected their established funding techniques and prior reports; therefore, they overlooked the specific Treasury-State Agreement documentation requirements. Effect: Although we were able to perform testing over TDHCA’s cash management practices for LIHEAP and concluded that no federal interest was earned as a result of timing differences, the absence of a documented Period 1 clearance pattern calculation prevented us from validating the accuracy of the three‑day clearance pattern prescribed in the Treasury–State Agreement. Without an auditable calculation, TDHCA cannot demonstrate that the established clearance pattern is supported by actual disbursement data, which limits assurance that the methodology used for federal draws fully complies with CMIA requirements. Repeat Finding: No Recommendation: TDHCA should establish and implement procedures to ensure that a Period 1 clearance pattern calculation is completed and retained for LIHEAP in accordance with CMIA and Treasury–State Agreement requirements. This calculation should be based on at least three consecutive months of actual disbursement data and documented in a manner that is readily auditable. TDHCA should also provide training to staff responsible for CMIA compliance to ensure they are aware of the requirement to prepare and maintain this calculation. Views of responsible officials: The Texas Department of Housing and Community Affairs acknowledges and agrees with the finding.
Reporting – Quarterly Performance and Management Report Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Low-Income Home Energy Assistance Program (LIHEAP) ALN: 93.568 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 2501TXLIEI October 1, 2024 – September 30, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR §200.303(a), the Texas Department of Housing and Community Affairs (TDHCA) must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the Federal award in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 45 CFR §96.82(a), each grantee which is a State or an insular area which receives an annual allotment of at least $200,000 shall submit to the Department, as part of its LIHEAP grant application, the data required by section 2605(c)(1)(G) of Public Law 97-35 (42 U.S.C. 8624(c)(1)(G)) for the 12-month period corresponding to the Federal fiscal year (October 1-September 30) preceding the fiscal year for which funds are requested. The data shall be reported separately for LIHEAP heating, cooling, crisis, and weatherization assistance. Key Line Items containing critical information include: 1. Section 1 – Total Households Assisted 2. Section 2 – Performance Management 3. Section 3 – Estimated Use of Funds 4. Section 4 – LIHEAP Program Implementation and Support Condition: As part of our testing of the Quarterly Performance and Management Report for award 2501TXLIEI, we selected 2 of the 4 reports submitted during the fiscal year. During our review, we identified a discrepancy in the quarter 1 report (October 1 – December 31). The report stated that $159,463,428 in LIHEAP funds had been obligated by funding source in Section 3 – Estimated Use of Funds; however, supporting documentation reflected obligated funds totaling $174,447,109, resulting in a variance of $(14,983,681). Questioned costs: None. Context: See “Condition.” Cause: An error was made when TDHCA staff entered the amount of funds obligated into the report, and existing internal controls did not detect the error before the report was submitted to U.S. Department of Health and Human Services (HHS) Effect: Inaccurate reporting may lead to misstated financial information at the federal level, hinder management’s ability to make informed decisions, and could affect federal oversight and monitoring of program activity. These discrepancies increase the risk of noncompliance with federal reporting requirements and may impact the integrity of cumulative statewide LIHEAP reporting. Repeat Finding: No Recommendation: We recommend that TDHCA strengthen its review and reconciliation procedures for quarterly LIHEAP reporting to ensure that amounts reported are fully supported by accurate and complete documentation. This should include implementing a formal review process that requires verification of reported obligation amounts against source records prior to submission, as well as enhanced training for staff responsible for report preparation. Views of responsible officials: The Texas Department of Housing and Community Affairs acknowledges and agrees with the finding.
Activities Allowed or Unallowed, Allowable Costs/ Cost Principles, Cash Management, Eligibility, Period of Performance, Reporting, Subrecipient Monitoring – Information Technology – User Access Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Temporary Assistance for Needy Families Social Services Block Grant ALN: 93.558 93.667 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: Temporary Assistance for Needy Families 2401TXTANF, 2501TXTANF October 1, 2023 - September 30, 2024, October 1, 2024 - September 30, 2025 Social Services Block Grant 2301TXSOSR, 2401TXSOSR, 2501TXSOSR October 1, 2022 - September 30, 2024, October 1, 2023 - September 30, 2025, October 1, 2025 - September 30, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Per 2 CFR §200.303(a), the Department of Family and Protective Services (DFPS) must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Additionally, 2 CFR §200.303(e) requires taking reasonable cybersecurity and other measures to safeguard information including protected personally identifiable information (PII) and other types of information. Condition: During testing of user access termination controls, we identified two instances, out of a sample of 25 terminated users, in which individuals were not removed from the Network and IMPACT in a timely manner. In both cases, the users’ accounts remained active well beyond their documented termination dates, resulting in unauthorized active credentials during the post‑termination period. The two exceptions were as follows: User A: Termination date 11/05/2024; access not removed until 11/22/2024. User B: Termination date 11/17/2024; access not removed until 02/20/2025. Questioned costs: None. Context: See “Condition.” Cause: The delays appear to be the result of breakdowns in the coordination between HR separation processes and IT access revocation procedures, including delays in communication or gaps in the automated termination workflow. Effect: Failure to remove user access promptly increases the risk of: • Unauthorized access to confidential or sensitive information; • Potential manipulation, loss, or misuse of program data; • Increased exposure to operational and security risks. Although no misuse of access was identified, the presence of active credentials after termination represents a significant control deficiency. Repeat Finding: No Recommendation: We recommend DFPS: • Strengthen coordination between HR and IT functions to ensure immediate notification upon employee separation. • Implement automated workflows that disable all user access promptly upon termination. • Conduct periodic reconciliations of HR separation lists against active user accounts to detect and remove any lingering access. • Enhance monitoring controls, including reporting dashboards or alerts triggered when access is not removed within a defined timeframe. Views of responsible officials: Management agrees with the findings.
Reporting – Post-Expenditure Report Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Social Services Block Grant ALN: 93.667 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 2401TXSOSR October 1, 2023 – September 30, 2025 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR §200.303(a), Health and Human Services Commission must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the Federal award in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The 42 USC 1397e requires states and territories to submit to the federal administering agency, the Office of Community Services, an annual Post Expenditure Report no later than six months following the close of the fiscal year. The report includes certain critical key line information including: • TANF Funds Transferred into SSBG –Amount reported on this line item should be consistent with the TANF federal financial report (ACF-196R). The Federal Funds Office (FFO) is responsible for the completeness, accuracy, and timely submission of the Post Expenditure Report. Federal Reporting Fiscal Management personnel are responsible for proper reporting and submission of the ACF-196R Report. Condition: During testing of key line items for the FY2024 Post Expenditure Report submitted in March 2025, we noted that TANF Funds Transferred into SSBG was reported as $41,623,634. However, the amount reported on the ACF-196R report was $38,778,521, resulting in a variance of $2,845,113. Questioned costs: None Context: See “Condition.” Cause: FFO did not properly coordinate efforts with the Federal Reporting personnel to ensure the amounts noted on the ACF-196R report were consistent with the amount on the Post Expenditure Report. Effect: Improperly designed internal controls over reporting may result in a misstatement of amounts reported on federal reports. Repeat Finding: 2023-013, 2024-008 Recommendation: We recommend the FFO coordinate with the appropriate Federal Reporting Team personnel regarding amounts noted for the TANF Funds Transferred into SSBG to ensure the amount in the Post Expenditure Report matches with the amount in the ACF-196R. Views of responsible officials: HHSC concurs with the recommendation.
Earmarking – Administrative Expenses Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Block Grants for Community Mental Health Services ALN: 93.958 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 1B09SM087322 October 17, 2022 – October 16, 2024 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR §200.303(a), Health and Human Services Commission (HHSC) must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the Federal award in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 42 U.S.C 300x-5(b), a funding agreement for a grant under section 300x of this title is that the State involved will not expend more than 5 percent of the grant for administrative expenses with respect to the grant. Condition: HHSC expended $1,069,086 of the total grant award amount of $3,690,918 as of the end of the project period. Administrative expenditures for the grant totaled $54,672, which represents 5.11 percent of the federal funds expended, exceeding the allowable 5 percent threshold. Questioned costs: $1,217. Context: See “Condition.” Cause: The overage resulted from a delay in the grant’s start date, which subsequently postponed the initiation of related projects and led to lower overall expenditures. Effect: By exceeding the 5 percent administrative cap, HHSC did not comply with the statutory limitation on administrative costs, resulting in unallowable administrative expenditures charged to the grant. This noncompliance may require reimbursement to the federal agency and increases the risk of future questioned costs. Repeat Finding: No Recommendation: We recommend HHSC make necessary adjustments to federal expenditures in the event of program delays to ensure the agency stays within required percentage maximums. Views of responsible officials: HHSC concurs with the recommendation.
Earmarking – Evidence Based Programs Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Block Grants for Community Mental Health Services ALN: 93.958 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 1B09SM085385 September 1, 2021 – March 24, 2025 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Noncompliance Criteria or specific requirement: Per 42 USC 300x-9(c), (1) except as provided in paragraph (2), a State shall expend not less than 10 percent of the amount the State receives for carrying out this section for each fiscal year to support evidence-based programs (EBP) that address the needs of individuals with early serious mental illness (ESMI), including psychotic disorders, regardless of the age of the individual at onset. (2) In lieu of expending 10 percent of the amount the State receives under this section for a fiscal year as required under paragraph (1), a State may elect to expend not less than 20 percent of such amount by the end of such succeeding fiscal year. Condition: HHSC expended $4,114,245 on evidence‑based programs related to ESMI out of $86,184,653 in total grant expenditures as of the end of the project period, representing 4.77% of total expenditures. This percentage is below the required 10% annual EBP set‑aside and also does not meet the 20% by the end of the succeeding fiscal year alternative as the grant ended March 24, 2025. Consequently, expenditures under this award did not meet statutory EBP set‑aside requirements. Questioned costs: Unknown. Context: See “Condition.” Cause: The noncompliance occurred because the grant was abruptly terminated by the federal government on March 24, 2025, approximately six months earlier than the original end date of September 30, 2025. The early termination limited HHSC’s ability to fully implement planned activities and make the remaining expenditures necessary to meet the statutory minimum EBP set‑aside requirement. Had the grant period continued as originally awarded, HHSC may have had sufficient time to achieve the required expenditure level. Effect: Because the grant was terminated earlier than anticipated, HHSC was unable to expend the statutorily required minimum amount on evidence‑based programs for early serious mental illness. As a result, HHSC did not meet the expenditure requirements under 42 U.S.C. § 300x‑9(c), creating a condition of federal noncompliance. This may expose HHSC to potential corrective actions by the federal awarding agency and limits assurance that the intended level of evidence‑based services for individuals with early serious mental illness was fully delivered during the grant period. Repeat Finding: No Recommendation: HHSC should consider formally requesting a waiver or exception from the federal awarding agency for the unmet evidence‑based program expenditure requirement, given that the early termination of the grant was outside the agency’s control and materially limited its ability to meet the statutory set‑aside. In addition, HHSC should document the impact of the shortened project period, including planned but unspent EBP activities, to support the waiver request. Seeking this relief will help ensure that HHSC is not penalized for circumstances beyond its control and will provide federal officials with the necessary context to evaluate compliance in light of the unexpected grant termination. Views of responsible officials: HHSC concurs with the recommendation.
Subrecipient Monitoring – Missing Contract Elements Federal Agency: U.S. Department of Education U.S. Department of Health and Human Services Federal Program Title: Special Education – Grants for Infants and Families Temporary Assistance for Needy Families (TANF) Block Grants for Prevention and Treatment of Substance Abuse ALN: 84.181 93.558 93.959 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: Special Education – Grants for Infants and Families H181A200171, H181A210171, H181A220171, H181A230171, H181A240171, H181A250171 July 1, 2020 – September 30, 2021, July 1, 2021 – September 30, 2022, July 1, 2022 – September 30, 2023, July 1, 2023 – September 30, 2024, July 1, 2024 – September 30, 2025, July 1, 2025 – September 30, 2026 TANF 2001TXTANF, 2101TXTANF, 2201TXTANF, 2301TXTANF, 2401TXTANF and 2501TXTANF October 1, 2019 – September 30, 2020, October 1, 2020 – September 30, 2021, October 1, 2021 – September 30, 2022, October 1, 2022 – September 30, 2023, October 1, 2023 – September 30, 2024 and October 1, 2024 – September 30, 2025 Block Grants for Prevention and Treatment of Substance Abuse 1B08TI083969, 1B08TI084609, 1B08TI083054, 1B08TI083478, 1B08I084673, 1B08TI085835, 1B08TI087067, 1B08TI088134 September 1, 2021 – March 24, 2025, September 1, 2021 – March 24, 2025, October 1, 2019 – September 30, 2021, October 1, 2020 – September 30, 2022, October 1, 2021 – September 30, 2023, October 1, 2022 – September 30, 2024, October 1, 2023 – September 30, 2025, October 1, 2024 – September 30, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR §200.303(a), Health and Human Services Commission must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the Federal award in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR §200.332(a), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the certain required information provided. A pass-through entity must provide the best available information when some of the required information is unavailable. A pass-through entity must provide the unavailable information when it is obtained. Required information includes the subrecipient’s unique entity identifier (UEI), assistance listings numbers (ALN), and title of the program. Condition: Audit procedures included a review of subaward agreements for required information. We noted the following instances of noncompliance: Special Education – Grants for Infants and Families (SEGIF) –The UEI was not included in the base subaward agreement for seven of the eight agreements selected for testing. The last amendment to the original agreement included the UEI number, however, it did not reference the ALN and title of the program. The start and end dates for the agreements were September 1, 2020 – August 31, 2025. Temporary Assistance for Needy Families – The ALN and title of the program was not included in four of the seven subaward agreements selected for testing. The start and end dates for the agreements were September 1, 2020 – August 31, 2025. Block Grants for Prevention and Treatment of Substance Abuse –The UEI was not included in one of the 18 agreements selected for testing. The start and end dates for the agreement was September 1, 2020 – August 31, 2025. Questioned costs: None. Context: See “Condition.” Cause: The current contract review process to ensure all required elements are included per 2 CFR §200.332 prior to execution is not at the correct precision level. Effect: Because required subaward information was omitted, HHSC increased the risk that subrecipients were not fully informed of the federal award details necessary to properly administer the funds in compliance with the applicable statutes, regulations, and award terms. Missing UEI, ALN, and program titles may impede subrecipients’ ability to accurately identify the federal program, appropriately report activities, and meet federal requirements, including those related to financial management, performance, subrecipient monitoring, and audit preparation. Repeat Finding: No Recommendation: We recommend management enhance existing controls around the review of all subaward agreements to ensure that all pass-through agreements include each of the required elements noted in 2 CFR §200.332. Views of responsible officials: HHSC concurs with the recommendation.
Level of Effort - Supplement not Supplant Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Aging Cluster ALN: 93.044, 93.045, 93.053 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 2201TXOASS, 2201TXOANS, 2201TXOACM, 2201TXOAHD October 1, 2021 – September 30, 2024 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR §200.303(a), Health and Human Services Commission must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the Federal award in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 45 CFR §1321.9(c)(2)(xvi), funds awarded under Title III of the Older Americans Act for services provided under section 321(d) (42 U.S.C 3030d(d)) must be used to supplement, not supplant existing Federal, State, and local funds expended to support those activities. Condition: A comparison of supportive services and senior center funding between fiscal years 2023 and 2024 showed that total service levels increased by approximately 5 percent, rising from $40,354,713 in FY2023 to $42,267,130 in FY2024. During the same period, federal expenditures increased by 8 percent, from $31,170,863 to $33,755,005, while non‑federal expenditures decreased by 7 percent, from $9,183,850 to $8,512,125. Because the increase in federal funding outpaced the increase in total services, and was accompanied by a reduction in non‑federal contributions, federal funds effectively replaced rather than supplemented state or other non‑federal resources. Accordingly, HHSC supplanted non‑federal funds with federal funds for the 2024 grant. To quantify the financial impact, total services increased by 5 percent; therefore, the federal contribution would be expected to increase proportionally by 5 percent. Applying a 5 percent growth rate to the FY2023 federal amount of $31,170,863 yields an expected level of $32,729,406 for FY2024. However, actual federal expenditures totaled $33,755,005, resulting in excess federal funding of $1,025,599 beyond what would be needed to support the observed service increase. Questioned costs: $1,025,599. Context: See “Condition.” Cause: HHSC has followed supplement not supplant policies and procedures that were implemented based on compliance with total level of services (i.e., all services) and not specifically for supportive services and senior centers, as required. Effect: HHSC has supplanted non-federal funds used for supportive services and senior centers, resulting in questioned costs and noncompliance. Repeat Finding: No Recommendation: HHSC should revise existing policies and procedures to ensure they are not supplanting nonfederal funds specifically related to supportive services and senior centers. Views of responsible officials: HHSC concurs with the recommendation.
Reporting – FFATA Subawards Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Aging Cluster Temporary Assistance for Needy Families (TANF) Social Services Block Grant Block Grants for Community Mental Health Services Block Grants for Prevention and Treatment of Substance Abuse ALN: 93.044, 93.045, 93.053 93.558 93.667 93.958 93.959 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: Aging Cluster 2101TXSSC6, 2101TXCMC6, 2101TXHDC6, 2201TXOASS, 2201TXOANS, 2201TXOACM, 2201TXOAHD, 2201TXSTPH, 2301TXOAHD, 2301TXOACM, 2301TXOASS, 2301TXOANS, 2401TXOACM, 2401TXOAHD, 2401TXOANS, 2401TXOASS, 2501TXOASS, 2501TXOAHD, 2501TXOACM, 2501TXOANS April 1, 2021 – September 30, 2025, October 1, 2021 – September 30, 2024, January 1, 2022 – September 30, 2024, October 1, 2022 – September 30, 2025, October 1, 2023 – September 30, 2025, October 1, 2024 – September 30, 2026 TANF 2401TXTANF and 2501TXTANF October 1, 2023 – September 30, 2024, October 1, 2024 – September 30, 2025 Social Services Block Grant 2301TXSOSR, 2401TXSOSR, 2501TXSOSR October 1, 2022 – September 30, 2024, October 1, 2023 – September 30, 2025, October 1, 2024 – September 30, 2026 Block Grants for Community Mental Health Services 1B09SM085913, 1B09SM085385, 1B09SM087345, 1B09SM087322, 1B09SM089380, 1B09SM089610, 1B09SM089984 September 1, 2021 – March 24, 2025, October 1, 2022 – September 30, 2024, October 17, 2022 – October 16, 2024, September 30, 2023 – September 29, 2025, October 1, 2023 – September 30, 2025, September 30, 2024 – September 29, 2026 Block Grants for Prevention and Treatment of Substance Abuse 1B08TI083969, 1B08TI084609, 1B08TI085835, 1B08TI087067, 1B08TI088134 September 1, 2021 – March 24, 2025, September 1, 2021 – March 24, 2025, October 1, 2022 – September 30, 2024, October 1, 2023 – September 30, 2025, October 1, 2024 – September 30, 2026 Nonmajor programs Opioid STR 6H79TI083288, 5H79TI085747 September 30, 2020 – September 29, 2023, September 30, 2022 – September 29, 2024 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria or specific requirement: Per 2 CFR §200.303(a), Health and Human Services Commission must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the Federal award in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109- 282), as amended by Section 6202 of Public Law 110-252, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) no later than the last day of the month following the month in which the subaward/subaward amendment obligation was made or the subcontract award/subcontract modification was made. As of March 8, 2025, fsrs.gov was retired, and all subaward reporting data and functionality are now on SAM.gov. Condition: The HHSC Federal Funds Office (FFO) is responsible for submitting all required subawards on FSRS.gov or SAM.gov. A standard FFATA Reporting template has been created by the FFO that includes all required elements to be submitted. Program departments must complete and submit the template to the FFO for all federal subawards with amounts over $30,000 by the 15th of every month to be included in that month’s submission. Currently, it is the responsibility of the individual program departments to ensure that each obligation at or over $30,000 is reported in the FFATA Reporting Template no later than the end of the next month in which the obligation was made. Due to system limitations, there is no central tracking of award obligations. Thus, HHSC was unable to provide a population of first-tier subawards of $30,000 or more that were obligated during the fiscal year and required to be submitted in FSRS.gov or SAM.gov. Accordingly, we were unable to select a sample and test for internal controls over compliance or compliance. Questioned costs: None. Context: See “Condition.” Cause: CAPPS-FIN, HHSC’s system of record, does not have the capability to track the date of obligation of federal awards. Effect: Failure to report all subawards $30,000 or greater in FSRS will result in noncompliance with terms of the federal grant guidelines. Repeat Finding: 2024-005, 2023-010, 2022-013, 2021-007 Views of responsible officials: HHSC concurs with the recommendation.
Special Provisions- Fraud Detection and Repayment Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Child Care and Development Cluster (CCDF) ALN: 93.489, 93.575, 93.596 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 2101TXCDC6, 2201TXCCDD, 2201TXCCDF, 2301TXCCDF, 2301TXCCDD, 2501TXCCDF, 2401TXCCDM, 2401TXCCDF, 2401TXCCDD, 2501TXCCDD, 2501TXCCDM, 2501TXCCDY October 1, 2020 – September 30, 2024, October 1, 2021 – September 30, 2024, October 1, 2022 – September 30, 2025, October 1, 2023 – September 30, 2025, October 1, 2023 – September 30, 2026, October 1, 2024 – September 30, 2026, October 1, 2024 – September 30, 2027, and December 21, 2024 – September 30, 2028. Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR §200.303(a), Texas Workforce Commission (TWC) must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the Federal award in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 45 CFR §98.60(i), Lead Agencies shall recover childcare payments that are the result of fraud. These payments shall be recovered from the party responsible for committing fraud. In order to identify and recover payments, pursuant to TWC’s Childcare Services Guide (November 2024), section G.600: Recovery of Improper Payments, Local Workforce Development Boards (Boards) must attempt recovery of all improper payments. TWC must not pay for improper payments. Board recovery of improper payments must be managed in accordance with TWC policies and procedures. Condition: According to the TWC Division of Fraud Deterrence and Compliance Monitoring’s Standard Operating Procedures for Workforce Board PIRTS Audits, when a Workforce Development Board identifies an improper payment, the Board is required to issue a Notice of Determination informing the participant of their ineligibility, the amount and time period of the improper payment, and the reason for the determination. If the improper payment results from fraud, the Board must issue a first collection letter within 30 days of sending the determination notice to initiate recoupment of the ineligible amount. If repayment is not received or an active payment plan is not established, the Board must issue a final collection letter and refer the participant to TWC for a warrant hold, which restricts the individual from receiving future services until the outstanding amount is recovered. All correspondence is to be documented and maintained in the Program Integrity Reporting Tracking System (PIRTS), the system used by Boards to report and track childcare fact‑finding, fraud determinations, and recoupment activities. As part of our audit procedures, we tested 40 of the 297 closed cases reported to TWC in fiscal year 2025 to verify that TWC followed its procedures related to authenticating that a payment was fraudulent and subsequently recovered payment, if applicable. Of the 40 cases tested, 12 cases did not follow the prescribed procedures and lacked evidence that the Workforce Boards issued the required 1st collection letter within the 30‑day timeframe. Questioned costs: None. Context: See “Condition.” Cause: The exceptions identified occurred because TWC did not provide adequate oversight or monitoring of Workforce Board compliance with established PIRTS procedures. Without routine monitoring, follow‑up, or enforcement mechanisms to ensure Boards issued collection letters within required timeframes, lapses in adherence to the 30‑day requirement went undetected. This lack of oversight contributed to inconsistent application of required fraud‑recovery processes across Boards. Effect: Failure to ensure that Workforce Development Boards issued required first collection letters within the prescribed 30‑day timeframe impeded timely initiation of recoupment efforts for fraudulent childcare payments. This condition increases the risk that improper payments resulting from fraud may not be recovered in a timely manner and that individuals with outstanding fraudulent overpayments may continue to seek or receive services. Repeat Finding: No Recommendation: TWC should strengthen its oversight of Workforce Board compliance with PIRTS requirements by implementing routine monitoring procedures to verify that Boards issue first collection letters within the required 30‑day timeframe. This may include periodic reviews of PIRTS documentation, automated tracking or alerts for timeliness, and follow‑up with Boards when deadlines are missed. Additionally, TWC should provide guidance or refresher training to reinforce expectations and ensure consistent application of improper payment recovery procedures across all Boards. Strengthening these oversight mechanisms will help reduce the risk of delayed collection efforts and improve adherence to established fraud‑deterrence processes. Views of responsible officials: The Texas Workforce Commission (TWC) acknowledges and agrees with the finding and concurs with the recommendation. TWC’s Division of Fraud Deterrence and Compliance Monitoring’s Office of Investigations (FDCM/OI) oversees all matters related to fraud, waste, and abuse with respect to Federal programs TWC passes to its subrecipients, primarily the 28 local workforce development boards (Board). This includes the subsidized childcare program provided for in the above-cited Federal awards. FDCM/OI has historically maintained rigorous internal controls to address fraud in all programs. Additionally, TWC’s Subrecipient Monitoring Department (SRM) tests Board compliance with respect to childcare improper payment reporting and recoupment. TWC currently conducts routine monitoring and follow-up to ensure Boards issue collections letters in a timely fashion. That being said, TWC does agree that our objectives would be better served with more robust measures. Currently, FDCM/OI investigators review a sample of PIRTS reports on a monthly basis to ensure that Boards are uploading all required documentation related to childcare improper payments and undertaking collection efforts. Investigators review two randomly selected cases for each Board per month on a rolling basis for the prior three months. FDCM/OI also conducts periodic PIRTS training and retraining with Board staff. Additionally, the PIRTS system sends automated reminder notifications for Board staff to issue collection letters. FDCM/OI realizes the importance of issuing collection letters in a timely matter. Doing so not only increases the likelihood that important child care funds are remitted, but also assists with additional enforcement activities including prosecution of substantiated fraud. FDCM/OI takes the integrity of child care funds very seriously and will aid prosecution where appropriate.
Special Tests and Provisions – ADP Risk Analysis and System Security Review Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Medicaid Cluster CFDA Number: 93.775, 93.777, 93.778 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 2405TXIMPL, 2405TX5000, 2505TXPACT, 2505TX5000, 2405TX5001, 2505TX5021, 2505TX5MAP, 2505TX5ADM October 1, 2023 – September 30, 2024, October 1, 2023 – September 30, 2024, October 1, 2024 – September 30, 2024, October 1, 2024 – September 30, 2025, July 1, 2024 – September 30, 2024, October 1, 2023 – September 30, 2025, October 1, 2024 – December 31, 2024, October 1, 2024 – December 31, 2024 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR §200.303(a), Health and Human Services Commission (HHSC) must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the Federal award in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 45 CFR §95.621, State agencies must establish and maintain a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. State agencies must perform risk analyses whenever significant system changes occur. State agencies shall review the ADP system security installations involved in the administration of Health and Human Services (HHS) programs on a biennial basis. At a minimum, the reviews shall include an evaluation of physical and data security operating procedures and personnel practices. The State agency shall maintain reports on its biennial ADP system security reviews, together with pertinent supporting documentation, for HHS on-site reviews. Condition: HHSC maintains a total of 35 in-house and third-party systems that are used in the administration of Medicaid, which are required to be reviewed each biennial period. During the fiscal year 2024-2025 biennial, only 15 risk assessments were executed based on internal methodology or third-party assessments. HHSC did not perform risk assessments over the remaining 20 systems during the two-year period. Questioned costs: None Context: See “Condition.” Cause: HHSC is not adhering to it’s current policies and procedures regarding completion of the biennial ADP system security reviews. Effect: Failure to perform risk analyses increases the risk that safeguards will not be in place over physical and data security. Repeat finding: 2024-012, 2023-017 Recommendation: HHSC should ensure all systems are reviewed in a two-year period. HHSC should also implement oversight controls to ensure progress toward the plan is executed during the two-year period, including resolution of remediation items. Views of responsible officials: HHSC concurs with the recommendation.
Special Tests and Provisions – Provider Health and Safety Standards Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Medicaid Cluster ALN: 93.775, 93.777, 93.778 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 2405TXIMPL, 2405TX5000, 2505TXPACT, 2505TX5000, 2405TX5001, 2505TX5021, 2505TX5MAP, 2505TX5ADM October 1, 2023 – September 30, 2024, October 1, 2023 – September 30, 2024, October 1, 2024 – September 30, 2024, October 1, 2024 – September 30, 2025, July 1, 2024 – September 30, 2024, October 1, 2023 – September 30, 2025, October 1, 2024 – December 31, 2024, October 1, 2024 – December 31, 2024 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Per 2 CFR §200.303(a), Health and Human Services Commission (HHSC) must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the Federal award in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: HHSC policies require the completion of Form 2567 Statement of Deficiencies and Plan of Correction to include the prefix tag, the deficiency that contains the code of federal regulations (CFR) or life safety code (LSC) reference for each health and safety survey conducted. HHSC is required to mail a copy of the completed form to the provider within ten business days after the exit date of the survey to ensure any deficiencies noted are addressed timely. For one of 40 health surveys conducted during the fiscal year, Form 2567 was mailed out to the provider 162 business days after the exit date of the survey. While the form was mailed after the required timeline per HHSC policy, it did not include any cited deficiencies. Questioned costs: None. Context: See “Condition.” Cause: After the provider's exit date, HHSC regional staff subsequently determined, several months later, that the required notice had not been issued to the facility. This oversight occurred during a period of transition within the ICF team. Effect: Failure to notify a provider of identified deficiencies in a timely manner may prevent the provider from implementing corrective actions within the required timeframe to meet compliance deadlines. Such delays increase the risk of continued noncompliance and may result in inappropriate payments for new admissions before the provider agreement is terminated. Repeat Finding: No. Recommendation: HHSC should enhance and/or reinforce existing internal controls to ensure timely completion and mailing of Form 2567 to meet standards in 42 CFR Part 442 and related policy requirements. This could include developing automated tracking systems or checklists to monitor survey deadlines and/or providing refresher training for all regional staff involved in the survey and notification process. Views of responsible officials: HHSC concurs with the recommendation.
Activities Allowed or Unallowed, Allowable Costs/ Cost Principles, Cash Management, Eligibility, Equipment and Real Property Management, Matching, Level of Effort and Earmarking, Period of Performance, Procurement and Suspension and Debarment, Reporting, Subrecipient Monitoring, Special Tests and Provisions – Information Technology – User Access Federal Agency: U.S. Department of Agriculture (USDA) U.S. Department of Education (USDE) U.S. Department of Health and Human Services Social Security Administration Federal Program Title: SNAP Cluster Special Education Grants for Infants and Families Temporary Assistance for Needy Families Social Services Block Grant Block Grants Community Mental Health Services Block Grants for Prevention and Treatment of Substance Abuse Aging Cluster Medicaid Cluster Disability Insurance/ SSI Cluster ALN: 10.551, 10.561 84.181 93.558 93.667 93.958 93.959 93.044, 93.045, 93.053 93.775, 93.777, 93.778 96.001, 96.006 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: SNAP Cluster 6TX400105, 6TX400106, USDA-FNS-SNAP-24-EVS-TX October 1, 2023 - September 30, 2024, October 1, 2024 - September 30, 2025, September 25, 2024 - September 30, 2025 Special Education Grants for Infants and Families H181A220171, H181A230171, H181A240171, H181A250171 July 1, 2022 - September 30, 2023, July 1, 2023 - September 30, 2024, July 1, 2024 - September 30, 2025, July 1, 2025 - September 30, 2025 Temporary Assistance for Needy Families 1601TXTANF, 1801TXTANF, 2101TXTANF, 2201TXTANF, 2301TXTANF, 2401TXTANF, 2501TXTANF October 1, 2015 - September 30, 2016, October 1, 2017 - September 30, 2018, October 1, 2020 - September 30, 2022, October 1, 2021 – September 30, 2022, October 1, 2022 - September 30, 2023, October 1, 2023 - September 30, 2024, October 1, 2024 - September 30, 2025 Social Services Block Grant 2301TXSOSR, 2401TXSOSR, 2501TXSOSR October 1, 2022 - September 30, 2024, October 1, 2023 - September 30, 2025, October 1, 2025 - September 30, 2026 Block Grants Community Mental Health Services B09SM089610, B09SM087322, B09SM087345, B09SM085385, B09SM089380, B09SM089984, B09SM085913 October 1, 2023 - September 30, 2025, October 17, 2022 - October 16, 2024, October 1, 2022 - September 30, 2024, September 1, 2021 - March 24, 2025, September 30, 2023 - September 29, 2025, September 30, 2024 - September 29, 2026, September 1, 2021 - March 24, 2025 Block Grants For Prevention and Treatment of Substance Abuse B08TI087067, B08TI085835, B08TI084609, B08TI088134, B08TI083969 October 1, 2023 - September 30, 2025, October 1, 2022 - September 30, 2024, September 1, 2021 - March 24, 2025, October 1, 2024 - September 30, 2026, September 1, 2021 - March 24, 2025 Aging Cluster 2101TXSSC6, 2101TXCMC6, 2101TXHDC6, 2201TXOASS, 2201TXOANS, 2201TXOACM, 2201TXOAHD, 2201TXSTPH, 2301TXOAHD, 2301TXOACM, 2301TXOASS, 2301TXOANS, 2401TXOASS, 2401TXOACM, 2401TXOAHD, 2401TXOANS, 2501TXOASS, 2501TXOAHD, 2501TXOAHD, 2501TXOANS April 1, 2021 - September 30, 2025, October 1, 2021 - September 30, 2024, January 1, 2022 - September 30, 2024, October 1, 2022 – September 30, 2025, October 1, 2023 - September 30, 2025, October 1, 2024 - September 30, 2026 Medicaid Cluster 2405TXIMPL, 2405TX5000, 2505TXPACT, 2505TX5000, 2405TX5021, 2505TX5MAP, 2505TX5ADM October 1, 2023 - September 30, 2024, October 1, 2024 - September 30, 2024, October 1, 2024 - September 30, 2024, October 1, 2024 – September 30, 2025, October 1, 2023 - September 30, 2025, October 1, 2024 - December 31, 2024 Disability Insurance/ SSI Cluster 2304TXDI00, 2404TXDI00, 2504TXDI00 October 1, 2023 - February 2, 2024, October 1, 2023 - September 30, 2024, October 1, 2024 - September 30, 2025 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria or specific requirement: Per 2 CFR §200.303(a), Health and Human Services Commission must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the Federal award in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Additionally, 2 CFR §200.303(e) requires taking reasonable cybersecurity and other measures to safeguard information including protected personally identifiable information (PII) and other types of information. Condition: During testing of user access within the CAPPS FIN (PeopleSoft Financials) system, we identified two user accounts, out of 17 tested, that had been granted inappropriate access to the PeopleSoft Administrator role. This role provides elevated privileges beyond those required for their job duties and should be limited to authorized system administrators. Management remediated the inappropriate access on November 10, 2025. Questioned costs: None. Context: See “Condition.” Cause: The inappropriate access assignments appear to result from gaps in privileged access provisioning and periodic re‑certification controls within the CAPPS FIN environment. Effect: Improper assignment of elevated PeopleSoft Administrator access in CAPPS FIN increases the risk of: • Unauthorized changes to system configuration, accounting rules, or financial data; • Data modification or exposure, including information related to federal program expenditures; • Bypassing of compensating controls intended to maintain data integrity and separation of duties; Although management removed access on 11/10/2025, the presence of improper administrator‑level access before remediation represents a significant control deficiency. Repeat Finding: No Recommendation: We recommend HHSC: • Strengthen privileged access provisioning by requiring documented approval, business justification, and periodic revalidation for all elevated roles in CAPPS FIN. • Implement a formal, recurring privileged access review across all CAPPS FIN modules, with documented results and timely remediation of exceptions. • Utilize identity governance tools or CAPPS FIN security reporting to automatically flag unauthorized assignments of administrator roles. Views of responsible officials: HHSC concurs with the recommendation.