Department of Agriculture Finding 2025 – 006: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Agriculture Monitoring of Food Distribution Cluster Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2024-005) Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 241PA825Y8105 (10/01/2023 – 9/30/2024), 241PA445Q2204 (10/01/2023 – 9/30/2024), 238PA000I1003 (5/25/2023 – 6/30/2025), 251PA825Y8105 (10/01/2024 – 9/30/2025) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), administers the operations of the Food Distribution Cluster (FDC). During the fiscal year ended June 30, 2025, subrecipient expenditures accounted for $92.6 million or approximately 95.9 percent of total federal program expenditures of $96.6 million. PDA performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. For The Emergency Food Assistance Program (TEFAP), PDA must submit a report of review findings to the eligible agency and ensure that corrective action is taken to eliminate deficiencies identified if deficiencies are disclosed through their review. As part of our testing of subrecipient monitoring, we selected 20 TEFAP subrecipients, 14 soup kitchens and six lead agencies, out of 114 reviews conducted during the audit period to test PDA’s monitoring procedures which includes the corrective action process. Our testing disclosed that PDA failed to submit a report of review findings and ensure that corrective action was taken by the eligible recipient agency for four of 14 soup kitchen subrecipients reviewed until after auditor inquiry. Criteria: 7 CFR Section 251.11 (e) regarding TEFAP state monitoring system states: If deficiencies are disclosed through the review of an eligible recipient agency, the State agency must submit a report of the review findings to the eligible recipient agency and ensure that corrective action is taken to eliminate the deficiencies identified. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDA management did not provide a response as to why the deficiencies noted during the review of the soup kitchens were not completed in a timely manner. PDA subsequently communicated the deficiencies to the subrecipients and corrective action was taken. Finding 2025 – 006: (continued) Effect: When PDA does not ensure corrective action for deficiencies disclosed in their review are corrected timely, subrecipients may continue to operate in noncompliance with program regulations. Recommendation: We recommend that PDA implement procedures to communicate deficiencies to subrecipients to ensure timely corrective action is taken by the subrecipients to eliminate the deficiencies identified. Agency Response: The Department of Agriculture agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.
Office of Administration – Office for Information Technology Finding 2025 – 011: ALN 15.252 – Abandoned Mine Land Reclamation (AMLR) A Significant Deficiency Exists at the Department of Environmental Protection Related to Segregation of Duties Federal Grant Number(s) and Year(s): S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2026), S22AF00017 (1/01/2022 – 12/31/2026), S23AF00002 (11/01/2022 – 10/31/2027), S23AF00022 (10/01/2022 – 9/30/2026), S23AF00028 (11/01/2022 – 10/31/2026), S24AF00026 (11/01/2023 – 10/31/2028) Type of Finding: Significant Deficiency in Internal Control over Compliance Compliance Requirement: Other Condition: As part of testing internal controls over the AMLR program, we performed certain tests of information technology (IT) general controls over a computer application used by the Department of Environmental Protection, Bureau of Abandoned Mine Reclamation (BAMR) to record and process subrecipient expenditures. During our testing, we identified a lack of segregation of duties whereby 15 application developers had the ability to promote code to production on servers supported by Office of Administration – Office for Information Technology’s (OA-OIT’s) Enterprise Solutions Office and the Infrastructure and Economic Development (I&ED) Delivery Center. Details of this issue have been provided to OA-OIT’s Enterprise Solutions Office and I&ED Delivery Center for their information and corrective action. Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). • Green Book Principle 10 – Design Control Activities, states in part: o 10.12 Management considers segregation of duties in designing control activity responsibilities so that incompatible duties are segregated and, where such segregation is not practical, designs alternative control activities to address the risk. • Green Book Principle 11 – Design Activities for the Information System, states in part: o 11.07 General controls facilitate the proper operation of information systems by creating the environment for proper operation of application controls. General controls include security management, logical and physical access, configuration management, segregation of duties, and contingency planning. o 11.09 Management designs control activities over the information technology infrastructure to support the completeness, accuracy, and validity of information processing by information technology. … Management evaluates the objectives of the entity and related risks in designing control activities for the information technology infrastructure. o 11.11 Management designs control activities for security management of the entity’s information system for appropriate access by internal and external sources to protect the entity’s information system. Finding 2025 – 011: (continued) o 11.12 Management designs control activities over access to protect an entity from inappropriate access and unauthorized use of the system. These control activities support appropriate segregation of duties. By preventing unauthorized use of and changes to the system, data and program integrity are protected from malicious intent (e.g., someone breaking into the technology to commit fraud, vandalism, or terrorism) or error. o 11.14 Management designs control activities to limit user access to information technology through authorization control activities…These control activities may restrict authorized users to the applications or functions commensurate with their assigned responsibilities, supporting an appropriate segregation of duties. A well-designed system of internal controls dictates effective IT general controls, which necessitates that adequate segregation of duties controls be established and functioning to ensure overall agency operations are conducted in accordance with management’s intent. Cause: The segregation of duties weakness occurred when IT support services for this application were being transitioned from an agency/delivery center-supported service to an OA-OIT Enterprise-supported service in July 2022. Prior to the transition, OA-OIT management was aware that developers had been accessing production servers to make deployments, and this process was retained temporarily until a new process with better segregation of duties could be put in place. In 2023, as outdated servers for the application were being replaced, all deployments became the responsibility of I&ED Delivery Center server and database administrators, and OA-OIT Enterprise management directed their application developers that they would no longer be able to log into production servers and perform direct deployments to production environments. However, due to an oversight when the servers were replaced, the Active Directory group containing 15 application developers remained on the servers with the ability to log into the servers and perform deployments. Effect: Lack of segregation of duties between development and production contributes to the risk that system actions can occur that are not in accordance with management’s intent, including unauthorized changes to the software and noncompliance with federal laws and regulations. Further, without properly functioning controls over segregation of duties, the auditors are precluded from reliance on computer controls in these agencies. Recommendation: We recommend that OA-OIT and I&ED Delivery Center management implement controls and procedures that segregate the responsibility for the development of programs from the promotion to production environment. Agency Response: The agency agrees with the facts of the finding. The details of the root cause have been provided in the Cause section above. Questioned Costs: None
Department of Military and Veterans Affairs Finding 2025 – 010: ALN 64.015 – Veterans State Nursing Home Care A Significant Deficiency Exists at the Department of Military and Veterans Affairs related to MatrixCare Application Federal Grant Number(s) and Year(s): D70314 (7/01/2024 – 6/30/2025), D75114 (7/01/2024 – 6/30/2025), D75214 (7/01/2024 – 6/30/2025), D75514 (7/01/2024 – 6/30/2025), D75814 (7/01/2024 – 6/30/2025), D77814 (7/01/2024 – 6/30/2025) Type of Finding: Significant Deficiency in Internal Control over Compliance Compliance Requirement: Other Condition: The Department of Military and Veterans Affairs (DMVA) uses MatrixCare to track data regarding daily bed counts, moves, additions, and subtractions of nursing home residents needed to calculate the federal reimbursement amount on the monthly invoice. MatrixCare is hosted by the vendor and has a System and Organization Control (SOC) report available. During our audit of the information technology (IT) controls implemented by DMVA we noted the following: • A current SOC report was not obtained and reviewed; and • A review of user accounts and associated permissions is not routinely performed. Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Management Directive 325.13, Amended – Service Organization Controls states in part: Evaluate appropriate levels of oversight, as well as determine which monitoring requirements, independent audits, or assessments are needed to confirm the operating effectiveness of a Service Organization’s Internal Control system. Cause: Established policies and procedures were not followed consistently, which resulted in ineffective internal controls over MatrixCare. Effect: Inadequate oversight of the service organization increases the risk that residents’ records will not be accurate and complete for determining the monthly federal reimbursements. Recommendation: We recommend that DMVA implement procedures to complete the following: • Obtain and review the MatrixCare SOC report at least annually; and • Review all user accounts for appropriateness of access. Finding 2025 – 010: (continued) Agency Response: The agency concurs the SOC2 report was obtained in 2023, it was not obtained and reviewed during this audit period. The agency concurs no documented routine review of user accounts and associated permissions were performed. Questioned Costs: None
Department of Aging Finding 2025 – 003: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring (A Similar Condition Was Noted in Prior Year Finding 2024-003) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PASTPH (1/01/2022 – 9/30/2025), 2301PAOACM (10/01/2022 – 9/30/2025), 2301PAOAHD (10/01/2022 – 9/30/2025), 2301PAOASS (10/01/2022 – 9/30/2025), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2501PAOASS (10/01/2024 – 9/30/2026), 2501PAOACM (10/01/2024 – 9/30/2026), 2501PAOAHD (10/01/2024 – 9/30/2026), 2501PAOANS (10/01/2024 – 9/30/2026) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA performed subrecipient monitoring on 18 of the 52 subrecipients during the fiscal year ended June 30, 2025. The review period for the 18 subrecipients monitored was 2019 through 2023, representing old grant years. The monitoring performed did not include grants in years 2024 and 2025 to ensure timely compliance. The Aging Cluster subrecipients received $66.3 million, or 97 percent, of Aging Cluster Program expenditures totaling $68.1 million reported on the Schedule of Expenditures of Federal Awards (SEFA). Criteria: 45 CFR Section 1321.9 State agency policies and procedures, states in part: (a) The State agency on aging shall develop policies and procedures governing all aspects of programs operated as set forth in this part… The State agency is responsible for implementing, monitoring, and enforcing policies and procedures, where: (1) The policies and procedures developed by the State agency shall address how the State agency will monitor the programmatic and fiscal performance of all programs and activities initiated under this part for compliance with all requirements, and for quality and effectiveness. 2 CFR Section 200.332, Requirements for pass-through entities, states: (e) Monitor the activities of the subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must: (1) Review financial and performance reports. Finding 2025 – 003: (continued) (2) Ensure that the subrecipient takes corrective action on all significant developments that negatively affect the subaward. Significant developments include Single Audit findings related to the subaward, other audit findings, site visits, and written notifications from a subrecipient of adverse conditions which will impact their ability to meet the milestones or the objectives of a subaward. When significant developments negatively impact the subaward, a subrecipient must provide the pass-through entity with information on their plan for corrective action and any assistance needed to resolve the situation. (3) Issue a management decision for audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity… (4) Resolve audit findings specifically related to the subaward. However, the pass-through entity is not responsible for resolving cross-cutting audit findings that apply to the subaward and other Federal awards or subawards. If a subrecipient has a current Single Audit report and has not been excluded from receiving Federal funding (meaning, has not been debarred or suspended), the pass-through entity may rely on the subrecipient's cognizant agency for audit or oversight agency for audit to perform audit follow-up and make management decisions related to cross-cutting audit findings in accordance with section § 200.513(a)(4)(viii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Depending upon the pass-through entity's assessment of the risk posed by the subrecipient (as described in paragraph (c) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; (2) Performing site visits to review the subrecipient's program operations; and (3) Arranging for agreed-upon-procedures engagements as described in § 200.425. PDOA’s Policy and Procedures Manual, Section B. Roles and Responsibilities of the State Authority states: In accordance with the State’s administrative authority, the Department’s functions and responsibilities include the following: • The establishment and maintenance of policies and procedures for the fiscal and programmatic operation of the programs. • The establishment of minimum standards for the provision of services and benefits. • Enter into contracts or grants between the State and the Area Agencies on Aging (AAA) to set forth the responsibilities and performance requirements. • Provide oversight and monitoring of the AAAs for compliance with all program's standards. • Provide oversight and fiscal management of fund utilization based on funding source requirements. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2025 – 003: (continued) Cause: In response to the lack of monitoring procedures conducted in the prior year, PDOA has started monitoring subrecipients but continues to have a backlog. PDOA accelerated the monitoring schedule to include prior year review periods to bring the monitoring process current but did not monitor the current audit period. PDOA’s policy did not include a defined monitoring cycle of its subrecipients to ensure adequate monitoring was performed on a timely basis. We acknowledge that PDOA has implemented a new phase of their monitoring process. They enhanced the monitoring instrument used to monitor subrecipients and are working to eliminate the monitoring backlog. Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements. Recommendation: PDOA should perform adequate during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. PDOA policy should include a defined monitoring cycle to ensure timely monitoring visits in addition to the compliance procedures. Monitoring by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations. Agency Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.
Department of Aging Finding 2025 – 004: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging’s Maintenance of Effort Certification Reporting Process Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PASTPH (1/01/2022 – 9/30/2025), 2301PAOACM (10/01/2022 – 9/30/2025), 2301PAOAHD (10/01/2022 – 9/30/2025), 2301PAOASS (10/01/2022 – 9/30/2025), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2501PAOACM (10/01/2024 – 9/30/2026), 2501PAOAHD (10/01/2024 – 9/30/2026), 2501PAOASS (10/01/2024 – 9/30/2026) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Matching, Level of Effort, Earmarking, Reporting Condition: The Pennsylvania Department of Aging (PDOA) is required to spend at least the average amount of state funds for aging services and administration that it reported as spent under the state plan for these activities for the three previous fiscal years. The amount of state funds expended is subsequently required to be reported to the U.S. Department of Health and Human Services (HHS) on the Certification of Maintenance of Effort (MOE). Our testing confirmed that PDOA submitted the MOE Certification for federal fiscal year (FFY) ending September 30, 2024, for Title III, Parts B and C applicable to the Aging Cluster; however, the amount certified was incorrect. In addition, using information provided by PDOA to support state funds expended, it was determined that FFY 2024 state expenditures were less than the average of the previous three years and therefore, PDOA did not meet the required level of effort for FFY ending September 30, 2024. Criteria: 45 CFR Section 1321.9(c)(2)(vi), Maintenance of effort, states: Maintenance of effort. The State agency will meet expectations regarding maintenance of effort, where: (A) The State agency must expend for both services and administration at least the average amount of State funds reported and certified as expended under the State plan for these activities for the three previous fiscal years for Title III; (B) The amount certified must at least meet minimum match requirements from State resources; (C) Any amount of State resources included in the Title III maintenance of effort certification that exceeds the minimum amount mandated becomes part of the permanent maintenance of effort; and (D) Excess State match reported on the Federal financial report does not become part of the maintenance of effort unless the State agency certifies the excess. The Instructions for Maintenance of Effort for Title III and Certification of Long-Term Care Ombudsman Program Expenditures states in part: This instruction requires the Authorized Official in each State/Territory Agency on Aging to submit a certification on maintenance of effort for Title III and certification of minimum expenditures for Long-Term Ombudsman Programs under Title III and Title VII of the Older Americans Act (OAA) for the prior fiscal year. As required in OAA, the State/Territory maintenance of effort level is to be determined annually. Finding 2025 – 004: (continued) In addition, Commonwealth Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should design control activities to achieve objectives and respond to risk. Management should implement control activities through policies. Cause: PDOA changed their methodology for calculating the MOE, and the data used to calculate state expenditures for FFY 2024 was from a prior period representing FFY 2023. PDOA’s controls over meeting the required level of effort and calculating the required MOE were not effective in detecting noncompliance and errors on the Certification of Maintenance of Effort submitted to HHS. Effect: The MOE Certification submitted by PDOA was inaccurate. In addition, PDOA did not meet the required level of effort of state resources for FFY 2024. PDOA was not in compliance with the Level of Effort and reporting requirements. Recommendation: We recommend that PDOA implement procedures to monitor their level of effort to ensure state expenditures meet the required level for each FFY as required. In addition, procedures should be implemented to ensure the MOE Certification is calculated correctly using verifiable resources. Agency Response: PDOA agrees with the finding. Questioned Costs: None
Department of Aging Office of the Budget - Office of Comptroller Operations Finding 2025 – 005: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging’s Program Income and Reporting Process Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PASTPH (1/01/2022 – 9/30/2025), 2301PAOACM (10/01/2022 – 9/30/2025), 2301PAOAHD (10/01/2022 – 9/30/2025), 2301PAOASS (10/01/2022 – 9/30/2025), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2501PAOACM (10/01/2024 – 9/30/2026), 2501PAOAHD (10/01/2024 – 9/30/2026), 2501PAOASS (10/01/2024 – 9/30/2026) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Program Income, Reporting Condition: The Pennsylvania Department of Aging (PDOA) is required to submit a SF-425, Federal Financial Report to the United States Department of Health and Human Services (HHS) for the Aging Cluster of grants. The reports are due annually 90 days after the reporting period with a final submission due 120 days after the project period end date. The SF-425 report includes data related to federal cash receipts and disbursements, federal expenditures to date, the federal share of unliquidated obligations, the federal program income earned, the federal program income expended and unexpended, indirect charges to the grant, as well as other general information that is necessary to ensure compliance with program requirements. We selected two of 11 SF-425 reports submitted during the audit period for testing. Our testing disclosed that federal program income did not agree to supporting documentation and was incorrectly reported on the September 30, 2024 annual filing for the federal fiscal year (FFY) 2024 federal grant. Although the SF-425 report was certified by an authorized official, the overstatement of federal program income earned and expended went undetected by Commonwealth management until it was brought to their attention by the auditor. Our testing also disclosed that $2,983,034 of unexpended federal program income was reported on the September 30, 2024, final filing for the FFY 2021 federal grant. This amount agreed to supporting documentation; however, PDOA could not adequately explain what action was taken to ensure the balance was expended in the subsequent fiscal year, as required by federal regulations and Aging Program Directives. Our testing of federal program income included the review of cost sharing fees collected from services provided through Aging Cluster grants and PDOA provided reports from their accounting system used to track program income, but auditors were unable to determine the amount of federal cost sharing collections and if they were allowable. Criteria: The 2025 OMB Uniform Guidance Compliance Supplement, Part 4 – III. Compliance Requirements for Aging Cluster, L. Reporting states, in part: For State Agency- 1. Financial Reporting c. SF-425, Federal Financial Reports – Semi-Annual (OMB No. 4040-0014)- Applicable Finding 2025 – 005: (continued) 45 CFR Section 1321.9(c)(2)(xii), Use of program income, states: Program income is subject to the requirements in 2 CFR 200.307 and 45 CFR 75.307 and as follows: (A) Voluntary contributions and cost sharing payments are considered program income; (B) Program income collected must be used to expand a service funded under the Title III grant award pursuant to which the income was originally collected; (C) The State agency must use the addition alternative as set forth in 2 CFR 200.307(e)(2) and 45 CFR 75.307(e)(2) when reporting program income, and prior approval of the addition alternative from the Assistant Secretary for Aging is not required; (D) Program income must be expended or disbursed prior to requesting additional Federal funds; and (E) Program income may not be used to match grant awards funded by the Act without prior approval. 45 CFR Section 1321.9(c)(2)(xi), Cost Sharing states, in part: A State agency is permitted under section 315(a) of the Act (42 U.S.C. 3030c-2(a)), to implement cost sharing for services funded by the Act by recipients of the services, except as provided for in paragraph (c)(2)(xi)(D) of this section. (H) Collection of program income. All cost sharing contributions collected are considered program income and are subject to the requirements of 2 CFR 200.307, 45 CFR 75.307, and in § 1321.9(c)(2)(xii). 2 CFR Section 200.303(a), Internal controls, states: The recipient and subrecipient must: (a) Establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Aging Program Directive (APD) #25-01-03, Program Income, states in part: Federal Program Income - All program income generated from services funded, in whole or in part, by federal OAA funds on hand as of June 30, 2024, is to be budgeted and expended during SFY 2024-25… Failure to comply with these policies may result in the reduction of Block Grant funding to the AAA [Area Agency on Aging]… AAAs will comply with the provisions of APD #05-01-11 concerning excessive balances of program income collections. AAAs are advised that payments of funds on SFY 2024-25 Aging Block Grant contracts will be contingent upon the compliance of AAAs with the federal and state requirements for program income and cost sharing fund balances… Finding 2025 – 005: (continued) When a AAA has excessive balances of Federal Program Income, Local Program Income or OPTIONS Cost Sharing Funds as of June 30, 2024 (Fourth Quarter FRR), its SFY2024-25 Block Grant monthly payment(s)may be reduced or withheld until the AAA achieves compliance with the established program income balance requirements. Aging Program Directive #05-01-11, Area Agency on Aging (AAAs) Program Income Policies, states in part: Federal Program Income - All Federal program income generated from services funded, in whole or in part, by federal Older Americans Act funds that is on hand as of June 30 must be budgeted and expended during the following fiscal year. Failure to comply with this policy could result in the reduction of Block Grant funding to the AAA… The AAA must also ensure that appropriate financial records for program income are maintained by service provider. The purpose of such records is to ensure compliance with standards established by the Department of Aging, i.e. that program income collections are expended on a timely basis and no excessive balances for program income collections are accumulated. Records must be available that properly reflect beginning balances, receipts, expenditures and ending balances. In addition, Commonwealth Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should design control activities to achieve objectives and respond to risk. Management should implement control activities through policies. Cause: PDOA stated that management turnover, outdated policies, inconsistencies and timing of AAA reporting contributed to the incorrect reporting of program income. In addition, the accounting system, used by the AAAs to report program income to PDOA, reports federal program income as a single figure, commingling the reporting of program income of the various grant awards. As a result, the liquidation of program income by grant award could not be determined to ensure it was fully spent in compliance with federal requirements. Also, the report does not differentiate between voluntary contributions or cost sharing fees to determine compliance with federal program income requirements specific to cost sharing fees. Effect: Since PDOA’s controls over reporting program income and the preparation process for the SF-425 report were not effective, program income was incorrectly reported on the SF-425 report submitted to HHS. In addition, PDOA was not in compliance with federal regulations and their Aging Program Directives related to program income requirements. Recommendation: We recommend that PDOA update their written policies and procedures to ensure federal program income is accurately recorded, reported and in compliance with federal regulations. Program income should be monitored and reconciled to ensure that the balance on hand is budgeted and expended in accordance with federal regulations and PDOA’s policies. PDOA policy should allow for consistent accounting and reporting amongst the AAAs. PDOA and the Office of Comptroller Operations (OCO) should also develop a policy for the review, approval, and submission of the SF-425 reports to ensure the reports are prepared accurately and submitted timely in accordance with federal regulations. Finding 2025 – 005: (continued) PDOA Response: PDOA agrees with this finding. OCO Response: OCO agrees with this finding. Questioned Costs: None
Department of Agriculture Department of Aging Finding 2025 – 013: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2024-014) Federal Grant Number(s) and Year(s): 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 241PA445Q2204 (10/01/2023 – 9/30/2024), 251PA825Y8105 (10/01/2024 – 9/30/2025), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PASTPH (1/01/2022 – 9/30/2025), 2301PAOACM (10/01/2022 – 9/30/2025), 2301PAOAHD (10/01/2022 – 9/30/2025), 2301PAOASS (10/01/2022 – 9/30/2025), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2501PAOACM (10/01/2024 – 9/30/2026), 2501PAOAHD (10/01/2024 – 9/30/2026), 2501PAOANS (10/01/2024 – 9/30/2026), 2501PAOASS (10/01/2024 – 9/30/2026) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2025. Our testing disclosed that the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information in subrecipient award documents. Additionally, PDA, and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2025 – 013: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (b) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the information provided below. A pass-through entity must provide the best available information when some of the information below is unavailable. A pass-through entity must provide the unavailable information when it is obtained. Required information includes: (1) Federal award identification. (iii) Federal Award Identification Number (FAIN); (6) Appropriate terms and conditions concerning closeout of the subaward. (c) Evaluate each subrecipient's fraud risk and risk of noncompliance with a subaward to determine the appropriate subrecipient monitoring described in paragraph (f) of this section. When evaluating a subrecipient's risk, a pass-through entity should consider the following: (1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits. This includes considering whether or not the subrecipient receives a Single Audit in accordance with subpart F and the extent to which the same or similar subawards have been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of any Federal agency monitoring (for example, if the subrecipient also receives Federal awards directly from the Federal agency). Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, PDA’s (Commodity Supplemental Food Program) processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA and PDOA were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2025 – 013: (continued) Recommendation: PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA and PDOA should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. PDA Response: PDA agrees with this finding. PDOA Response: PDOA agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies Finding 2025 – 014: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 66.458 – Clean Water State Revolving Fund ALN 84.425C – COVID-19 – Education Stabilization Fund – GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund – ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund – CRRSA EANS Program ALN 84.425U – COVID-19 – Education Stabilization Fund – ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund – ARP EANS Program ALN 84.425W – COVID-19 – Education Stabilization Fund – ARP ESSER HCY ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2024-015) Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 241PA445Q2204 (10/01/2023 – 9/30/2024), 238PA000I1003 (5/25/2023 – 6/30/2025), 251PA825Y8105 (10/01/2024 – 9/30/2025), 42000124-0-CS (7/01/2024 – 9/30/2026), 95324301-0-4C (7/01/2023 – 6/30/2023), 95325401-0-4X (7/01/2023 – 6/30/2030), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PASTPH (1/01/2022 – 9/30/2025), 2301PAOACM (10/01/2022 – 9/30/2025), 2301PAOAHD (10/01/2022 – 9/30/2025), 2301PAOASS (10/01/2022 – 9/30/2025), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2501PAOASS (10/01/2024 – 9/30/2026), 2501PAOACM (10/01/2024 – 9/30/2026), 2501PAOAHD (10/01/2024 – 9/30/2026), 2501PAOANS (10/01/2024 – 9/30/2026) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2025 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2024 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2025. We also evaluated the Commonwealth’s review of 47 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2025 and required management decisions by Commonwealth agencies. Finding 2025 – 014: (continued) Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have adequate procedures in place for tracking and making management decisions on findings timely. The time period for making management decisions on findings was approximately 13.4 months to over 19 months after the FAC acceptance date for four out of four audit reports with findings. For the four items selected for testing, PDOA had not completed SEFA reconciliations or performed alternative procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. • Department of Agriculture (PDA): The time period for making a management decision on findings was approximately eight months to over 15 months after the FAC acceptance date for four out of six audit reports with findings. There were also delays in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. In addition, our testing disclosed that PDA subgranted federal funds of approximately $8.9 million to one subrecipient during fiscal year ended June 30, 2024, for which the Single Audit was not submitted to the FAC as of our February 2026 testing date. This was over 10 months after the March 31, 2025 due date. • Department of Education (PDE): The time period for making a management decision on findings was approximately 6.9 months to over 12 months after the FAC acceptance date for nine out of 30 audit reports with findings selected for testing. Three of the 30 audits reports were improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Pennsylvania Infrastructure Investment Authority (PENNVEST): The time period for making a management decision on findings was over 15.9 months after the FAC acceptance date for one out of three audit reports with findings. For one out of three items selected for testing, PENNVEST had started but had not yet completed reconciling the SEFA to ensure the subrecipient SEFA was accurate so that major programs were properly determined and subject to audit. Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: A pass-through entity must: (e) Monitor the activities of a subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must: (2) Ensure that the subrecipient takes corrective action on all significant developments that negatively affect the subaward. Significant developments include Single Audit findings related to the subaward, other audit findings, site visits, and written notifications from a subrecipient of adverse conditions which will impact their ability to meet the milestones or the objectives of a subaward. When significant developments negatively impact the subaward, a subrecipient must provide the pass-through entity with information on their plan for corrective action and any assistance needed to resolve the situation. (3) Issue a management decision for audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (g) Verify that a subrecipient is audited as required by Subpart F [Audit Requirements] of this part. (h) Consider whether the results of a subrecipient’s audit, site visits, or other monitoring necessitate adjustments to the pass-through entity’s records. Finding 2025 – 014: (continued) (i) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit, the data collection form, and the reporting package must be submitted within 30 calendar days after the auditee receives the auditor's report(s) or nine months after the end of the audit period (whichever is earlier). The cognizant agency for audit or oversight agency for audit (in the absence of a cognizant agency for audit) may authorize an extension when the nine-month timeframe would place an undue burden on the auditee. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments or take other action. (d) Time requirements. The Federal agency or pass-through entity responsible for issuing a management decision must do so within six months of the FAC’s acceptance of the audit report. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Remedies for audit noncompliance, states: In cases of continued inability or unwillingness of a non-federal entity to have an audit conducted in accordance with this part, Federal agencies or pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. 2 CFR Section 200.339, Remedies for noncompliance, states in part: The Federal agency or pass-through entity may implement specific conditions if the recipient or subrecipient fails to comply with the U.S. Constitution, Federal statutes, regulations, or terms and conditions of the Federal award. See §200.208 for additional information on specific conditions. When the Federal agency or pass-through entity determines that noncompliance cannot be remedied by imposing specific conditions, the Federal agency or pass-through entity may take one or more of the following actions: (a) Temporarily withhold payments until the recipient or subrecipient takes corrective action. (b) Disallow costs for all or part of the activity associated with the noncompliance of the recipient or subrecipient. (c) Suspend or terminate the Federal award in part or in its entirety. (d) Initiate suspension or debarment proceedings as authorized in 2 CFR Part 180 and the Federal agency’s regulations, or for pass-through entities, recommend suspension or debarment proceedings be initiated by the Federal agency. (e) Withhold further Federal funds (new awards or continuation funding) for the project or program. (f) Pursue other legally available remedies. Finding 2025 – 014: (continued) To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: a. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Finding 2025 – 014: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding the late and outstanding audit report submission, PDA did not take timely remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. PDE Response: PDE agrees with the finding. PENNVEST Response: PENNVEST agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.
Department of Human Services Finding 2025 – 007: ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2024-007) Federal Grant Number(s) and Year(s): 241PA405S2514 (10/01/2023 – 9/30/2024), 251PA405S2514 (10/01/2024 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2501PATANF (10/01/2024 – 9/30/2025) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2025, totaled $4.3 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2025, totaled $97.2 million. Fourteen of the 86 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at ten CAO and district locations selected for testing. These exceptions included the following: 1) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 5 CAO locations); 2) EBT cards were created outside of the hours of operations (1 CAO location); 3) The Daily Log Summary and Weekly Log Report from the EBT Card Tracking Database did not reconcile (1 CAO location); 4) Failure to perform the following: • Completion of EBT Card Paper Logs only in circumstances deemed an emergency (1 district office and 1 CAO location); • Designate a manager or supervisor to the Alternate EBT Coordinator role (1 CAO location); • Ensure that upon receipt of each shipment of EBT cards and related supplies, the shipping manifest is date stamped (1 CAO location); • Mail locally created EBT cards directly to customers (1 district office); • Maintain adequate security of EBT cards (1 CAO location); • Maintain adequate security of card printer (1 CAO location); • Maintain EBT Card Paper Logs for four years (1 CAO location); • Proper completion of EPPIC EBT Systems Application forms (1 CAO location); • Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (1 district office and 4 CAO locations); Finding 2025 – 007: (continued) • Timely deactivation of user access in the EBT Card Tracking Database (2 CAO locations); • Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location); and • Timely mail locally created EBT cards on the same day as card creation (1 district office). Criteria: The 2025 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365): (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2025 – 007: (continued) Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.
Department of Labor and Industry Finding 2025 – 009: ALN 93.558 – Temporary Assistance for Needy Families Department of Labor and Industry Did Not Perform Adequate Monitoring of Temporary Assistance for Needy Families Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2024-009) Federal Grant Number(s) and Year(s): 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: During the fiscal year ended June 30, 2025, the Department of Labor and Industry (L&I) paid $26.9 million in Temporary Assistance for Needy Families (TANF) funding to 22 subrecipients within the Youth Employment and Training (E&T) appropriation (or 6.7 percent) out of total federal TANF expenditures of $403.4 million reported on the June 30, 2025 Schedule of Expenditures of Federal Awards (SEFA). Our testing of L&I’s during-the-award monitoring of subrecipients for the fiscal year ended June 30, 2025, disclosed that L&I did not conduct on-site monitoring or perform desk reviews of the TANF Youth Development Program (TANF YDP) for three out of five subrecipients selected for testing. Although L&I performed monitoring of these subrecipients specific to another federal program, the monitoring did not include a review of the performance of the subrecipients’ TANF YDP programs. The TANF YDP operations transitioned from the Bureau of Workforce Development Administration (BWDA) to the Bureau of Workforce Partnership and Operations (BWPO) in December 2023. During the fiscal year ended June 30, 2025, BWPO began onsite monitoring of the TANF YDP program on a limited basis by developing a pilot program that BWPO used to monitor the TANF YDP program for three subrecipients. BWPO developed a written TANF YDP Monitoring Plan that outlines plans to expand the monitoring to other TANF YDP subrecipients; however, the plan was not fully implemented as of June 30, 2025. Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states: A pass-through entity must: (e) Monitor the activities of a subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must: (1) Review financial and performance reports. (2) Ensure that the subrecipient takes corrective action on all significant developments that negatively affect the subaward. Significant developments include Single Audit findings related to the subaward, other audit findings, site visits, and written notifications from a subrecipient of adverse conditions which will impact their ability to meet the milestones or the objectives of a subaward. When significant developments negatively impact the subaward, a subrecipient must provide the pass-through entity with information on their plan for corrective action and any assistance needed to resolve the situation. Finding 2025 – 009: (continued) (3) Issue a management decision for audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by § 200.521. (4) Resolve audit findings specifically related to the subaward. However, the pass-through entity is not responsible for resolving cross-cutting audit findings that apply to the subaward and other Federal awards or subawards. If a subrecipient has a current Single Audit report and has not been excluded from receiving Federal funding (meaning, has not been debarred or suspended), the pass-through entity may rely on the subrecipient’s cognizant agency for audit or oversight agency for audit to perform audit follow-up and make management decisions related to cross-cutting audit findings in accordance with section § 200.513(a)(4)(viii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (c) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; (2) Performing site visits to review the subrecipient's program operations; and (3) Arranging for agreed-upon-procedures engagements as described in §200.425. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: L&I recognized the need to perform during-the-award monitoring procedures for TANF funds passed through for the Youth E&T program, but the updated monitoring procedures were not fully incorporated during the fiscal year ended June 30, 2025. Effect: TANF subrecipients could be operating in noncompliance with federal regulations without timely detection and correction by L&I management. Recommendation: L&I should continue to strengthen controls to ensure during-the-award monitoring is being performed for all TANF subrecipients and that the monitoring includes procedures to ensure that subrecipients are in compliance with applicable federal regulations. This should include examining subrecipients’ financial records and ensuring that all required Single Audits were obtained by L&I subrecipients. Agency Response: L&I agrees with this finding. TANF YDP operations transitioned from BWDA to BWPO in January 2023. Due to this transition, BWPO did not conduct on site monitoring of the TANF YDP program in Program Year (PY) 22. BWPO did begin monitoring in PY 23 on a limited basis as a pilot with 3 local areas in September of 2024. BWPO expanded monitoring efforts in 2025 by conducting PY 24 TANF YDP monitoring in alignment with the WIOA Common Measures Data Validation cycle. This enhanced desk review monitoring effort concluded by January 2026. PY is defined as July 1st to June 30th. BWPO will further expand annual monitoring of TANF YDP in alignment with the requirement to monitor all TANF YDP grant subrecipients for PY 25 and moving forward. L&I does ensure single audits are obtained from the TANF YDP sub-recipients as a part of our single audit review. Finding 2025 – 009: (continued) Questioned Costs: The amount of questioned costs cannot be determined.
Department of Human Services Finding 2025 – 008: ALN 93.667 – Social Services Block Grant A Material Weakness and Material Noncompliance Exist in the Department of Human Services’ Program Monitoring of the Social Services Block Grant Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2024-008) Federal Grant Number(s) and Year(s): 2501PASOSR (10/01/2024 – 9/30/2026), 2401PASOSR (10/01/2023 – 9/30/2025) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirements: Cash Management, Subrecipient Monitoring Condition: Our examination of the Department of Human Services’ (DHS) procedures for monitoring Social Services Block Grant (SSBG) subrecipients revealed that DHS did not adequately risk assess and monitor the SSBG Mental Health, Homeless Assistance, and Child Welfare subrecipients to ensure that SSBG awards are used in compliance with laws and regulations, which include allowable costs, period of performance, and other requirements. Although DHS performed risk assessments of these subrecipients, the risk assessments did not include a consideration of all of the items outlined in 2 CFR Section 200.332 (c) (1)-(4). Further, the risk assessments did not define the course of action to be taken for each assigned risk level. DHS program personnel indicated that they performed on-site monitoring of eight subrecipients with seven final monitoring reports issued and one report in progress. The remaining 67 subrecipients were not monitored during the audit period. Expenditures for Mental Health, Homeless Assistance, and Child Welfare subrecipient programs not monitored totaled $21.7 million (or approximately 23.2 percent) of total SSBG program expenditures of $93.6 million reported on the Schedule of Expenditures of Federal Awards (SEFA). While we noted that DHS monitored eight of the 75 Mental Health County/County Joinder subrecipients which included Mental Health, Homeless Assistance and Child Welfare services, this coverage was not adequate. In addition, our review of the risk assessments completed for all of the aforementioned subrecipients identified several instances where subrecipient monitoring was warranted but was not conducted, including several subrecipients assessed as high risk for which no monitoring procedures were performed. In addition, for the compliance requirement related to cash management, we noted that DHS advanced funds to SSBG subrecipients in four of nine program areas, representing $34.0 million (or approximately 36.3 percent) of SSBG program expenditures, without adequately monitoring the reasonableness of the subrecipient cash balances. In particular, for the program areas related to Mental Health, Intellectual Disabilities, Homeless Assistance, and Child Welfare, DHS advanced funds to subrecipients on a quarterly basis. Our inquiries with applicable DHS program administrators disclosed that DHS did not adequately monitor the four program areas’ subrecipients for cash management compliance either at the time of payment or at any other time during the fiscal year ended June 30, 2025. Furthermore, while Single Audits of SSBG subrecipients may be conducted each year, this auditing activity does not compensate for the lack of during-the-award program monitoring, since the timing, focus, and scope of subrecipient auditing activities after year end are different than compliance monitoring to be performed by program officials during the year. Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states: (c) Evaluate each subrecipient's fraud risk and risk of noncompliance with a subaward to determine the appropriate subrecipient monitoring described in paragraph (f) of this section. When evaluating a subrecipient's risk, a pass-through entity should consider the following: Finding 2025 – 008: (continued) (1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits. This includes considering whether or not the subrecipient receives a Single Audit in accordance with subpart F and the extent to which the same or similar subawards have been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of any Federal agency monitoring (for example, if the subrecipient also receives Federal awards directly from the Federal agency). (e) Monitor the activities of a subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must: (1) Review financial and performance reports. (2) Ensure that the subrecipient takes corrective action on all significant developments that negatively affect the subaward. Significant developments include Single Audit findings related to the subaward, other audit findings, site visits, and written notifications from a subrecipient of adverse conditions which will impact their ability to meet the milestones or the objectives of a subaward. When significant developments negatively impact the subaward, a subrecipient must provide the pass-through entity with information on their plan for corrective action and any assistance needed to resolve the situation. (3) Issue a management decision for audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by § 200.521. (4) Resolve audit findings specifically related to the subaward. However, the pass-through entity is not responsible for resolving cross-cutting audit findings that apply to the subaward and other Federal awards or subawards. If a subrecipient has a current Single Audit report and has not been excluded from receiving Federal funding (meaning, has not been debarred or suspended), the pass-through entity may rely on the subrecipient's cognizant agency for audit or oversight agency for audit to perform audit follow-up and make management decisions related to cross-cutting audit findings in accordance with section § 200.513(a)(4)(viii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Depending upon the pass-through entity's assessment of the risk posed by the subrecipient (as described in paragraph (c) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; (2) Performing site visits to review the subrecipient's program operations; and (3) Arranging for agreed-upon-procedures engagements as described in § 200.425. Finding 2025 – 008: (continued) 2 CFR Section 200.305 (b)(1), applicable for recipients and subrecipients, states in part: …Advance payments to a recipient or subrecipient must be limited to the minimum amounts needed and be timed with actual, immediate cash requirements of the recipient or subrecipient in carrying out the purpose of the approved program or project. The timing and amount of advance payments must be as close as is administratively feasible to the actual disbursements by the recipient or subrecipient for direct program or project costs and the proportionate share of any allowable indirect costs. The recipient or subrecipient must make timely payments to contractors in accordance with the contract provisions. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: DHS management indicated that risk assessment and monitoring documents were created for use during on-site monitoring of SSBG subrecipients. However, due to staffing issues, on-site monitoring was not performed for all SSBG subrecipients. Consistent with prior year audits, DHS management noted that there have been no changes to the payment methodology for the Homeless Assistance, Mental Health, Intellectual Disabilities, and Child Welfare components of SSBG. These programs provide subrecipients with advances to comply with Commonwealth law and also to ensure that adequate funds are available to provide services to participants on a timely basis. DHS officials believe that their in-house payment review procedures for the SSBG program are as efficient as administratively feasible and that controls exist in each of the program areas. Without on-site program monitoring visits by funding agency officials, we consider DHS’s limited in-house reviews of subrecipient status reports or other documents to be insufficient to detect potential subrecipient noncompliance, including excess cash violations. DHS does not adjust payments to the subrecipients based on in-house reviews. Effect: Since DHS does not adequately perform during-the-award monitoring of subrecipients, including the monitoring of subrecipient cash on hand, subrecipients may not be complying with applicable grant requirements and federal regulations, including cash management standards. Recommendation: DHS should perform risk based during-the-award monitoring procedures for all SSBG subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations. As recommended in previous Single Audits and supported by the United States Department of Health and Human Services, DHS should either consider changing their current subrecipient payment procedures from advancement basis to reimbursement basis or establish procedures to adequately monitor subrecipient cash on hand to ensure it is limited to immediate needs, but no longer than one month. The implementation and strengthening of these controls should provide DHS with reasonable assurance as to compliance with cash management requirements at the subrecipient level. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.
Office of the Budget – Office of Comptroller Operations Finding 2025 – 012: ALN 15.252 – Abandoned Mine Land Reclamation (AMLR) ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families ALN 93.667 – Social Services Block Grant ALN 97.036 – Disaster Grants – Public Assistance (Presidentially Declared Disasters) (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s FFATA Reporting Process Federal Grant Number(s) and Year(s): S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2026), S22AF00017 (1/01/2022 – 12/31/2026), S23AF00002 (11/01/2022 – 10/31/2027), S23AF00022 (10/01/2022 – 9/30/2026), S23AF00028 (11/01/2022 – 10/31/2026), S24AF00026 (11/01/2023 – 10/31/2028) 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PASTPH (1/01/2022 – 9/30/2025), 2301PAOACM (10/01/2022 – 9/30/2025), 2301PAOAHD (10/01/2022 – 9/30/2025), 2301PAOASS (10/01/2022 – 9/30/2025), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2501PAOASS (10/01/2024 – 9/30/2026), 2501PAOACM (10/01/2024 – 9/30/2026), 2501PAOAHD (10/01/2024 – 9/30/2026), 2501PAOANS (10/01/2024 – 9/30/2026) 2501PATANF (10/01/2024 – 9/30/2025), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021) 2501PASOSR (10/01/2024 – 9/30/2026), 2401PASOSR (10/01/2023 – 9/30/2025) 4408DRPAP00000001 (11/27/2018 – 10/31/2026), 4506DRPAP00000001 (1/20/2020 – 12/30/2025), 4618DRPAP00000001 (8/31/2021 – 9/30/2026), 4815DRPAP00000001 (9/11/2024 – 9/11/2028) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Reporting – Federal Funding Accountability and Transparency Act Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the federal government’s FFATA reporting system. The federal government reporting system was replaced during the audit period. The FFATA Subaward Reporting System (FSRS) was replaced with the System for Award Management (SAM.gov) on March 8, 2025. Necessary FFATA reporting details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth’s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month, Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month’s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (BAFM), is responsible for overseeing FFATA reporting, including reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into the FFATA reporting system to meet reporting requirements. Due to complications with the upgrade to SAM.gov, the Commonwealth was unable to upload the data to the system from March 8 until October 1 when they were able to start filing catch-up submissions. As a result, the Commonwealth was unable to report subawards in compliance with the reporting requirement timeframe. Finding 2025 – 012: (continued) Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $258.9 million from five major programs disclosed that 37 transactions totaling $227.9 million, or 93 percent of transactions tested, were not reported or reported untimely to SAM.gov as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation (a) Reporting of first-tier subawards — (1) Applicability. Unless the recipient is exempt as provided in paragraph (d) of this award term, the recipient must report each subaward that equals or exceeds $30,000 in Federal funds for a subaward to an entity or Federal agency. The recipient must also report a subaward if a modification increases the Federal funding to an amount that equals or exceeds $30,000. All reported subawards should reflect the total amount of the subaward. (2) Reporting Requirements. (i) The recipient must report each subaward described in paragraph (a)(1) of this award term to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) at http://www.fsrs.gov. (ii) For subaward information, report no later than the end of the month following the month in which the subaward was issued. (For example, if the subaward was made on November 7, 2025, the subaward must be reported by no later than December 31, 2025). Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: As of March 8, 2025, the FSRS system was replaced with SAM.gov for reporting subaward data. BAFM indicated that with the transition to SAM.gov, the federal government encountered errors and complications that resulted in delay with reporting subaward data timely. As of February 2026, BAFM continues to refine the interface upload process and identify and file previously unfiled reports. Finding 2025 – 012: (continued) Effect: BAFM was unable to timely file subaward information in SAM.gov to satisfy FFATA Reporting requirements. Further, noncompliance with FFATA reporting requirements may recur in future periods if control deficiencies are not corrected to ensure completeness of the subaward information reported in SAM.gov. Recommendation: We recommend that BAFM continue to work with the federal government to ensure accurate reporting in SAM.gov. Also, BAFM should continue efforts to develop and implement procedures to ensure reporting in SAM.gov is accurate and complete in accordance with FFATA reporting requirements. Agency Response: BAFM agrees with this finding. Questioned Costs: None