U.S. DEPARTMENT OF AGRICULTURE Finding Number 2025-003 Assistance Listing Number and Title 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster Compliance Requirement Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Eligibility, and Reporting State Entity Florida Department of Agriculture and Consumer Services (FDACS) Federal Grant/Contract Number and Grant Year 245FL915N1099 2024, 245FL915N1199 2024, 245FL915L1603 2024, 255FL915N1099 2025, 255FL915N1199 2025, and 255FL915L1603 2005 Statistically Valid Sample N/A Finding Type Significant Deficiency Finding Certain security controls related to user authentication for the Florida Automated Nutrition System (FANS) need improvement to ensure the confidentiality, integrity, and availability of FANS data and related information technology (IT) resources. Criteria Security controls are intended to protect the confidentiality, integrity, and availability of data and related IT resources. Condition FDACS utilizes FANS to maintain a listing of all sponsor applications, claims, and other financial data to support the programs within the Child Nutrition Cluster. Our audit disclosed that certain security controls related to FANS user authentication need improvement. We are not disclosing the specific details of the issues in this report to avoid the possibility of compromising FANS data and related IT resources. However, we have notified appropriate FDACS management of the specific issues. Cause We are not disclosing the specific details of the issues in this report to avoid the possibility of compromising FANS data and related IT resources. Effect Appropriate FANS user authentication controls are necessary to decrease the risk that unauthorized individuals may gain access to the system and compromise the confidentiality, integrity, and availability of FANS data and related IT resources. 
Recommendation We recommend that FDACS management improve certain security controls related to FANS user authentication to ensure the confidentiality, integrity, and availability of FANS data and related IT resources. State Entity Response FDACS acknowledges this finding. To address it, FDACS immediately implemented a temporary solution. On or about September 8, 2025, FDACS created a ticket to commence work on a permanent solution to address the audit finding. The solution deployed on March 18, 2026.
U.S. DEPARTMENT OF AGRICULTURE Finding Number 2025-004 Assistance Listing Number and Title 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster Compliance Requirement Reporting State Entity Florida Department of Agriculture and Consumer Services (FDACS) Federal Grant/Contract Number and Grant Year 245FL915N1099 2024, 255FL915N1099 2025, 245FL915L1603 2024, and 255FL915L1603 2025 Statistically Valid Sample No Finding Type Noncompliance and Significant Deficiency Finding The FDACS did not accurately report subaward information required by the Federal Funding Accountability and Transparency Act (FFATA) in the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) or in SAM.gov, as applicable. Criteria 2 CFR 170, Appendix A – Reporting Subawards and Executive Compensation – Unless otherwise exempt, the recipient must report each subaward that equals or exceeds $30,000 in Federal funds for a subaward to an entity or Federal agency. For subaward information, reporting must occur no later than the end of the month following the month in which the subaward was issued. Condition During the 2024-25 fiscal year, the FDACS expended approximately $1.73 billion in Child Nutrition Cluster funds, including approximately $1.59 billion for expenditures related to subawards. According to FDACS records, 545 subawards were reported in the FSRS or SAM.gov, as applicable, during the 2024-25 fiscal year. According to FDACS management, each month the FDACS created a report that included actual Child Nutrition Cluster funds paid to subrecipients during the month. Due to the nature of the Child Nutrition Cluster program, the amount of the subaward is not known at the time that the subaward agreement is obligated by the FDACS. To comply with FFATA reporting requirements, the FDACS updated subaward information monthly in the FSRS or SAM.gov with actual Child Nutrition Cluster expenditures for each subaward. 
Our inquiries of FDACS management and review of FDACS records disclosed that the FDACS process for reporting the subaward amount did not result in the accurate reporting of subawards in accordance with FFATA. Specifically, the FDACS reported the accumulated amount of the subaward each month, instead of amending the amount of the originally reported subaward, causing the amount reported to be overstated. For example, the FDACS made payments totaling approximately $85.1 million to one subrecipient during the period July 2024 through May 2025; however, the amounts reported as the subaward amount in SAM.gov for the subrecipient during that same period totaled approximately $572.9 million. Cause According to FDACS management, the FDACS reported subaward information in the FSRS using the methodology noted; however, they were unaware that it would cause duplicate reporting when transitioned to SAM.gov. Effect The FDACS did not accurately report required subaward information in accordance with FFATA, inhibiting accountability and transparency. Recommendation We recommend that FDACS management revise the process for reporting subaward amounts in SAM.gov to ensure that the subaward amount is accurately reported in accordance with FFATA. State Entity Response FDACS acknowledges this finding and has taken corrective action to address it and prevent future findings of this nature. During training on the new Federal Funding Accountability and Transparency Act (FFATA) reporting system, FDACS understood federal guidance to require the creation of a new report each month, consistent with the process used in the previous system. However, FDACS later discovered that the new system aggregates amounts cumulatively across reports. As a result, generating new reports each month inadvertently created the appearance of overstated expenditures. The correct procedure is to update the existing report rather than create a new one. 
This issue was identified and resolved within three months (three reporting periods). The correct procedure was implemented June 2025, and since its implementation, reporting has been accurate and compliant. FDACS will continue to follow the current procedure, which has proven effective and ensures the integrity of its reporting. The updated FFATA Reporting SOP has been provided as part of FDACS's corrective action plan.
U.S. DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT Finding Number 2025-005 Assistance Listing Number and Title 14.228 – Community Development Block Grants/State’s Program and Non-Entitlement Grants in Hawaii (CDBG) (Includes COVID-19 Awards) Compliance Requirement Reporting State Entity Florida Department of Commerce (FCOM) Federal Grant/Contract Number and Grant Year B-22-DC-12-0001 2022, B-20-DC-12-0001 2020, and B-20-DW-12-0001 2020 Statistically Valid Sample No Finding Type Noncompliance and Significant Deficiency Prior Year Finding Report No. 2025-162, Finding No. 2024-006 Finding FCOM did not always timely report subaward information required by the Federal Funding Accountability and Transparency Act (FFATA) in the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) or in SAM.gov, as applicable. Criteria 2 CFR 170, Appendix A – Reporting Subawards and Executive Compensation – Unless otherwise exempt, the recipient must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency. In addition, the recipient must report the information about each obligating action, including the subaward obligation/action date. For subaward information, reporting must occur no later than the end of the month following the month in which the obligation was made. Condition During the 2024-25 fiscal year, FCOM issued 40 subawards and made 11 subaward amendments totaling approximately $29.1 million in CDBG funds that were required to be reported in the FSRS or SAM.gov, as applicable. Our review of FCOM records for 6 selected subawards and 4 selected subaward amendments found that, for 2 subawards and 3 subaward amendments, FCOM did not timely report the subaward information in the FSRS or SAM.gov, as applicable. 
Specifically, while the subaward information was required to be reported no later than the end of the month following the month in which the obligation was made, the subawards and subaward amendments were reported 28 to 223 days (an average of 133 days) late. Cause According to FCOM management, subaward information was not timely reported due to FCOM reconciliation measures taken to address unreported items noted in the prior audit and due to complications associated with the FSRS retirement and conversion to SAM.gov in March 2025. Effect FCOM did not timely report required CDBG subaward information in accordance with FFATA, inhibiting accountability and transparency. Recommendation We recommend that FCOM management enhance reporting controls to ensure that all applicable CDBG subaward information is timely reported in accordance with FFATA. State Entity Response Effective July 1, 2025, FCOM implemented new processes and procedures to enhance FFATA reporting controls and ensure the accuracy and timeliness of the subaward data reported in SAM.gov.
U.S. DEPARTMENT OF LABOR Finding Number 2025-007 Assistance Listing Number and Title 17.225 – Unemployment Insurance (UI) (Includes COVID-19 Awards) Compliance Requirement Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Eligibility, Reporting, and Special Tests and Provisions – UI Benefit Payments, UI Program Integrity – Overpayments, and UI Reemployment Programs: Worker Profiling and Reemployment Services (WPRS) and Reemployment Services and Eligibility Assessments (RESEA) State Entity Florida Department of Commerce (FCOM) Federal Grant/Contract Number and Grant Year Various Statistically Valid Sample N/A Finding Type Significant Deficiency Prior Year Finding Report No. 2025-162, Finding No. 2024-009 Finding In our information technology (IT) operational audit report No. 2021-169, dated March 2021, we noted in Finding 6 that processing defects related to claimant benefit payments, claimant overpayments, and employer charges still exist in RECONNECT. As of June 2025, FCOM had not corrected the identified deficiencies. Criteria Automated application controls promote the consistent treatment of data and help to ensure that data processing consistently adheres to management’s intention and requirements. Information systems process groups of identical transactions similarly; therefore, any inaccuracies arising from erroneous computer programming or design will occur consistently in similar transactions. Condition FCOM processes all UI benefit payment transactions through RECONNECT, a Web-based claims management system that allows UI claimants to apply for weekly UI benefits, monitor their accounts, and communicate with FCOM staff. RECONNECT also allows employers and third parties to manage UI claims and appeals, update and monitor UI accounts, and communicate with FCOM staff. RECONNECT is designed to be used by FCOM staff to evaluate claims information, authorize and process payments, adjudicate issues, and maintain claimant and employer data. 
To evaluate the adequacy of RECONNECT application processing controls in preventing overpayments and erroneous charges, as part of our IT operational audit, we conducted inquiries of FCOM management and staff and examined FCOM records. Our examination of FCOM defect tickets found that FCOM opened a high priority defect ticket for a defect detected on March 13, 2015, related to the creation of an uncollectable claimant overpayment. This defect erroneously increases the claimant’s available balance by the amount of the overpayment, permitting the claimant to collect the amount of the overpayment twice. While the defect ticket has been intermittently worked on since March 2015, and the severity level was changed to severe in February 2018, the last action taken was in April 2019, and the defect ticket remained open (in process) as of January 2021. Additionally, we noted other defect tickets for erroneous employer charges caused by claimant overpayments that were created in 2018 and remained unresolved as of January 2021. Although we inquired, FCOM management was unable to provide records demonstrating the monetary impact of the overpayment defect and the related employer charge errors. According to FCOM management, as of June 2025, the deficiencies were not corrected. Consequently, the uncorrected deficiencies remained a significant deficiency for the 2024-25 fiscal year. Cause According to FCOM management, FCOM was actively working on the defect and anticipated that the issue would be resolved by December 2025. Effect Effective system controls that promote the consistent and accurate processing of data would prevent inaccurate claimant benefit payments and erroneous employer charges that may affect the integrity of RECONNECT data. Recommendation We recommend that FCOM management correct the RECONNECT processing defects related to claimant benefit payments, claimant overpayments, and employer charges. 
State Entity Response FCOM submitted a Legislative Budget Request to obtain funding for resources to ensure system code changes are corrected; however, FCOM is continuing development of the functional design documentation. The anticipated completion date is June 30, 2027.
U.S. DEPARTMENT OF LABOR Finding Number 2025-008 Assistance Listing Number and Title 17.225 – Unemployment Insurance (UI) (Includes COVID-19 Awards) Compliance Requirement Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Eligibility, Reporting, and Special Tests and Provisions – UI Benefit Payments, UI Program Integrity – Overpayments, and UI Reemployment Programs: Worker Profiling and Reemployment Services (WPRS) and Reemployment Services and Eligibility Assessments (RESEA) State Entity Florida Department of Commerce (FCOM) Federal Grant/Contract Number and Grant Year Various Statistically Valid Sample N/A Finding Type Significant Deficiency Finding A periodic FCOM review of the appropriateness of RECONNECT user access privileges was incomplete and FCOM did not always ensure the timely deactivation of RECONNECT user access privileges. Criteria Florida Department of Management Services Rule 60GG-2.003(1), Florida Administrative Code – Agency information owners are to review access rights (privileges) periodically based on system categorization or assessed risk. Additionally, each agency shall ensure that access to information technology (IT) resources is limited to authorized users and ensure that IT access is removed when access to the IT resource is no longer required. Periodic reviews of access privileges help ensure that only authorized users have access and that the access privileges provided to each account remain appropriate. Condition FCOM processes all UI benefit payment transactions through RECONNECT, a Web-based claims management system that allows UI claimants to apply for weekly UI benefits, monitor their accounts, and communicate with FCOM staff. RECONNECT also allows employers and third parties to manage UI claims and appeals, update and monitor UI accounts, and communicate with FCOM staff. 
RECONNECT is designed to be used by FCOM staff to evaluate claims information, authorize and process payments, adjudicate issues, and maintain claimant and employer data. According to FCOM management, semiannual RECONNECT user access privilege reviews are to be conducted. To obtain an understanding of RECONNECT user access privilege review processes, we inquired of FCOM management and examined records related to the February 25, 2025, user access privilege review. For that review, FCOM management distributed to management of the RECONNECT user groups on February 26 and 27, 2025, user access lists that included 3,948 RECONNECT user accounts, with a response due by March 6, 2025. The user access review directions required management of the RECONNECT user groups to confirm whether the users’ access was still required. Our examination of the user access privilege review records found that, for 401 of the RECONNECT user accounts included on the access lists, management did not complete the review and, for 71 other RECONNECT user accounts, while management submitted responses, the responses did not indicate whether the users’ access was still required. Additionally, according to FCOM records, as of April 16, 2025, 710 FCOM employees had an active RECONNECT user account. Our comparison of the list of 710 active user accounts to employment records disclosed 5 instances where FCOM did not timely deactivate a user account upon employment separation. Specifically, the 5 employees’ user accounts were deactivated 2 to 159 days (an average of 60 days) after employment separation. In addition, our review of user access and employment records for 109 FCOM employee RECONNECT user accounts whose access privileges were deactivated during the period July 1, 2024, through April 16, 2025, found 36 instances where FCOM did not timely deactivate access privileges. 
Specifically, the access privileges were deactivated 2 to 631 days (an average of 85 days) after the users separated from FCOM employment. Cause According to FCOM management, the user access review was incomplete due to staffing shortages. In addition, the RECONNECT user access privileges were not timely deactivated because the employees’ supervisors did not promptly complete and submit a request for the users’ access to be deactivated. Effect Periodic reviews of the appropriateness of RECONNECT user access privileges and prompt deactivations of RECONNECT user access privileges upon an employee’s separation from FCOM employment would provide FCOM management assurance that user access privileges are authorized and remain appropriate and limit the potential for unauthorized disclosure, modification, or destruction of FCOM data and IT resources by former employees or others. Recommendation We recommend that FCOM management enhance controls to ensure that complete periodic reviews of the appropriateness of all RECONNECT user access privileges are performed and documented in FCOM records and RECONNECT user access privileges are deactivated immediately upon a user’s separation from FCOM employment. State Entity Response FCOM Internal Security Unit (ISU) will implement a tracking mechanism to manage accountability and improve account management timeliness. Improvements will include prompt communication with the respective program managers regarding any incidents not meeting defined expectations, and repeated offenses will lead to FCOM ISU replacing the Departmental Security officers (DSO) and Regional Security officers (RSO). FCOM ISU will lead random sample reviews of at least ten Reconnect users -- internal and external -- each month. Subsequently, FCOM will implement an automated process to review and validate all user access privileges monthly, document results, and take appropriate action to manage accurate access.
In the 2026 Legislative Session, FCOM submitted a Legislative Budget Request to obtain funding for resources to implement an Identity Access Management tool which would resolve this finding. The estimated cost is $990,550. The estimated resolution date is June 30, 2027, provided FCOM receives funding to resolve the issue.
U.S. DEPARTMENT OF LABOR Finding Number 2025-009 Assistance Listing Number and Title 17.225 – Unemployment Insurance (UI) (Includes COVID-19 Awards) Compliance Requirement Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Eligibility, Reporting, and Special Tests and Provisions – UI Benefit Payments, UI Program Integrity – Overpayments, and UI Reemployment Programs: Worker Profiling and Reemployment Services (WPRS) and Reemployment Services and Eligibility Assessments (RESEA) State Entity Florida Department of Commerce (FCOM) Federal Grant/Contract Number and Grant Year Various Statistically Valid Sample N/A Finding Type Significant Deficiency Prior Year Finding Report No. 2025-162, Finding No. 2024-011 Finding Certain security controls related to user authentication for RECONNECT need improvement to ensure the confidentiality, integrity, and availability of RECONNECT data and related information technology (IT) resources. Criteria Security controls are intended to protect the confidentiality, integrity, and availability of system data and related IT resources. Condition FCOM processes all UI benefit payment transactions through RECONNECT, a Web-based claims management system that allows UI claimants to apply for weekly UI benefits, monitor their accounts, and communicate with FCOM staff. RECONNECT also allows employers and third parties to manage UI claims and appeals, update and monitor UI accounts, and communicate with FCOM staff. RECONNECT is designed to be used by FCOM staff to evaluate claims information, authorize and process payments, adjudicate issues, and maintain claimant and employer data. Our audit disclosed that certain security controls related to RECONNECT user authentication need improvement. We are not disclosing the specific details of the issues in this report to avoid the possibility of compromising RECONNECT data and related IT resources. However, we have notified appropriate FCOM management of the specific issues.
Cause We are not disclosing the specific details of the issues in this report to avoid the possibility of compromising RECONNECT data and related IT resources. Effect Appropriate user authentication controls for RECONNECT are necessary to decrease the risk that unauthorized individuals may gain access to the system and compromise the confidentiality, integrity, and availability of RECONNECT data and related IT resources. Recommendation We recommend that FCOM management improve certain security controls related to RECONNECT user authentication to ensure the confidentiality, integrity, and availability of RECONNECT data and related IT resources. State Entity Response FCOM is working with the development team to remediate the listed security controls and will develop the necessary changes by June 30, 2026.
U.S. DEPARTMENT OF LABOR Finding Number 2025-010 Assistance Listing Number and Title 17.225 – Unemployment Insurance (UI) (Includes COVID-19 Awards) Compliance Requirement Special Tests and Provisions – UI Reemployment Programs: Worker Profiling and Reemployment Services (WPRS) and Reemployment Services and Eligibility Assessments (RESEA) State Entity Florida Department of Commerce (FCOM) Federal Grant/Contract Number and Grant Year Various Statistically Valid Sample No Finding Type Opinion Qualification and Material Weakness Questioned Costs – $4,344 Prior Year Finding Report No. 2025-162, Finding No. 2024-013 Finding FCOM records did not always evidence whether UI claimants complied with RESEA program participation requirements nor did FCOM ensure that all claimants who did not participate in required RESEA program activities were referred for adjudication. Criteria U.S. Department of Labor Employment and Training Administration – UI Program Letter No. 02-23 – RESEA staff must refer any failures to report or participate in any aspect of the RESEA program to the UI agency for adjudication under the applicable state law. Section 443.091(1)(b), Florida Statutes, Benefit eligibility conditions – An unemployed individual is eligible to receive UI benefits for any week only if FCOM finds that the individual completed FCOM’s online work registration and reported to the one-stop career center as directed by the local workforce development board for reemployment services. Florida Elements of an UI RESEA Grant State Plan – Each state must provide assurance that, and description of how, the planned RESEA program will strengthen program integrity and reduce improper payments of unemployment compensation by states through the detection and prevention of such payments to individuals who are not eligible for such compensation. 
To accomplish this purpose, FCOM staff are required to timely initiate the fact-finding process to determine why the claimant did not attend the appointment. Condition FCOM contracts with Local Workforce Development Boards (LWDBs) to provide RESEA program services to UI claimants. Once a claimant is approved for UI benefits, the claimant is profiled to determine whether the claimant is likely to exhaust regular UI benefits and need reemployment services. If the claimant is identified to participate in the RESEA program, the claimant is notified that they have been selected and that participation is mandatory. FCOM and the LWDBs use the Employ Florida system to record information regarding the claimant’s participation in the RESEA program. Claimants and FCOM staff use RECONNECT as the UI claims management system. If a claimant does not participate in the RESEA program as required, LWDB staff are to record the non-attendance in the Employ Florida system, the information is to be shared with FCOM via the RECONNECT data exchange, and the claimant is to be referred to FCOM for adjudication. According to FCOM records, during the 2024-25 fiscal year, 31,486 claimants were scheduled to receive RESEA program services. Our examination of FCOM records for 60 selected claimants disclosed that RECONNECT did not evidence whether 32 claimants participated in the required RESEA program activities. Further, the cases for 9 of 27 applicable claimants who had not participated in required RESEA program activities had not been referred for adjudication because RECONNECT did not indicate that the claimants had not participated. For 6 of the 9 claimant cases, FCOM paid UI benefits totaling $4,344 after the claimants missed appointments. Cause According to FCOM management, the claimants’ participation in the RESEA program was not recorded in RECONNECT and the claimants’ cases were not referred for adjudication due to data exchange issues between the Employ Florida system and RECONNECT. 
Effect Absent accurate records in RECONNECT regarding a claimant’s participation in the RESEA program and adjudication of claimant cases after notification of nonparticipation in the RESEA program, FCOM cannot demonstrate that only eligible claimants receive UI benefits. Recommendation We recommend that FCOM resolve the data exchange issues between the Employ Florida system and RECONNECT to ensure that RESEA program participation is accurately documented in RECONNECT and that RESEA program participation issues are timely communicated and referred for adjudication to determine if UI benefits should continue. State Entity Response FCOM worked with its Employ Florida vendor and deployed a fix for the connectivity issue between Reconnect and Employ Florida in January 2025. A follow up meeting in April of 2025 where the issue was discussed did not reveal that the issue persisted. In February 2026, the Auditor General notified FCOM that the fiscal year 2024/2025 audit revealed that the connectivity issue raised previously may still persist. FCOM is currently conducting an evaluation of the Auditor General’s sample and its larger datasets to isolate the variables causing these inconsistencies to determine if the issue has been resolved or if there is potentially a new connectivity issue to be resolved. The updated resolution will be completed by December 31, 2026.
U.S. DEPARTMENT OF LABOR Finding Number 2025-011 Assistance Listing Number and Title 17.225 – Unemployment Insurance (UI) (Includes COVID-19 Awards) Compliance Requirement Special Tests and Provisions – UI Reemployment Programs: Worker Profiling and Reemployment Services (WPRS) and Reemployment Services and Eligibility Assessments (RESEA) State Entity Florida Department of Commerce (FCOM) Federal Grant/Contract Number and Grant Year Various Statistically Valid Sample N/A Finding Type Significant Deficiency Finding A periodic FCOM review of the appropriateness of Employ Florida (EF) system user access privileges was not timely in all respects or complete, and FCOM did not always ensure the timely deactivation of EF user access privileges. Criteria Florida Department of Management Services Rule 60GG-2.003(1), Florida Administrative Code – Agency information owners are to review access rights (privileges) periodically based on system categorization or assessed risk. Additionally, each agency shall ensure that access to information technology (IT) resources is limited to authorized users and ensure that IT access is removed when access to the IT resource is no longer required. Periodic reviews of access privileges help ensure that only authorized users have access and that the access privileges provided to each account remain appropriate. Condition FCOM uses the EF system for case management and for the referral of UI claimants to local workforce boards for reemployment assistance services. According to FCOM management, semiannual EF system user access reviews are to be conducted. To obtain an understanding of EF system user access privilege review processes, we inquired of FCOM management and examined records related to the user access privilege review initiated on February 24, 2025.
For that review, FCOM management distributed to management of the EF system user groups on February 24, March 3, and March 4, 2025, user access lists that included 2,158 EF system user accounts, with a response due by February 28 or March 7, 2025. The user access review directions required management of the EF system user groups to confirm whether the users’ access was still required. Our examination of the user access privilege review records found that, for 309 of the EF system user accounts included on the access lists, FCOM management did not complete the review until September 2025, subsequent to our audit inquiry. We also noted that FCOM management did not complete the review of 60 EF system user accounts associated with one EF user group. Additionally, according to FCOM records, as of June 10, 2025, 97 FCOM employees had an active EF system user account. Our comparison of the list of 97 active user accounts to employment records disclosed 2 instances where FCOM did not timely deactivate the user account upon employment separation. Specifically, the 2 employees’ user accounts were deactivated 58 and 71 days after employment separation. Cause According to FCOM management, the user access review was not timely completed and was incomplete due to staffing shortages. In addition, the EF system user access privileges were not timely deactivated because the employees’ supervisors did not complete and submit a request for the access to be deactivated. Effect Periodic reviews of the appropriateness of EF system user access privileges and prompt deactivation of EF system user access privileges upon an employee’s separation from FCOM employment would provide FCOM management assurance that user access privileges are authorized and remain appropriate and limit the potential for unauthorized disclosure, modification, or destruction of FCOM data and IT resources by former employees or others.
Recommendation We recommend that FCOM management enhance controls to ensure that complete periodic reviews of the appropriateness of all EF system user access privileges are performed and documented in FCOM records and EF system user access privileges are deactivated immediately upon a user’s separation from FCOM employment. State Entity Response FCOM Internal Security Unit (ISU) will implement a tracking mechanism to manage accountability and improve account management timeliness. Improvements will include prompt communication with the respective program managers regarding any incidents not meeting defined expectations, and repeated offenses will lead to FCOM ISU replacing the Departmental Security officers (DSO) and Regional Security officers (RSO). FCOM ISU will lead random sample reviews of at least ten Reconnect users (internal and external) each month. Subsequently, FCOM will implement an automated process to review and validate all user access privileges monthly, document results, and take appropriate action to manage accurate access. FCOM submitted a Legislative Budget Request to obtain funding for resources to implement an Identity Access Management tool. The estimated cost is $990,550. The estimated resolution date is June 30, 2027, provided FCOM receives funding to resolve the issue.
U.S. DEPARTMENT OF LABOR Finding Number 2025-012 Assistance Listing Number and Title 17.225 – Unemployment Insurance (UI) (Includes COVID-19 Awards) Compliance Requirement Special Tests and Provisions – Employer Experience Rating and Match with Internal Revenue Service 940 Federal Unemployment Tax Act Tax Form State Entity Florida Department of Revenue (FDOR) Federal Grant/Contract Number and Grant Year Various Statistically Valid Sample N/A Finding Type Significant Deficiency Prior Year Finding Report No. 2025-162, Finding No. 2024-014 Finding Certain security controls related to user authentication for the System for Unified Taxation (SUNTAX) need improvement to ensure the confidentiality, integrity, and availability of SUNTAX data and related information technology (IT) resources. Criteria Security controls are intended to protect the confidentiality, integrity, and availability of system data and related IT resources. Condition The FDOR uses SUNTAX to register and monitor taxpayers, collect tax payments, and enforce State tax law. Additionally, SUNTAX is used as a case and tax refund management system that produces reports and distributes funds. Our audit disclosed that certain security controls related to SUNTAX user authentication need improvement. We are not disclosing the specific details of the issues in this report to avoid the possibility of compromising SUNTAX data and related IT resources. However, we have notified appropriate FDOR management of the specific issues. Cause We are not disclosing the specific details of the issues in this report to avoid the possibility of compromising SUNTAX data and related IT resources. Effect Appropriate user authentication controls for SUNTAX are necessary to decrease the risk that unauthorized individuals may gain access to the system and compromise the confidentiality, integrity, and availability of SUNTAX data and related IT resources. 
Recommendation We recommend that FDOR management improve certain security controls related to SUNTAX user authentication to ensure the confidentiality, integrity, and availability of SUNTAX data and related IT resources. State Entity Response We concur with this recommendation. Security controls will be implemented at the Department’s secure remote access gateway by June 30, 2027 and at the application/system level by December 31, 2028 for all users and essential IT workers as defined by 60GG-2, F.A.C.
U.S. DEPARTMENT OF LABOR Finding Number 2025-013 Assistance Listing Number and Title 17.258, 17.259, 17.278 – Workforce Innovation and Opportunity Act (WIOA) Cluster Compliance Requirement Reporting State Entity Florida Department of Commerce (FCOM) Federal Grant/Contract Number and Grant Year 24A55AY000073 2024, 24A55AT000058 2024, 24A55AW000057 2024, 23A55AW000012 2023, 23A55AT000009 2023, 23A55AY000003 2023, AA385232255A12 2022, AA363132155A12 2021 Statistically Valid Sample No Finding Type Noncompliance and Significant Deficiency Prior Year Finding Report No. 2025-162, Finding No. 2024-016 Finding FCOM did not always accurately or timely report subaward information required by the Federal Funding Accountability and Transparency Act (FFATA) in the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Criteria 2 CFR 170, Appendix A – Reporting Subawards and Executive Compensation – Unless otherwise exempt, the recipient must report each subaward that equals or exceeds $30,000 in Federal funds for a subaward to an entity or Federal agency. In addition, the recipient must report the information about each obligating action, including the subaward obligation/action date. For subaward information, reporting must occur no later than the end of the month following the month in which the subaward was issued. Condition During the 2024-25 fiscal year, FCOM issued 252 subawards and made 40 subaward amendments totaling approximately $130.5 million in WIOA funds that were required to be reported in the FSRS. Our review of FCOM records for 53 selected subawards and 7 subaward amendments found that, for 51 subawards and 5 subaward amendments, FCOM reported the incorrect subaward obligation/action date and, for 27 subawards and 2 subaward amendments, FCOM did not timely report the subaward activity in the FSRS. 
Specifically, while the subaward information was required to be reported no later than the end of the month following the month in which the obligation was made, the subawards and subaward amendments were reported 11 to 205 days (an average of 92 days) late. Cause According to FCOM management, incorrect subaward obligation/action dates were reported due to employee error and subaward information was not timely reported due to FCOM reconciliation measures taken to address unreported items noted in the prior audit. Effect FCOM did not accurately or timely report required WIOA subaward information in accordance with FFATA, inhibiting accountability and transparency. Recommendation We recommend that FCOM management enhance reporting controls to ensure that all applicable WIOA subaward information is accurately and timely reported in accordance with FFATA. State Entity Response Effective July 1, 2025, FCOM implemented new processes and procedures to enhance FFATA reporting controls and ensure the accuracy and timeliness of the subaward data reported in the SAM.GOV.
U.S. DEPARTMENT OF LABOR Finding Number 2025-006 Assistance Listing Number and Title 17.207 and 17.801 – Employment Service Cluster Compliance Requirement Reporting State Entity Florida Department of Commerce (FCOM) Federal Grant/Contract Number and Grant Year 24A55WP000080 2024 and ES387242255A12 2022 Statistically Valid Sample No Finding Type Noncompliance and Significant Deficiency Prior Year Finding Report No. 2025-162, Finding No. 2024-007 Finding FCOM did not always accurately or timely report subaward information required by the Federal Funding Accountability and Transparency Act (FFATA) in the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Criteria 2 CFR 170, Appendix A – Reporting Subawards and Executive Compensation – Unless otherwise exempt, the recipient must report each subaward that equals or exceeds $30,000 in Federal funds for a subaward to an entity or Federal agency. In addition, the recipient must report the information about each obligating action, including the subaward obligation/action date. For subaward information, reporting must occur no later than the end of the month following the month in which the subaward was issued. Condition During the 2024-25 fiscal year, FCOM issued 79 subawards and made 24 subaward amendments totaling approximately $23.4 million in Employment Services Cluster funds that were required to be reported in the FSRS or SAM.gov, as applicable. Our review of FCOM records for 11 selected subawards found that, for 9 subawards, FCOM reported the incorrect subaward obligation/action date and did not timely report the subawards in the FSRS. Specifically, while the subawards were required to be reported in the FSRS by September 30, 2024, the subawards were not reported until December 4, 2024, 65 days late. 
Cause According to FCOM management, incorrect subaward obligation/action dates were reported due to employee error and the subawards were not timely reported due to FCOM reconciliation measures taken to address unreported items noted in the prior audit. Effect FCOM did not accurately or timely report required Employment Services Cluster subaward information in accordance with FFATA, inhibiting accountability and transparency. Recommendation We recommend that FCOM management enhance reporting controls to ensure that all applicable Employment Services Cluster subaward information is accurately and timely reported in accordance with FFATA. State Entity Response Effective July 1, 2025, FCOM implemented new processes and procedures to enhance FFATA reporting controls and ensure the accuracy and timeliness of the subaward data reported in the SAM.GOV.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-014 Assistance Listing Number and Title 93.069 – Public Health Emergency Preparedness Program (PHEP) Compliance Requirement Period of Performance State Entity Florida Department of Health (FDOH) Federal Grant/Contract Number and Grant Year NU90TU000041 2025 Statistically Valid Sample No Finding Type Noncompliance and Significant Deficiency Questioned Costs – $5,306.46 Finding FDOH expenditures charged to the PHEP program were not always incurred during the authorized period of performance. Criteria 45 CFR 75.309(a) – Period of performance and availability of funds – A non-Federal entity may charge to the Federal award only allowable costs incurred during the period of performance. Condition During the 2024-25 fiscal year, the FDOH expended approximately $30.4 million in Federal funds for the PHEP program. Our analysis and examination of records related to 40 selected PHEP program expenditures paid by the FDOH during the 2024-25 fiscal year disclosed 14 expenditures totaling $5,306.46 that were incurred before the authorized period of performance. Cause According to FDOH management, some payments were automatically charged to the Federal award in error and employee errors during the payment authorization and approval process also contributed to the incorrect Federal award being charged. Effect Expenditures charged to a Federal award that were not incurred during the authorized period of performance could be subject to disallowance by the Federal grantor agency. Recommendation We recommend that the FDOH enhance payment authorization and approval process controls to ensure that costs are attributable to the authorized period of performance and are charged to the correct Federal award. State Entity Response Expenditures reviewed were for services or travel that occurred in June at the end of the grant budget period/state fiscal year but were paid by the FDOH in July. 
During this time new Other Cost Accumulators (OCA) are created to match the new budget period/state fiscal year. Of the 16 expenditures provided to the PHEP for review, 11 were for purchasing card (Pcard) charges for travel that occurred at the end of June but cleared in July. Previous year’s codes are not available when clearing Pcard charges from a previous fiscal year. The remaining expenditures were for payments that were re-distributed by finance and accounting and could not be charged to current fiscal year OCAs once the new fiscal year began. Language has been added to the PHEP’s checkbook review process to specifically identify expenses that occur at the end of a budget period/fiscal year but are cleared or paid at the beginning of the next fiscal year. A correction will be submitted to move those expenses to the previous fiscal year as appropriate.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-015 Assistance Listing Number and Title 93.069 – Public Health Emergency Preparedness Program (PHEP) Compliance Requirement Reporting State Entity Florida Department of Health (FDOH) Federal Grant/Contract Number and Grant Year NU90TP922058 2024 Statistically Valid Sample N/A Finding Type Noncompliance and Significant Deficiency Finding The FDOH did not ensure that the Federal Financial Report (FFR) was timely submitted to the Centers for Disease Control and Prevention (CDC). Criteria 45 CFR 75.341 – Financial reporting – Financial information must be collected with the frequency required by the terms and conditions of the Federal award. CDC – Notice of Award – Annual Federal Financial Report (FFR SF-425) – A completed FFR SF-425 covering the original final budget period of July 1, 2023, to June 30, 2024, must be submitted to the CDC by September 30, 2024. Condition During the 2024-25 fiscal year, the FDOH expended approximately $30.4 million in Federal funds for the PHEP program. Our inquiries of FDOH management and review of the FFR disclosed that, although it was due September 30, 2024, the FDOH did not submit the FFR to the CDC until July 16, 2025, and subsequent to our audit request. Cause According to FDOH management, the oversight occurred during a period of internal transition, specifically due to changes in staff positions within the Grants Management Unit. During this time, responsibilities were reassigned, which inadvertently led to a lapse in the reporting schedule. Effect Absent timely financial reporting, the FDOH cannot demonstrate to the CDC that grant award funds were expended in accordance with Federal laws and the terms and conditions of grant awards. Recommendation We recommend that the FDOH enhance controls to ensure that required FFRs are timely prepared and submitted to the CDC. 
State Entity Response To prevent future late submissions, FDOH will strengthen communication on grant closeout timelines, implement a formal tracking tool for FFR deadlines, cross train staff, establish written procedures, and increase management oversight through routine compliance reviews.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-016 Assistance Listing Number and Title 93.268 – Immunization Cooperative Agreements (Includes COVID-19 Awards) Compliance Requirement Period of Performance State Entity Florida Department of Health (FDOH) Federal Grant/Contract Number and Grant Year NH23IP922607 2025 Statistically Valid Sample No Finding Type Noncompliance and Significant Deficiency Questioned Costs – $5,159.84 Finding FDOH expenditures charged to the Immunization Cooperative Agreements program were not always incurred during the authorized period of performance. Criteria 45 CFR 75.309(a) – Period of performance and availability of funds – A non-Federal entity may charge to the Federal award only allowable costs incurred during the period of performance. Condition During the 2024-25 fiscal year, the FDOH expended approximately $363 million in Federal funds for the Immunization Cooperative Agreements program. Our analysis and examination of records related to 25 selected Immunization Cooperative Agreements program expenditures paid by the FDOH during the 2024-25 fiscal year disclosed 3 expenditures totaling $5,159.84 that were incurred after the authorized period of performance. Cause According to FDOH management, the payments were charged to the Federal award in error. Effect Expenditures charged to a Federal award that were not incurred during the authorized period of performance could be subject to disallowance by the Federal grantor agency. Recommendation We recommend that the FDOH enhance controls to ensure that costs are attributable to the authorized period of performance and are charged to the correct Federal award. State Entity Response Immunization Section staff will implement a second level review on all expenditures to ensure they occurred in the authorized period of performance and make corrections when errors are identified.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-017 Assistance Listing Number and Title 93.268 – Immunization Cooperative Agreements (Includes COVID-19 Awards) Compliance Requirement Special Tests and Provisions – Control, Accountability, and Safeguarding of Vaccine and Record of Immunization State Entity Florida Department of Health (FDOH) Federal Grant/Contract Number and Grant Year NH23IP922607 2025 Statistically Valid Sample No Finding Type Noncompliance and Significant Deficiency Finding The FDOH did not always conduct enrollment and compliance site visits for providers participating in the Immunization Cooperative Agreements Vaccine for Children (VFC) program. Criteria U.S. Department of Health and Human Services, Centers for Disease Control and Prevention (CDC), Vaccines for Children (VFC) Program Operations Guide – Awardees must use the CDC Provider Education, Assessment, and Reporting (PEAR) system to document provider enrollment information and to conduct and document provider enrollment and compliance site visits. An enrollment site visit must be completed before a provider location can receive VFC program vaccines. In addition, every VFC program provider location must have a compliance site visit covering areas of provider details, eligibility, documentation, storage and handling (per unit and sitewide), and inventory management every 24 months. Condition During the 2024-25 fiscal year, the FDOH completed compliance site visits for 1,092 VFC program providers. As part of our audit, we analyzed FDOH records for VFC program providers who received VFC program vaccines during the 2024-25 fiscal year and found that the FDOH did not timely conduct compliance site visits for 28 VFC program providers. Specifically:
• For 16 VFC program providers, the FDOH completed the compliance site visits 18 to 356 days (an average of 89 days) late.
• For 4 VFC program providers that unenrolled in the VFC program during the quarter ended June 30, 2025, the FDOH had not conducted compliance site visits, which were 96 to 261 days (an average of 149 days) overdue at the time of unenrollment.
• For 8 VFC program providers, according to FDOH records the providers were not enrolled in the PEAR system, although as of June 30, 2025, the providers had been receiving VFC program vaccines for approximately 1 to almost 9 years (an average of over 4 years). Consequently, no enrollment or compliance site visit had been conducted.
Cause According to FDOH management, delays in completing compliance site visits were due to scheduling challenges and employee oversights. In addition, the VFC program providers were not enrolled in the PEAR system due to employee oversights. Effect Absent the timely completion of enrollment and compliance site visits, the FDOH cannot ensure that proper control over and accountability for vaccines is maintained, vaccines are properly safeguarded, VFC program eligibility screening is conducted, or required information has been recorded for vaccine recipients. Recommendation We recommend that FDOH management ensure that enrollment site visits are conducted for all VFC program providers who receive VFC program vaccines and that compliance site visits are timely completed in accordance with VFC program requirements. State Entity Response Beginning in the 2025-26 fiscal year, the Immunization Section implemented a policy requiring field staff to complete a compliance site visit to all providers in their assigned areas at least annually, rather than the two-year requirement established by the CDC VFC. Spreadsheets were created to track assigned sites and due dates. Completion of compliance visits has also been added to field staff performance standards. The new policy also updated the process for conducting and documenting Orientation Site Visits (OSR). 
The program requires staff to conduct OSRs in person. Documentation is uploaded in CDC’s PEAR system, and back-up documentation is uploaded to a FDOH shared drive and reviewed by the field staff’s supervisor. The supervisor maintains a spreadsheet with information on site visits and OSRs and follows up with staff on any missing documentation.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-018 Assistance Listing Number and Title 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) (Includes COVID-19 Awards) Compliance Requirement Equipment and Real Property Management State Entity Florida Department of Health (FDOH) Federal Grant/Contract Number and Grant Year NU50CK000554 2021, 2022, 2023 and NU51CK000339 2024 Statistically Valid Sample No Finding Type Noncompliance and Significant Deficiency Finding The FDOH did not always include all ancillary charges, such as freight and packaging, as part of equipment acquisition costs recorded in FDOH property records. Criteria 45 CFR 75.320(b) – Equipment – A state must use, manage and dispose of equipment acquired under a Federal award in accordance with state laws and procedures. Florida Department of Financial Services Rule 69I-72.003(3)(l) – Recording of Property – Regardless of acquisition method, the cost or value of a property item shall include ancillary charges. Ancillary charges are costs that are directly attributable to placing the asset into its intended location and condition for use, such as freight and transportation charges, site preparation costs, and professional fees. Condition During the 2024-25 fiscal year, the FDOH expended approximately $3 million in ELC program funds to purchase equipment. Our examination of FDOH property records related to 95 selected equipment items, totaling $2,360,183, purchased during the 2024-25 fiscal year found that the recorded acquisition cost for 32 of the tested equipment items did not include ancillary charges totaling $70,996. Cause According to FDOH management, ancillary charges were omitted from the recorded acquisition amounts because the methodology used to record the ancillary charges did not associate the additional charges with the equipment purchases. 
Effect Absent accurate recording of equipment purchase costs in the property records, FDOH management cannot demonstrate that the property records are maintained in accordance with State law and procedures. Recommendation We recommend that FDOH management enhance procedures to ensure that equipment purchased with ELC program funds is recorded in the property records inclusive of all ancillary charges. State Entity Response For the property identified in the audit, we made the necessary adjustments in the Property Master file to include the ancillary charges and have implemented the following process for future property purchases:
• Implement procedures to review all ancillary charges associated with property items appearing in the Property Pending file.
• Where appropriate, and in accordance with Rule 69I-72.003, Florida Administrative Code, manually add these charges to the acquisition cost when entering the property into the Property Master file.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-019 Assistance Listing Number and Title 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) (Includes COVID-19 Awards) Compliance Requirement Period of Performance State Entity Florida Department of Health (FDOH) Federal Grant/Contract Number and Grant Year NU51CK000339 2024 Statistically Valid Sample No Finding Type Noncompliance and Significant Deficiency Questioned Costs – $9,076 Finding FDOH expenditures charged to the ELC program were not always incurred during the authorized period of performance. Criteria 45 CFR 75.309(a) – Period of performance and availability of funds – A non-Federal entity may charge to the Federal award only allowable costs incurred during the period of performance. Condition During the 2024-25 fiscal year, the FDOH expended approximately $44.6 million in Federal funds for the ELC program. Our analysis and examination of records related to 20 selected ELC program expenditures paid by the FDOH during the 2024-25 fiscal year disclosed 2 expenditures totaling $9,076 that were incurred before the authorized period of performance. Cause According to FDOH management, the payments were charged to the Federal award in error. Effect Expenditures charged to a Federal award that were not incurred during the authorized period of performance could be subject to disallowance by the Federal grantor agency. Recommendation We recommend that the FDOH enhance controls to ensure that costs are attributable to the authorized period of performance and are charged to the correct Federal award. State Entity Response Bureau of Epidemiology staff will implement a second level review on all expenditures to ensure they occurred in the authorized period of performance and make corrections when errors are identified.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-020 Assistance Listing Number and Title 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) (Includes COVID-19 Awards) Compliance Requirement Reporting State Entity Florida Department of Health (FDOH) Federal Grant/Contract Number and Grant Year 6NU50CK000554 2023 Statistically Valid Sample No Finding Type Noncompliance and Significant Deficiency Prior Year Finding Report No. 2025-162, Finding No. 2024-027 Finding The FDOH did not accurately report certain COVID accounts data in a quarterly financial report to the Centers for Disease Control and Prevention (CDC). Criteria 45 CFR 75.341 – Financial reporting – The Federal awarding agency must collect financial information with the frequency required by the terms and conditions of the Federal award. CDC – Notice of Award – Financial Reporting Requirement – Quarterly financial reporting of Core and COVID accounts is due no later than the 20th of the month following the end of the quarter. Condition As part of our audit, we reviewed FDOH financial reports for the Core and COVID accounts for the quarters November 2024 through January 2025 and February 2025 through April 2025. Our review of the COVID accounts report for the February 2025 through April 2025 quarter found that the FDOH did not accurately report certain amounts. Specifically:
• The FDOH reported expending $2,519,165.67 in Contractual expenditures, while actual expenditures totaled $2,598,716.85 (an understatement of $79,551.18).
• The FDOH reported expending $193,842.25 in Other expenditures, while actual expenditures totaled $25,092.25 (an overstatement of $168,750).
Cause According to FDOH management, the incorrectly reported amounts were due to employee error. Effect The quarterly financial report for the COVID accounts submitted by the FDOH to the CDC included incorrect data. 
Recommendation We recommend that FDOH management enhance controls to ensure that quarterly financial reports submitted to the CDC include accurate data. State Entity Response Bureau of Epidemiology budget staff worked with the Department’s Office of Budget & Revenue Management (OBRM) to enhance controls to ensure compliance. Moving forward, staff will ensure the following:
• Prior to sending the financial reports for approval if any adjustments are needed, send email of the correction (TR58/TR51) for OBRM to record on their reconciliation report.
• Any notes that are made in the Cooperative Agreement Management Platform that are not seen on the financial reports extracted for approval will need to be also noted on the financial reports next to the appropriate project.
• Send the financial reports with our recommendations to receive approval from OBRM.
• The authorized official in OBRM will then sign off next to the amounts to show that there was an agreement of numbers.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-026 Assistance Listing Number and Title 93.558 – Temporary Assistance for Needy Families (TANF) Compliance Requirement Subrecipient Monitoring State Entity Florida Department of Children and Families Federal Grant/Contract Number and Grant Year 2301FLTANF 2023, 2401FLTANF 2024, and 2501FLTANF 2025 Statistically Valid Sample N/A Finding Type Opinion Qualification and Material Weakness Finding The FDCF did not evaluate each subrecipient’s risk of noncompliance to determine the appropriate monitoring nor conduct any subrecipient monitoring. Criteria 45 CFR 75.352(b) and (d) – Requirements for pass-through entities – All pass-through entities must evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. The pass-through entity must also monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Section 402.7305(4)(a), Florida Statutes – The FDCF shall establish a contract monitoring process that includes performing a risk assessment at the start of each fiscal year and preparing an annual contract monitoring schedule that considers the level of risk assigned. FDCF Policies and Procedures of Financial Monitoring (CF Operating Procedure No. 55-1) – The risk assessment factors will be evaluated annually and, based on its risk assessment score, each contract will be assigned a relative rating of high, medium, or low that is used to schedule the annual on-site financial monitoring of subrecipients (lead agencies). 
Condition The FDCF contracts with lead agencies to provide child welfare services, including case management for children in out-of-home care, in-home removal prevention services, and foster care maintenance payments, with managing entities to coordinate behavioral health services, and other subrecipients for services such as domestic violence and homeless prevention and services to improve childhood outcomes and increase family self-sufficiency. During the 2024-25 fiscal year, the FDCF expended approximately $378.8 million in TANF funds. According to FDCF records, approximately $144.8 million was related to 92 subawards, of which approximately $126.6 million was related to 25 lead agency or managing entity subawards. According to FDCF management, separate FDCF departments were responsible for financial and programmatic monitoring of the lead agencies and managing entities and for monitoring of other subrecipients. Financial monitoring was to consist of desk reviews and on-site activities and include an evaluation of whether the lead agency’s and managing entity’s use of funds was for authorized purposes and complied with Federal and State laws and rules and the terms and conditions of the subaward. Programmatic monitoring was to include monitoring of nonstandard subaward requirements. Our inquiries of FDCF management disclosed that the FDCF neither evaluated each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate programmatic monitoring to be conducted during the 2024-25 fiscal year nor conducted any programmatic monitoring during the year. In addition, although the FDCF completed a risk assessment that identified 6 lead agencies and 1 managing entity that required on-site financial monitoring during the 2024-25 fiscal year, the FDCF neither performed the on-site financial monitoring nor completed any financial monitoring during the year. 
Cause According to FDCF management, the FDCF is in the process of allocating staff resources to strengthen monitoring efforts to focus on programmatic oversight of subawards. FDCF management also indicated that neither onsite nor desk review financial monitoring activities were completed during the 2024-25 fiscal year because the FDCF was reassessing its financial monitoring processes. Effect Absent an evaluation of each subrecipient’s risk of noncompliance with subaward programmatic requirements and monitoring of all subrecipients for compliance with programmatic and financial requirements, based on the results of comprehensive risk assessments, the FDCF is not adequately minimizing the risk of program fraud, waste, and abuse and cannot ensure that subawards, particularly to high-risk subrecipients, are used for authorized purposes in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Recommendation We recommend that the FDCF conduct required financial and programmatic monitoring. Such monitoring should be performed based on a comprehensive risk assessment of each subrecipient’s risk of noncompliance with subaward programmatic and financial requirements. State Entity Response The Florida Department of Children and Families (DCF) acknowledges the finding regarding subrecipient risk assessment and monitoring requirements. DCF recognizes the requirements set forth in 45 CFR 75.352(b) and (d) and section 402.7305(4), Florida Statutes, which require pass-through entities to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward, and to conduct monitoring activities commensurate with the assessed level of risk. DCF has developed a standardized assessment tool to determine the risk level for each subrecipient. 
Risk assessments and monitoring activities have begun, and DCF will complete a comprehensive risk assessment of all active contracts using this tool. Based on the results, DCF will develop a risk-based schedule for contract monitoring site visits. DCF continues to evaluate its monitoring processes and allocate resources to strengthen oversight of subawards. The Department conducts oversight activities across multiple offices, including financial and programmatic monitoring, contract manager oversight, and administrative compliance reviews, to support accountability and compliance. There are ongoing efforts focused on evaluating approaches to implement documented risk assessments and monitoring activities that incorporate administrative, fiscal, and programmatic considerations, as applicable, and support the development of risk-informed monitoring schedules and improved documentation of oversight activities. Specifically, the Department will conduct administrative, fiscal, and programmatic monitoring using appropriate monitoring tools. The Department will develop a monitoring schedule for each Managing Entity, with monitoring informed by a comprehensive risk assessment that examines the risk of noncompliance with subaward programmatic and fiscal requirements. Additionally, DCF is developing a broader monitoring roadmap to assess existing monitoring practices across programs and identify opportunities to enhance consistency, coordination, and documentation of monitoring activities aligned with federal requirements.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-027 Assistance Listing Number and Title 93.558 – Temporary Assistance for Needy Families (TANF) Compliance Requirement Special Tests and Provisions – Income Eligibility and Verification System State Entity Florida Department of Children and Families (FDCF) Federal Grant/Contract Number and Grant Year 2401FLTANF 2024 and 2501FLTANF 2025 Statistically Valid Sample N/A Finding Type Opinion Qualification and Material Weakness Prior Year Finding Report No. 2025-162, Finding No. 2024-032 Finding The FDCF did not always timely review and process Income Eligibility and Verification (IEVS) data exchange responses. Criteria 42 USC 1320b-7 – Income and eligibility verification system – A State must have in effect an income and eligibility verification system. 45 CFR 205.55 – Requirements for requesting and furnishing eligibility and income information. 45 CFR 205.56 – Requirements governing the use of income and eligibility information. FDCF Program Policy Manual Section 3020.0100 – Data Exchange and Section 3020.0102 – Processing Time Standards – FDCF staff are to dispose of data exchange responses considered verified upon receipt within 10 calendar days and all other data exchange responses within 45 calendar days. Condition During the 2024-25 fiscal year, the FDCF made TANF cash benefit payments totaling approximately $80.8 million. Federal regulations require the FDCF to verify certain eligibility information through electronic data exchanges with other State and Federal agencies. Eligibility information is maintained in the Florida Online Recipient Integrated Data Access (FLORIDA) system. As part of the IEVS data exchange process, the FLORIDA system compares the data exchange response to eligibility information in the FLORIDA system; however, resolving data exchange responses requires employee action. 
As part of our audit, we obtained the IEVS Data Exchange Report for the 2024-25 fiscal year to determine whether data exchange responses were timely reviewed and processed by the FDCF. Our evaluation of the IEVS Data Exchange Report found that, of the 18,715 data exchange responses received during the 2024-25 fiscal year, 8,819 data exchange responses were not timely reviewed and processed. Specifically, 5,924 responses that were considered verified upon receipt were reviewed and processed 1 to 353 days (an average of 49 days) late and 2,895 other data exchange responses were reviewed and processed 1 to 303 days (an average of 41 days) late. Cause According to FDCF management, IEVS data exchange responses were not timely reviewed and processed due to the FDCF’s prioritization of timely processing applications for government assistance programs. Effect Failure to timely review and process data exchange information may preclude the FDCF from promptly identifying changes in client eligibility status. Recommendation We recommend that the FDCF take action, including necessary control enhancements, to ensure that data exchange responses are reviewed and processed within established time frames. State Entity Response FDCF continues the phased approach of modernizing its eligibility (ACCESS) system. The modernization of the FLORIDA legacy eligibility system started development in State Fiscal Year 2025-2026 and includes the operational analysis of the state’s data exchange processes.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-028 Assistance Listing Number and Title 93.558 – Temporary Assistance for Needy Families (TANF) Compliance Requirement Special Tests and Provisions – Child Support Non-Cooperation State Entity Florida Department of Children and Families (FDCF) Federal Grant/Contract Number and Grant Year 2401FLTANF 2024 and 2501FLTANF 2025 Statistically Valid Sample No Finding Type Noncompliance and Significant Deficiency Questioned Costs – $95 Prior Year Finding Report No. 2025-162, Finding No. 2024-033 Finding FDCF records did not always evidence that Florida Department of Revenue (FDOR) Child Support Enforcement (CSE) sanction requests for uncooperative TANF recipients were reviewed, timely processed, or appropriately imposed. Criteria 42 USC 608(a)(2) – Reduction or elimination of assistance for noncooperation in establishing paternity or obtaining child support – If the agency responsible for administering the CSE program determines that an individual is not cooperating with the State in establishing paternity or in establishing, modifying, or enforcing a support order with respect to a child of the individual, then the State shall deduct an amount not less than 25 percent of the TANF assistance amount or deny the TANF assistance that would otherwise be provided to the family of the individual. 45 CFR 264.30 – What procedures exist to ensure cooperation with the child support enforcement requirements? – A State agency must refer all appropriate individuals in the family of a child, for whom paternity has not been established or for whom a child support order needs to be established, modified, or enforced, to the CSE agency. Referred individuals must cooperate in establishing paternity and in establishing, modifying, or enforcing a child support order. 
If the CSE agency determines that an individual is not cooperating, and the individual does not qualify for a good cause exception, the CSE agency must then take appropriate action by reducing or denying the family any assistance under the TANF program. Section 414.095(6), Florida Statutes, Child Support Enforcement – As a condition of eligibility for public assistance, the family must cooperate with the State agency responsible for administering the CSE program. Program Policy Manual Section 3020.0100 – Data Exchange and Section 3020.0102 – Processing Time Standards – As part of the application or review process, FDCF staff are to process sanction responses considered verified upon receipt within 10 calendar days. Condition The FDOR, as the State agency responsible for the CSE Program, must refer individuals who do not cooperate with the FDOR in establishing paternity or in establishing, modifying, or enforcing a support order to the FDCF as the State agency responsible for the TANF program. During the public assistance application process, FDCF personnel obtain absent parent information from the TANF recipient and inform the recipient of their responsibility to cooperate with the CSE program. The FDCF utilizes the Florida Online Recipient Integrated Data Access (FLORIDA) system to forward absent parent and other pertinent information to the FDOR CSE program for confirmation that the TANF recipient has complied with CSE program requirements. When the FDOR determines that a recipient has not cooperated with the CSE program, the FDOR initiates a request in the FLORIDA system notifying the FDCF to impose TANF sanctions against the recipient. During the 2024-25 fiscal year, the FDCF made TANF cash benefit payments totaling approximately $81 million and the FDOR referred 10,699 requests to the FDCF to impose sanctions for uncooperative TANF recipients. 
Our examination of FDOR sanction requests and FDCF records for 60 selected TANF program recipient cases disclosed that: • The FDCF did not timely impose a sanction request for 1 case, resulting in a $95 overpayment. • For 11 cases, the FDCF did not process the sanction requests within the established 10-day time frame. Specifically, the requests were processed 3 to 98 days late (an average of 35 days late). Cause FDCF management indicated that processing of CSE program sanction requests in the FLORIDA system requires employee action. Due to the FDCF’s prioritization of timely processing government assistance applications, actions were not timely performed for this process for the remaining cases. Effect Failure to timely review and process CSE program sanction requests may preclude the FDCF from promptly identifying changes in client eligibility status. Additionally, a TANF program recipient continued to receive TANF benefits although they were not eligible. Recommendation We recommend that the FDCF make efforts to ensure that CSE program sanction requests are timely reviewed and processed within established time frames, and TANF benefits are promptly discontinued, if necessary. State Entity Response FDCF will perform periodic monitoring and issue a policy refresher to ensure child support sanctions are timely reviewed and properly imposed.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-029 Assistance Listing Number and Title 93.558 – Temporary Assistance for Needy Families (TANF) Compliance Requirement Special Tests and Provisions – Child Support Non-Cooperation State Entity Florida Department of Revenue (FDOR) Federal Grant/Contract Number and Grant Year 2401FLTANF 2024 and 2501FLTANF 2025 Statistically Valid Sample N/A Finding Type Significant Deficiency Prior Year Finding Report No. 2025-162, Finding No. 2024-036 Finding Certain security controls related to user authentication for the Child Support Enforcement Automated Management System (CAMS) need improvement to ensure the confidentiality, integrity, and availability of CAMS data and related information technology (IT) resources. Criteria Security controls are intended to protect the confidentiality, integrity, and availability of system data and related IT resources. Condition The FDOR Child Support Enforcement program uses CAMS for the creation and closure of child support cases and disbursement of funds. Our audit disclosed that certain security controls related to CAMS user authentication need improvement. We are not disclosing the specific details of the issues in this report to avoid the possibility of compromising CAMS data and related IT resources. However, we have notified appropriate FDOR management of the specific issues. Cause We are not disclosing the specific details of the issues in this report to avoid the possibility of compromising CAMS data and related IT resources. Effect Appropriate user authentication controls for CAMS are necessary to decrease the risk that unauthorized individuals may gain access to the system and compromise the confidentiality, integrity, and availability of CAMS data and related IT resources. 
Recommendation We recommend that FDOR management improve certain security controls related to CAMS user authentication to ensure the confidentiality, integrity, and availability of CAMS data and related IT resources. State Entity Response We concur with this recommendation. The security controls will be implemented at the application/system level by June 30, 2028 for all users and essential IT workers as defined by 60GG-2, F.A.C.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-030 Assistance Listing Number and Title 93.566 – Refugee and Entrant Assistance – State/Replacement Designee – Administered Programs (REAP) Compliance Requirement Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility State Entity Florida Department of Health (FDOH) Federal Grant/Contract Number and Grant Year 2301FLRCMA 2023, 2401FLRCMA 2024, and 2501FLRCMA 2025 Statistically Valid Sample N/A Finding Type Significant Deficiency Finding Certain security controls related to Health Management System (HMS) user authentication need improvement to ensure the confidentiality, integrity, and availability of HMS data and related information technology (IT) resources. Criteria Security controls are intended to protect the confidentiality, integrity, and availability of data and related IT resources. Condition State County Health Departments use the HMS, electronic health record software, to support daily business functions and clinical operations. Our audit disclosed that certain security controls related to HMS user authentication need improvement. We are not disclosing the specific details of the issues in this report to avoid the possibility of compromising HMS data and related IT resources. However, we have notified appropriate FDOH management of the specific issues. Cause We are not disclosing the specific details of the issues in this report to avoid the possibility of compromising HMS data and related IT resources. Effect Appropriate HMS user authentication controls are necessary to decrease the risk that unauthorized individuals may gain access to the system and compromise the confidentiality, integrity, and availability of HMS data and related IT resources. Recommendation We recommend that FDOH management improve certain security controls related to HMS user authentication to ensure the confidentiality, integrity, and availability of HMS data and related IT resources. 
State Entity Response As part of continuous process improvement, the Office of Information Technology (OIT) is in the process of implementing additional improvement measures.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-031 Assistance Listing Number and Title 93.566 – Refugee and Entrant Assistance – State/Replacement Designee – Administered Programs (REAP) Compliance Requirement Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Eligibility State Entity Florida Department of Health (FDOH) Federal Grant/Contract Number and Grant Year 2301FLRCMA 2023, 2401FLRCMA 2024, and 2501FLRCMA 2025 Statistically Valid Sample N/A Finding Type Significant Deficiency Finding The FDOH did not conduct periodic reviews of the appropriateness of all Health Management System (HMS) user access privileges to ensure that access to the HMS was limited to authorized users. Criteria Florida Department of Management Services Rule 60GG-2.003(1), Florida Administrative Code – Agency information owners are to review access rights (privileges) periodically based on system categorization or assessed risk. Additionally, each agency shall ensure that access to information technology (IT) resources is limited to authorized users and ensure IT access is removed when access to the IT resource is no longer required. Periodic reviews of access privileges help ensure that only authorized users have access and that the access privileges provided to each account remain appropriate. Condition The HMS is health record software used by the FDOH and State County Health Departments for planning, budgeting, management, administration, and reporting activities. According to FDOH records, as of October 2, 2025, there were 19,225 active HMS system user accounts. To obtain an understanding of FDOH user access privilege review processes for the HMS, we inquired of FDOH management who indicated that a periodic user access review of all HMS user accounts was not performed during the 2024-25 fiscal year. 
In addition, our review of HMS user account access records for 4,363 HMS user accounts disclosed that it appeared that 6 of the user accounts were used to access the HMS subsequent to the users’ employment separation. Cause According to FDOH management, complete user access reviews were not conducted due to employee oversight. In addition, although we inquired, the FDOH was unable to explain why the HMS users’ accounts appeared to be accessed subsequent to the six users’ termination dates. Effect Periodic reviews of all HMS user access privileges and adequate controls over user account access post-employment separation would provide FDOH management assurance that user access privileges are authorized and remain appropriate and limit the potential for unauthorized disclosure, modification, or destruction of FDOH data and IT resources by former employees or others. Recommendation We recommend that FDOH management complete periodic reviews of the appropriateness of all HMS user access privileges and enhance controls to limit the potential for unauthorized user account access post-employment separation. State Entity Response As part of continuous process improvement, the Office of Information Technology (OIT) is in the process of implementing additional improvement measures.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-032 Assistance Listing Number and Title 93.566 – Refugee and Entrant Assistance – State/Replacement Designee – Administered Programs (REAP) Compliance Requirement Subrecipient Monitoring State Entity Florida Department of Children and Families (FDCF) Federal Grant/Contract Number and Grant Year 2201FLRSS 2022, 2301FLRSS 2023, 2401FLRSSS 2024, 2501FLRSSS 2025, 2401FLRCMA 2024, and 2501FLRCMA 2025 Statistically Valid Sample N/A Finding Type Opinion Qualification and Material Weakness Finding The FDCF did not evaluate each subrecipient’s risk of noncompliance to determine the appropriate monitoring nor conduct any subrecipient monitoring. Criteria 45 CFR 75.352(b) and (d) – Requirements for pass-through entities – All pass-through entities must evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. The pass-through entity must also monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Section 402.7305(4)(a), Florida Statutes – The FDCF shall establish a contract monitoring process that includes performing a risk assessment at the start of each fiscal year and preparing an annual contract monitoring schedule that considers the level of risk assigned. Condition The FDCF contracts with subrecipients to provide employment and other social services to refugee/entrant families. During the 2024-25 fiscal year, the FDCF expended approximately $149.4 million in REAP funds and provided approximately $59.5 million to nine subrecipients. 
Our inquiries of FDCF management disclosed that the FDCF neither evaluated each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate monitoring to be conducted during the 2024-25 fiscal year nor conducted any subrecipient monitoring during the year. Cause According to FDCF management, the FDCF is in the process of allocating staff resources to strengthen monitoring efforts to focus on oversight of subawards. Effect Absent an evaluation of each subrecipient’s risk of noncompliance with subaward requirements and monitoring of all subrecipients based on the results of comprehensive risk assessments, the FDCF is not adequately minimizing the risk of program fraud, waste, and abuse, and cannot ensure that subawards are used for authorized purposes in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Recommendation We recommend that the FDCF conduct required subrecipient monitoring. Such monitoring should be performed based on a comprehensive risk assessment of each subrecipient’s risk of noncompliance with subaward requirements. State Entity Response FDCF recognizes the requirements set forth in 45 CFR 75.352(b) and (d) and section 402.7305(4), Florida Statutes, to perform documented annual risk assessments and to conduct monitoring commensurate with each subrecipient’s assessed level of risk. FDCF will develop and utilize a comprehensive risk assessment tool to evaluate subrecipient’s risk of noncompliance with subaward requirements. The Office of Economic Self Sufficiency’s Refugee Contract team will develop and utilize a comprehensive risk assessment tool to evaluate subrecipient’s risk of noncompliance with subaward requirements.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-033 Assistance Listing Number and Title 93.568 – Low-Income Home Energy Assistance Program (LIHEAP) Compliance Requirement Reporting State Entity Florida Department of Commerce (FCOM) Federal Grant/Contract Number and Grant Year 2402FLLIEI 2024, 2402FLLIEA 2024, 2302FLLIEE 2023, 2302FLLIEA 2023, and 2102FLLIEA 2021 Statistically Valid Sample No Finding Type Noncompliance and Significant Deficiency Prior Year Finding Report No. 2025-162, Finding No. 2024-037 Finding FCOM did not always accurately or timely report subaward information required by the Federal Funding Accountability and Transparency Act (FFATA) in the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Criteria 2 CFR 170, Appendix A – Reporting Subawards and Executive Compensation – Unless otherwise exempt, the recipient must report each subaward that equals or exceeds $30,000 in Federal funds for a subaward to an entity or Federal agency. In addition, the recipient must report the information about each obligating action, including the subaward obligation/action date. For subaward information, reporting must occur no later than the end of the month following the month in which the subaward was issued. Condition During the 2024-25 fiscal year, FCOM issued 9 subawards and made 36 subaward amendments totaling approximately $68.6 million in LIHEAP funds that were required to be reported in the FSRS. Our review of FCOM records for 4 selected subawards and 6 subaward amendments found that, for the 4 subawards and 5 subaward amendments, FCOM reported the incorrect subaward obligation/action date and, for 3 subaward amendments, FCOM did not timely report the subaward information in the FSRS. 
Specifically, while the subaward information was required to be reported in the FSRS no later than the end of the month following the month in which the obligation was made, the subaward amendments were reported 11, 65, and 221 days late. Cause According to FCOM management, incorrect subaward obligation/action dates were reported due to employee error and subaward information was not timely reported due to FCOM reconciliation measures taken to address unreported items noted in the prior audit. Effect FCOM did not accurately or timely report required LIHEAP subaward information in accordance with FFATA, inhibiting accountability and transparency. Recommendation We recommend that FCOM management enhance reporting controls to ensure that all applicable LIHEAP subaward information is accurately and timely reported in accordance with FFATA. State Entity Response Effective July 1, 2025, FCOM implemented new processes and procedures to enhance FFATA reporting controls and ensure the accuracy and timeliness of the subaward data reported in the SAM.GOV.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-021 Assistance Listing Number and Title 93.489, 93.575, and 93.596 – Child Care and Development Fund (CCDF) Cluster (Includes COVID-19 Awards) Compliance Requirement Period of Performance State Entity Florida Department of Education (FDOE) Federal Grant/Contract Number and Grant Year 2501FLCCDM 2025 Statistically Valid Sample No Finding Type Noncompliance and Significant Deficiency Questioned Costs – $2,406,820.14 Finding FDOE expenditures charged to the CCDF program were not always incurred during the authorized period of performance. Criteria 45 CFR 75.309(a) – Period of performance and availability of funds – A non-Federal entity may charge to the Federal award only allowable costs incurred during the period of performance. Condition During the 2024-25 fiscal year, the FDOE expended approximately $973.5 million in Federal funds for the CCDF program. Our analysis and examination of records related to 21 selected program expenditures paid by the FDOE during the 2024-25 fiscal year disclosed 5 expenditures totaling $1,634,110.86 that were incurred before the authorized period of performance. Subsequent to our audit inquiries, the FDOE identified additional expenditures totaling $772,709.28 that were incurred before the authorized period of performance. Cause According to FDOE management, the expenditures were charged to the incorrect Federal award due to a timing issue caused by the activation of the grant prior to receipt of the invoices. Effect Expenditures charged to a Federal award that were not incurred during the authorized period of performance could be subject to disallowance by the Federal grantor agency. Recommendation We recommend that the FDOE enhance controls to ensure that costs are attributable to the authorized period of performance and are charged to the correct Federal award. 
State Entity Response The Florida Department of Education will enhance its procedures to ensure expenditures are charged to the correct grant.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-022 Assistance Listing Number and Title 93.489, 93.575, and 93.596 – Child Care and Development Fund (CCDF) Cluster (Includes COVID-19 Awards) Compliance Requirement Subrecipient Monitoring State Entity Florida Department of Education (FDOE) Federal Grant/Contract Number and Grant Year 2101FLCCC5 2021, 2101FLCSC6 2021, 2101FLCDC6 2021, 2201FLCCDD 2022, 2201FLCCDF 2022, and 2001FLCCC3 2020 Statistically Valid Sample No Finding Type Noncompliance and Significant Deficiency Finding The FDOE did not issue management decisions for two subrecipients’ audit findings. Criteria 45 CFR 75.521 – Management decision – The pass-through entity must issue a management decision for audit findings that relate to Federal awards it makes to subrecipients within 6 months of acceptance of the audit report by the Federal Audit Clearinghouse. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. Condition During the 2024-25 fiscal year, the FDOE provided approximately $935 million in CCDF program funds to subrecipients. According to FDOE records, audit reports for 32 subrecipients were due by March 31, 2024, and management decisions were due by September 30, 2024, if required. Our examination of the audit reports for 2 of 4 selected subrecipients disclosed findings reported for the CCDF program; however, according to FDOE management, the FDOE did not issue management decisions addressing the audit findings. Cause According to FDOE management, the management decisions were not issued due to inexperienced staff. 
Additionally, FDOE procedures for reviewing subrecipient audit reports pertaining to CCDF program funds did not include the requirement to issue management decisions addressing any audit findings in accordance with Federal regulations, which may have contributed to the management decisions not being issued. Effect Absent the issuance of management decisions for all audit findings pertaining to a Federal award, the FDOE cannot demonstrate compliance with Federal regulations providing for subrecipients to be notified of whether an audit finding is sustained, the reasons for the decision, and the expected auditee corrective action. Recommendation We recommend that the FDOE enhance procedures for reviewing subrecipient audit reports pertaining to CCDF program funds to include the requirement to issue management decisions addressing any audit findings in accordance with Federal regulations. We also recommend that the FDOE ensure that management decisions are timely issued for all audit findings pertaining to the CCDF program in accordance with Federal regulations. State Entity Response The Florida Department of Education will enhance its procedures regarding the review and resolution of subrecipient audits.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-034 Assistance Listing Number and Title 93.667 – Social Services Block Grant (SSBG) Compliance Requirement Subrecipient Monitoring State Entity Florida Department of Children and Families (FDCF) Federal Grant/Contract Number and Grant Year 2401FLSOSR 2024 and 2501FLSOSR 2025 Statistically Valid Sample N/A Finding Type Opinion Qualification and Material Weakness Prior Year Finding Report No. 2025-162, Finding No. 2024-048 Finding The FDCF did not evaluate each subrecipient’s risk of noncompliance to determine the appropriate programmatic monitoring nor conduct any subrecipient monitoring. Criteria 45 CFR 75.352(b) and (d) – Requirements for pass-through entities – All pass-through entities must evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. The pass-through entity must also monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Section 402.7305(4)(a), Florida Statutes – The FDCF shall establish a contract monitoring process that includes performing a risk assessment at the start of each fiscal year and preparing an annual contract monitoring schedule that considers the level of risk assigned. FDCF Policies and Procedures of Financial Monitoring (CF Operating Procedure No. 55-1) – The risk assessment factors will be evaluated annually and, based on its risk assessment score, each contract will be assigned a relative rating of high, medium, or low that is used to schedule the annual on-site financial monitoring of subrecipients (lead agencies). 
Condition The FDCF contracts with lead agencies to provide child welfare services, including case management for children in out-of-home care, in-home removal prevention services, and foster care maintenance payments. During the 2024-25 fiscal year, the FDCF expended approximately $87.7 million in SSBG funds. According to FDCF records, approximately $42.2 million was subaward-related expenditures, of which approximately $41.2 million related to 18 lead agency subawards. According to FDCF management, separate FDCF departments were responsible for financial and programmatic monitoring of the lead agencies. Financial monitoring was to consist of desk reviews and on-site activities and include an evaluation of whether the lead agency’s use of funds was for authorized purposes and complied with Federal and State laws and rules and the terms and conditions of the subaward. Programmatic monitoring was to include monitoring of nonstandard subaward requirements. Our inquiries of FDCF management disclosed that the FDCF neither evaluated each lead agency’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate programmatic monitoring to be conducted during the 2024-25 fiscal year nor conducted any programmatic monitoring during the year. In addition, although the FDCF completed a risk assessment that identified 6 lead agencies that required on-site financial monitoring during the 2024-25 fiscal year, the FDCF neither performed the on-site financial monitoring nor completed any financial monitoring during the year. Cause According to FDCF management, the FDCF is in the process of allocating staff resources to strengthen monitoring efforts to focus on programmatic oversight of subawards. 
FDCF management also indicated that neither onsite nor desk review financial monitoring activities were completed during the 2024-25 fiscal year because the FDCF was reassessing its financial monitoring processes. Effect Absent an evaluation of each lead agency’s risk of noncompliance with subaward programmatic requirements and monitoring of all lead agencies for compliance with programmatic and financial requirements, based on the results of comprehensive risk assessments, the FDCF is not adequately minimizing the risk of program fraud, waste, and abuse, and cannot ensure that subawards, particularly to high-risk lead agencies, are used for authorized purposes in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Recommendation We recommend that the FDCF conduct required financial and programmatic monitoring. Such monitoring should be performed based on a comprehensive risk assessment of each lead agency’s risk of noncompliance with subaward programmatic and financial requirements. State Entity Response The Florida Department of Children and Families (DCF) acknowledges the finding regarding subrecipient risk assessment and monitoring requirements. DCF recognizes the requirements set forth in 45 CFR 75.352(b) and (d) and section 402.7305(4), Florida Statutes, which require pass-through entities to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward, and to conduct monitoring activities commensurate with the assessed level of risk. DCF has developed a standardized assessment tool to determine the risk level for each subrecipient. Risk assessments and monitoring activities have begun, and DCF will complete a comprehensive risk assessment of all active contracts using this tool. Based on the results, DCF will develop a risk-based schedule for contract monitoring site visits. 
DCF continues to evaluate its monitoring processes and allocate resources to strengthen oversight of subawards. While oversight activities occur across a variety of Department offices including financial monitoring, contract manager oversight, and administrative compliance reviews, those activities are not currently documented within a single, clearly defined risk-based monitoring framework aligned with the federal requirements referenced above. DCF is exploring opportunities to strengthen and further formalize its subrecipient monitoring framework. These efforts include implementing documented risk assessments and monitoring activities that incorporate administrative, fiscal, and programmatic considerations, as applicable, and support development of risk-informed monitoring schedules and improved documentation of oversight activities. Additionally, DCF is developing a broader monitoring roadmap to assess existing monitoring practices across programs and identify opportunities to enhance consistency, coordination, and documentation of monitoring activities aligned with federal requirements.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-035 Assistance Listing Number and Title 93.767 – Children’s Health Insurance Program (CHIP) Compliance Requirement Reporting State Entity Florida Agency for Health Care Administration (FAHCA) Federal Grant/Contract Number and Grant Year 2405FL5021 2024 and 2505FL5021 2025 Statistically Valid Sample N/A Finding Type Opinion Qualification and Material Weakness Prior Year Finding Report No. 2025-162, Finding No. 2024-049 Finding The FAHCA did not report subaward information required by the Federal Funding Accountability and Transparency Act (FFATA) in the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Criteria 2 CFR 170, Appendix A – Reporting Subawards and Executive Compensation – Unless otherwise exempt, the recipient must report each subaward that equals or exceeds $30,000 in Federal funds for a subaward to an entity or Federal agency. All reported subawards should reflect the total amount of the subaward. For subaward information, reporting must occur no later than the end of the month following the month in which the subaward was issued. Condition During the 2024-25 fiscal year, the FAHCA disbursed approximately $245 million in CHIP funds to one subrecipient to administer CHIP. The FAHCA amended the subaward amount on June 28, 2024, and December 30, 2024. As part of our audit, we determined that the FAHCA was required to report in the FSRS the subaward information associated with the two amendments by the end of July 2024 and January 2025. Our inquiries of FAHCA management, however, disclosed that the FAHCA did not report the subaward information associated with the two amendments in the FSRS. Cause FAHCA management indicated that the subaward information was not reported in the FSRS due to a misunderstanding regarding the required submission timeline. 
Effect The FAHCA did not timely report required CHIP subaward information in accordance with FFATA, inhibiting accountability and transparency. Recommendation We recommend that FAHCA management enhance reporting controls to ensure that all applicable CHIP subaward action information is timely reported in accordance with FFATA. State Entity Response FAHCA management will enhance reporting controls to ensure that all applicable CHIP subaward action information is timely reported in accordance with FFATA.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-036 Assistance Listing Number and Title 93.767 – Children’s Health Insurance Program (CHIP) Compliance Requirement Subrecipient Monitoring State Entity Florida Agency for Health Care Administration (FAHCA) Federal Grant/Contract Number and Grant Year 2405FL5021 2024 and 2505FL5021 2025 Statistically Valid Sample No Finding Type Noncompliance and Significant Deficiency Prior Year Finding Report No. 2025-162, Finding No. 2024-050 Finding The FAHCA did not provide all required subaward information to a subrecipient. Criteria 45 CFR 75.352 – Requirements for pass-through entities – All pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and include certain information at the time of the subaward. Condition During the 2024-25 fiscal year, the FAHCA disbursed approximately $245 million in CHIP funds to one subrecipient. Our review of the subaward agreement with the subrecipient found that the FAHCA did not include in the agreement the Federal Award Identification Number, Federal award date, subaward period of performance start and end date, subaward budget period start and end date, the indirect cost rate for the Federal Award at the time of disbursement, the amount of Federal funds obligated in the subaward, or the total amount of Federal funds obligated and committed to the subrecipient. Cause According to FAHCA management, the FAHCA had not established a process for ensuring that all required subaward information is communicated to its subrecipient in accordance with Federal regulations. Effect Without providing required information to the subrecipient, the subrecipient has an increased risk of improperly administering the Federal award. Recommendation We recommend that the FAHCA establish a process for ensuring that all required information is correctly included in CHIP subrecipient agreements. 
State Entity Response FAHCA Bureau of Medicaid Policy has taken steps to ensure that all required subaward information is adequately communicated to the subrecipient. A process has been established to ensure the contract manager provides a written notice to the subrecipient. Additionally, the FAHCA has reviewed the current contract with the subrecipient and is routing an amendment to ensure the CHIP subaward is clearly defined and the responsibilities of both the FAHCA and subrecipient are defined. Specific grant information, if identified in the contract or attachments, shall be updated when received by the FAHCA.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES U.S. DEPARTMENT OF AGRICULTURE Finding Number 2025-023 Assistance Listing Number and Title 93.558 – Temporary Assistance for Needy Families (TANF) 93.767 – Children’s Health Insurance Program (CHIP) 93.775, 93.777, and 93.778 – Medicaid Cluster 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster 93.566 – Refugee and Entrant Assistance – State/Replacement Designee – Administered Programs (REAP) Compliance Requirement Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Eligibility, Reporting, and Special Tests and Provisions – Child Support Non-Cooperation, Income Eligibility and Verification System, Penalty for Refusal to Work, Penalty for Failure to Comply with Work Verification Plan, and Automated Data Processing System for SNAP State Entity Florida Department of Children and Families (FDCF) Federal Grant/Contract Number and Grant Year 2401FLTANF 2024 and 2501FLTANF 2025 2405FL5021 2024 and 2505FL5021 2025 2405FL5MAP 2024 and 2505FL5MAP 2025 5FL430422 2023 and 2024, 5FL430412 2024 and 2025, and 5FL400402 2024 and 2025 2301FLRCMA 2023, 2401FLRCMA 2024, and 2501FLRCMA 2025 Statistically Valid Sample N/A Finding Type Significant Deficiency Prior Year Finding Report No. 2025-162, Finding No. 2024-029 Finding Certain security controls related to user authentication for the Florida Online Recipient Integrated Data Access (FLORIDA) system need improvement to ensure the confidentiality, integrity, and availability of FLORIDA system data and related information technology (IT) resources. Criteria Security controls are intended to protect the confidentiality, integrity, and availability of data and related IT resources. Condition The FDCF uses the FLORIDA system as a public assistance eligibility determination system. Our audit disclosed that certain security controls related to FLORIDA system user authentication need improvement. 
We are not disclosing the specific details of the issues in this report to avoid the possibility of compromising FLORIDA system data and related IT resources. However, we have notified appropriate FDCF management of the specific issues. Cause We are not disclosing the specific details of the issues in this report to avoid the possibility of compromising FLORIDA system data and related IT resources. Effect Appropriate user authentication controls for the FLORIDA system are necessary to decrease the risk that unauthorized individuals may gain access to the system and compromise the confidentiality, integrity, and availability of FLORIDA system data and related IT resources. Recommendation We recommend that FDCF management improve certain security controls related to FLORIDA system user authentication to ensure the confidentiality, integrity, and availability of FLORIDA system data and related IT resources. State Entity Response FDCF concurs with the finding. The Office of Information Technology Services (OITS) ACCESS application team that supports the FLORIDA system is in year four of a multi-year modernization initiative. Through this effort, FLORIDA (mainframe) front-end functionality is being migrated to the ACCESS Management Portal (a web application that requires Department network credentials). The ACCESS Management Portal authentication configuration complies with Florida Administrative Code (F.A.C.) 60GG-2 confidentiality, integrity, and availability (CIA) standards for account management controls. During this transition period, users access FLORIDA in one of two ways:
1. Direct access to FLORIDA: Users must first authenticate to the Department network, either on-premises or via VPN. Both methods require authorization prior to accessing Department resources.
2. Access via the ACCESS Management Portal: Users access FLORIDA functionality through the portal using Department network credentials.
By the end of 2027, all FLORIDA front-end functionality is expected to be available through the ACCESS Management Portal, and staff will no longer have direct access to the FLORIDA mainframe. Given the current modernization progress and the planned elimination of direct mainframe access by the end of 2027, the Department acknowledges and accepts the residual risk during this transition.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES U.S. DEPARTMENT OF AGRICULTURE Finding Number 2025-024 Assistance Listing Number and Title 93.558 – Temporary Assistance for Needy Families (TANF) 93.767 – Children’s Health Insurance Program (CHIP) 93.775, 93.777, and 93.778 – Medicaid Cluster 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster 93.566 – Refugee and Entrant Assistance – State/Replacement Designee – Administered Programs (REAP) Compliance Requirement Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Eligibility, Reporting, and Special Tests and Provisions – Child Support Non-Cooperation, Income Eligibility and Verification System, Penalty for Refusal to Work, Penalty for Failure to Comply with Work Verification Plan, and Automated Data Processing System for SNAP State Entity Florida Department of Children and Families (FDCF) Federal Grant/Contract Number and Grant Year 2401FLTANF 2024 and 2501FLTANF 2025 2405FL5021 2024 and 2505FL5021 2025 2405FL5MAP 2024 and 2505FL5MAP 2025 5FL430422 2023 and 2024, 5FL430412 2024 and 2025, and 5FL400402 2024 and 2025 2301FLRCMA 2023, 2401FLRCMA 2024, and 2501FLRCMA 2025 Statistically Valid Sample N/A Finding Type Significant Deficiency Prior Year Finding Report No. 2025-162, Finding No. 2024-028 Finding The FDCF did not conduct periodic reviews of the appropriateness of Florida Online Recipient Integrated Data Access (FLORIDA) system user access privileges to ensure that access to the FLORIDA system was limited to authorized users. Additionally, FDCF records did not always evidence the timely deactivation of FLORIDA system access privileges upon an employee’s separation from FDCF employment. Criteria Florida Department of Management Services Rule 60GG-2.003(1), Florida Administrative Code – Agency information owners are to review access rights (privileges) periodically based on system categorization or assessed risk. 
Additionally, each agency shall ensure that access to information technology (IT) resources is limited to authorized users and ensure IT access is removed when access to the IT resource is no longer required. Periodic reviews of access privileges help ensure that only authorized users have access and that the access privileges provided to each account remain appropriate. FDCF Information Technology Services Standard Operating Procedure B 12 FLORIDA System Access Procedures – Supervisors must periodically review the access levels of current employees to ensure that the level of access granted remains appropriate to perform their duties. The FDCF is to conduct an internal access review audit at least annually. Condition The FDCF uses the FLORIDA system as a public assistance eligibility determination system. According to FDCF records, as of May 19, 2025, there were 6,872 active FLORIDA system user accounts. To obtain an understanding of FDCF user access privilege review processes for the FLORIDA system, we inquired of FDCF management who indicated that a periodic user access review was not performed during the 2024-25 fiscal year. In addition, our review of the user access and employment records for 2,556 FLORIDA system user accounts whose FLORIDA system user access was deactivated during the period July 1, 2024, through May 19, 2025, found 398 instances where it appeared that the FDCF did not timely deactivate the access privileges for the FLORIDA system user account. Specifically, the access privileges appeared to be deactivated 1 to 180 days (an average of 7 days) after the users’ employment separation. Additionally, although requested, the FDCF did not provide documentation evidencing the date that the users had last accessed the FLORIDA system. Consequently, the FDCF could not demonstrate, and we could not determine, if the users’ accounts were accessed subsequent to employment termination. 
Cause According to FDCF management, user access reviews were not performed as the FDCF was in the process of implementing a new user access review methodology. Additionally, although we inquired, the FDCF did not explain or otherwise provide documentation demonstrating why the access privileges for the 398 FLORIDA system user accounts were not timely deactivated. Effect Periodic reviews of FLORIDA system user access privileges and prompt deactivation of FLORIDA system user access privileges upon an employee’s separation from FDCF employment would provide FDCF management assurance that user access privileges are authorized and remain appropriate and limit the potential for unauthorized disclosure, modification, or destruction of FDCF data and IT resources by former employees or others. Recommendation We recommend that FDCF management timely complete periodic reviews of the appropriateness of FLORIDA system user access privileges. We also recommend that FDCF management enhance controls to ensure that FDCF records evidence that FLORIDA system user access privileges are deactivated immediately upon a user’s separation from FDCF employment. State Entity Response FDCF concurs with the finding. During State Fiscal Year (SFY) 2025–26, FDCF conducted a periodic review of FLORIDA system accounts and established an ongoing review schedule in accordance with Florida Administrative Code (F.A.C.) requirements. The Department will also review internal processes to identify mechanisms for documenting the deactivation of user access privileges.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-037 Assistance Listing Number and Title 93.767 – Children’s Health Insurance Program (CHIP) 93.775, 93.777, and 93.778 – Medicaid Cluster Compliance Requirement Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Eligibility, Matching, Level of Effort, and Earmarking, Reporting, and Special Tests and Provisions – Automated Data Processing Risk Analysis and System Security Review; and Provider Eligibility (Screening and Enrollment) State Entity Florida Agency for Health Care Administration (FAHCA) Federal Grant/Contract Number and Grant Year 2405FL5021 2024 and 2505FL5021 2025 2405FL5MAP 2024 and 2405FL5ADM 2024 2505FL5MAP 2025 and 2505FL5ADM 2025 Statistically Valid Sample N/A Finding Type Significant Deficiency Prior Year Finding Report No. 2025-162, Finding No. 2024-052 Finding Certain security controls related to user authentication for the Florida Medicaid Management Information System (FMMIS) need improvement to ensure the confidentiality, integrity, and availability of FMMIS data and related information technology (IT) resources. Criteria Security controls are intended to protect the confidentiality, integrity, and availability of system data and related IT resources. Condition FMMIS is used to enroll and reimburse providers and maintain eligibility and provider enrollment data for the CHIP and Medicaid program. Our audit disclosed that certain security controls related to FMMIS user authentication need improvement. We are not disclosing the specific details of the issues in this report to avoid the possibility of compromising FMMIS data and related IT resources. However, we have notified appropriate FAHCA management of the specific issues. Cause We are not disclosing the specific details of the issues in this report to avoid the possibility of compromising FMMIS data and related IT resources.
Effect Appropriate user authentication controls for FMMIS are necessary to decrease the risk that unauthorized individuals may gain access to the system and compromise the confidentiality, integrity, and availability of FMMIS data and related IT resources. Recommendation We recommend that FAHCA management improve certain security controls related to FMMIS user authentication to ensure the confidentiality, integrity, and availability of FMMIS data and related IT resources. State Entity Response The FAHCA concurs that appropriate user authentication controls for FMMIS are necessary to decrease the risk that unauthorized individuals may gain access to the system and compromise the confidentiality, integrity, and availability of FMMIS data and related IT resources.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-038 Assistance Listing Number and Title 93.775, 93.777, and 93.778 – Medicaid Cluster Compliance Requirement Eligibility State Entity Florida Department of Children and Families (FDCF) Federal Grant/Contract Number and Grant Year 2405FL5MAP 2024 and 2505FL5MAP 2025 Statistically Valid Sample No Finding Type Opinion Qualification and Material Weakness Questioned Costs – $6,595.58 (Federal Share $702.20; Federal Grant No. 2405FL5MAP) (Federal Share $3,078.07; Federal Grant No. 2505FL5MAP) Prior Year Finding Report No. 2025-162, Finding No. 2024-053 Finding The FDCF did not always terminate Medicaid benefits after determining recipients to be ineligible nor consider all required information in continuing Medicaid eligibility. Criteria 42 CFR 435.930(b) – Furnishing Medicaid – The agency must continue to furnish Medicaid regularly to all eligible individuals until they are found to be ineligible. 42 CFR 435.945(d) – General requirements – All State eligibility determination systems must conduct data matching through the Public Assistance Reporting Information System (PARIS). 42 CFR 435.952(a) – Use of information and requests of additional information from individuals – The agency must promptly evaluate information received or obtained by it in accordance with regulations under 2 CFR 435.940 through 2 CFR 435.960 to determine whether such information may affect the eligibility of an individual or the benefits to which he or she is entitled. Condition Medicaid eligibility is determined by the FDCF using the Florida Online Recipient Integrated Data Access (FLORIDA) system. Medicaid client eligibility information is transmitted to the Florida Agency for Health Care Administration (FAHCA), the State agency responsible for administering Medicaid payments. 
According to FAHCA records, during the 2024-25 fiscal year, the FAHCA made payments for Medicaid services totaling approximately $19.8 billion on behalf of approximately 4.7 million Medicaid clients whose eligibility was determined by the FDCF. As part of our audit, we examined FDCF records for 60 selected Medicaid clients and found that the FDCF did not always terminate Medicaid benefits after determining recipients to be ineligible nor consider all required information in continuing Medicaid eligibility. Specifically:
• For two Medicaid recipients determined to be ineligible prior to the 2024-25 fiscal year, the FDCF did not terminate the clients’ Medicaid benefits. Consequently, the FAHCA made improper capitation payments on behalf of the recipients totaling $5,068.47 during the 2024-25 fiscal year.
• The quarterly PARIS match flagged one Medicaid recipient as potentially receiving Medicaid benefits in both the State of Florida and another state during the 2024-25 fiscal year; however, the FDCF did not consider the PARIS match information prior to the continuation of Medicaid benefits. As a result, the FAHCA made capitation payments on behalf of the recipient totaling $1,527.11 subsequent to the receipt of the PARIS match information.
Cause For the two recipients with Medicaid coverage not terminated and the one recipient with an unreviewed PARIS match, employee action is required. Due to the FDCF’s prioritization of timely processing government assistance applications, some actions were not timely performed. Effect Absent effective eligibility determination processing controls, the FDCF cannot ensure that only eligible individuals are enrolled in the Medicaid program and that Medicaid payments are only made on behalf of eligible Medicaid recipients. Recommendation We recommend that the FDCF enhance eligibility determination processing controls to ensure that Medicaid payments are only made on behalf of eligible Medicaid recipients.
State Entity Response FDCF acknowledges there were two recipients where Medicaid eligibility was not terminated; these recipients are part of a vulnerable population and are excluded from the auto-closure process, requiring a worker to complete a manual review. For the recipient with a Public Assistance Reporting Information System (PARIS) match, response/verification was not received by FDCF from the household after the 11/4/2024 PARIS contact notice. In these cases, a worker must complete a manual review. FDCF will evaluate its manual closure process and, if necessary, make adjustments to ensure appropriate action is taken when a manual review is required.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-039 Assistance Listing Number and Title 93.775, 93.777 and 93.778 – Medicaid Cluster Compliance Requirement Special Tests and Provisions – Provider Health and Safety Standards State Entity Florida Agency for Health Care Administration (FAHCA) Federal Grant/Contract Number and Grant Year 2405FL5MAP 2024 and 2505FL5MAP 2025 Statistically Valid Sample No Finding Type Opinion Qualification and Material Weakness Prior Year Finding Report No. 2025-162, Finding No. 2024-055 Finding The FAHCA did not always conduct health and life safety surveys in accordance with Federal regulations and established procedures. Criteria 42 CFR 442.109(a) – Certification period for ICF/IIDs: General Provisions – The State Survey Agency must conduct a survey of each intermediate care facility for individuals with intellectual disabilities (ICF/IID) not later than 15 months after the last day of the previous survey. 42 CFR 488.308 – Survey Frequency – The survey agency must conduct a standard survey of each nursing facility (NF) not later than 15 months after the last day of the previous survey. U.S. Department of Health and Human Services (USDHHS), Centers for Medicare and Medicaid Services (CMS), Fiscal Year 2025 Mission and Priorities document (MPD) – All NFs and ICF/IIDs are subject to a standard survey that is to be completed no later than 15.9 months after the previous standard survey. USDHHS CMS State Operations Manual – Chapter 3 – Additional Program Activities – Within 10 working days, the State agency is to deliver to the provider a warning letter and Form CMS 2567 containing the deficiencies. FAHCA Division of Health Quality Assurance Scheduling and Staffing Protocol – Survey Scheduling Criteria – Nursing homes and ICF/IIDs are to be surveyed no later than 15.9 months from the last survey date, and life safety surveys for hospitals are to be conducted no later than 27.9 months from the last survey date. 
Condition During the 2024-25 fiscal year, the FAHCA surveyed 696 facilities (422 nursing homes, 10 non-deemed hospitals, 189 deemed hospitals, and 75 ICF/IIDs). As part of our audit, we examined FAHCA records for 40 selected facilities (24 nursing homes, 1 non-deemed hospital, 11 deemed hospitals, and 4 ICF/IIDs) and found that the FAHCA did not always conduct health and life safety surveys in accordance with Federal regulations and established procedures. Specifically:
• For 16 health surveys conducted at the 29 applicable facilities (non-deemed hospital, nursing homes, and ICF/IIDs), the FAHCA completed the health surveys 16 to 26.7 months (an average of 20 months) after the last day of the previous survey.
• For 13 life safety surveys conducted at the 40 facilities (hospitals, nursing homes, and ICF/IIDs), the FAHCA completed the life safety surveys 16 to 78.2 months (an average of 24.1 months) after the last day of the previous survey.
• For 17 of the 42 health and life safety surveys of the facilities with cited deficiencies, the FAHCA delivered the warning letter and Form CMS 2567 to the facilities 11 to 17 business days (an average of 13 business days) following the survey.
Cause According to FAHCA management, employee oversights, State declared emergencies and staffing shortages, and other competing priorities resulted in longer survey intervals and noted delays. Effect Absent the timely completion of health and life safety surveys, the FAHCA cannot ensure that all hospitals, nursing homes, and ICF/IIDs that serve Medicaid recipients meet the prescribed health and safety standards or that noncompliant facilities take appropriate actions to timely correct deficiencies. Recommendation We recommend that FAHCA management timely complete health and life safety surveys and deliver warning letters and Form CMS 2567 to noncompliant facilities in accordance with Federal regulations and established procedures.
State Entity Response FAHCA has worked diligently in reducing the number of overdue recertification surveys in nursing homes and Intermediate Care Facilities for Individuals with Intellectual Disabilities (ICF/IID) from SFY2024 to 2025. FAHCA had an 8% improvement in overdue NH recert surveys from SFY2023 to 2025. The current backlog in nursing home surveys started with CMS’s response to the 2020 Public Health Emergency, during which all federal survey work was halted at CMS’s direction for at least five months. This nursing home survey backlog has been further compounded by workload pressures over the past two years in FAHCA and multiple weather-related disruptions, such as major hurricanes and floods. Hurricanes Helene and Milton resulted in office closures and delayed survey activity in the fall of 2024. Moreover, survey staff shortages in two field offices remain a concern, particularly in critical roles such as nurses and generalists, despite concerted efforts to enhance compensation and expand recruitment modalities. Vacant positions, especially among surveyors, continue to hinder the agency’s capacity to complete nursing home surveys efficiently and on schedule. However, the overall vacancy rate of health surveyors has improved substantially since the fall of 2025, which may result in more nursing home surveys conducted timely. Additionally, FAHCA has increased cross-training health surveyors to ensure that there is a sufficient number of surveyors available for each program. Recruitment of Fire Protection Specialists (FPSs) continues to be a challenge for FAHCA since the beginning of the state fiscal year, despite substantial statewide salary increases for this position. These Fire Protection Specialist vacancies have hindered FAHCA’s ability to complete timely life safety code surveys in two areas of the state. The field offices have been working collaboratively to provide staffing support for the field offices that have FPS shortages.
While Florida did not meet the Centers for Medicare & Medicaid (CMS) State Performance Standard (SPSS) for Frequency of Nursing Home Recertification Surveys (S8), it was “On Track” for 2024 and 2025. This means that at least 80% of nursing homes in the state had received a recertification survey in the last 15.9 months, as of the end of the federal fiscal year. States with a score of “On Track” that did not meet the S8 State Performance for the last two years will have to address this measure in their SPSS Corrective Action Plans. FAHCA is continuing to come up with new strategies to improve the backlog of nursing home surveys. One of those strategies is to increase the number of surveyor trainings so that health surveyors may become qualified faster. The sampled Intermediate Care Facilities for Individuals with Intellectual Disabilities (ICF/IIDs) health and life safety code surveys were late during this review period due to the lack of QIDPs and high priority complaints that needed to be conducted at the same time as the scheduled ICF/IID survey. This is not pervasive throughout the state. FAHCA has been actively recruiting Qualified Intellectual Disability Professionals (QIDPs) in field offices where there are shortages, borrowing QIDPs to help with surveys, and cross training non-QIDP surveyors in the ICF/IID programs. The volume of high priority complaints submitted to FAHCA has increased each year. This growth can occasionally impact the scheduling of recertification surveys for nursing homes, ICF/IIDs, hospitals, and other programs. While we make every effort to prevent high priority complaints from delaying scheduled surveys, our staffing capacity is limited. As with many state survey agencies, FAHCA is just not structured to manage a significant surge in high priority complaints should one occur.
The three sampled Life Safety hospital surveys were late due to working on higher priority federal workload that we are completing due to the 2020 Public Health Emergency and the shortage of FPS surveyors in the past year. This occurred in one field office and although FAHCA has a shortage of FPS surveyors in a few field offices, these field offices are collaborating with other field offices to cover the workload as much as possible. FAHCA has always strived to send providers the Statement of Deficiencies (SODs) within 10 business days after the survey exit date. Some of the SODs were late because there was one surveyor on the team who cited the majority of the tags on the survey and after the survey, the surveyor was on approved leave that could not be changed. Another reason the SODs were late is because sometimes our field offices had competing priorities, such as high priority complaints and other survey reports to process at the same time with limited resources. It is also important to note that the Centers for Medicare & Medicaid Services also reviews these same audit standards annually; therefore, this audit duplicates the federal CMS review of Florida’s State Performance Standards for survey workload completion.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-040 Assistance Listing Number and Title 93.767 – Children’s Health Insurance Program (CHIP) 93.775, 93.777, and 93.778 – Medicaid Cluster Compliance Requirement Special Tests and Provisions – Provider Eligibility (Screening and Enrollment) State Entity Florida Agency for Health Care Administration (FAHCA) Federal Grant/Contract Number and Grant Year 2405FL5021 2024 and 2505FL5021 2025 2405FL5MAP 2024 and 2505FL5MAP 2025 Statistically Valid Sample No Finding Type Opinion Qualification and Material Weakness Questioned Costs – Unknown (We could not determine whether the providers were excluded from participating in the CHIP or the Medicaid program) Prior Year Finding Report No. 2025-162, Finding No. 2024-054 Finding The FAHCA did not check all required Federal databases to confirm the identity of providers upon enrollment and reenrollment nor evidence that all Federal database matches were reviewed and resolved. Criteria 42 CFR 455.436 – Federal database checks – The State Medicaid agency must (a) confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases; (b) check the Social Security Administration (SSA) Death Master File (DMF), the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe; and (c) consult appropriate databases to confirm identity upon enrollment and reenrollment and check the LEIE and SAM no less frequently than monthly. Condition The FAHCA uses the Florida Medicaid Management Information System (FMMIS) to enroll and reimburse providers, maintain provider enrollment data, and perform Federal database checks for CHIP and Medicaid program providers. 
During the 2024-25 fiscal year, the FAHCA paid fee-for-service claims directly to providers and paid capitation payments to contracted managed care plans. According to FAHCA records, these payments totaled approximately $28 billion in State and Federal (Medicaid and CHIP) funds to 51,047 providers enrolled in the CHIP and Medicaid program. As part of our audit, we examined FAHCA records for 80 providers enrolled in the CHIP and Medicaid program who received payments during the 2024-25 fiscal year to determine whether the FAHCA completed for the selected providers the required Federal database checks. Our examination disclosed that:
• The FAHCA did not check the SSA DMF during enrollment or reenrollment for any providers seeking enrollment or reenrollment in the CHIP or Medicaid program.
• FAHCA management indicated that manual NPPES checks were performed for providers seeking reenrollment beginning in July 2023. However, although requested, the FAHCA was unable to provide evidence that NPPES manual checks were performed for 70 of the 80 tested providers upon enrollment or reenrollment during the 2024-25 fiscal year.
• For 2 selected months, September 2024 and May 2025, FAHCA records indicated that 1 provider had an LEIE match for both months, and another provider had an LEIE match in May 2025. Additionally, 4 providers had a SAM match in both months, and another provider had a SAM match in May 2025. Although requested, the FAHCA was unable to provide evidence that actions had been taken to determine whether the providers were eligible to participate in the CHIP or Medicaid program, even though the matches indicated that the providers may have been excluded from participating.
Cause FAHCA management indicated that FMMIS has not been configured to perform the required SSA DMF checks. 
Also, although FMMIS performs a monthly provider screening process to identify LEIE and SAM matches, FAHCA management indicated that, due to the volume of providers and identified potential exclusions, potential match issues are researched during a provider’s new application process and each renewal period rather than monthly. Although requested, FAHCA management did not provide an explanation regarding the NPPES checks issues noted on audit. Effect Absent routine Federal database checks and review of matches, the FAHCA cannot ensure that new or enrolled providers are eligible to participate in the CHIP and Medicaid program. Recommendation We recommend that the FAHCA configure FMMIS to perform checks against the SSA DMF, retain records evidencing NPPES checks, and review and resolve all LEIE and SAM matches in accordance with Federal regulations. State Entity Response The FAHCA concurs that due to the absence of routine Federal database checks and review of matches, the FAHCA cannot ensure that new or enrolled providers are eligible to participate in the CHIP and Medicaid program.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-041 Assistance Listing Number and Title 93.775, 93.777, and 93.778 – Medicaid Cluster Compliance Requirement Special Tests and Provisions – Refunding of Federal Share of Medicaid Overpayments to Providers State Entity Florida Agency for Health Care Administration (FAHCA) Federal Grant/Contract Number and Grant Year 2505FL5MAP 2025 Statistically Valid Sample No Finding Type Noncompliance and Significant Deficiency Questioned Costs – $3,000,000 (ALN 93.778 – Federal share $2,030,100) Finding The FAHCA did not timely report and refund to the U.S. Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS), the Federal share of a $3,000,000 Medicaid overpayment made to a provider in accordance with Federal regulations. Criteria 42 CFR 433.320(a) – Procedures for refunds to CMS – Basic requirements – The State Medicaid agency must credit CMS with the Federal share of overpayments subject to recovery on the earlier of (i) the Form CMS-64 submission due to CMS for the quarter in which the State recovers the overpayment from the provider; or (ii) the Form CMS-64 due to CMS for the quarter in which the 1-year period following discovery ends. If the State does not refund the Federal share of such overpayment, the State will be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. FAHCA CMS-64 Reporting Operating Procedures Condition During the 2024-25 fiscal year, the FAHCA closed 94 overpayment cases, totaling $73,939,796, that were to be reported to CMS for refunding of overpayments on Form CMS-64. While Federal regulations require overpayments to be reported and refunded to CMS no later than 1 year following the overpayment discovery, FAHCA procedures required the total amount of identified overpayments to be reported and refunded within 60 days of the final order date, regardless of actual collection of overpayments. 
As part of our audit, we examined FAHCA records for 10 selected closed overpayment cases and found that, for a $3,000,000 overpayment with a final order dated May 30, 2024, the FAHCA did not report the overpayment to CMS within 60 days as required by FAHCA procedures. Our further evaluation of the overpayment disclosed that the FAHCA did not report and refund the overpayment to CMS by the required quarter ended June 2025 and, instead, reported and refunded it in the quarter ended September 2025. Cause According to FAHCA management, the reporting delay was due to staffing vacancies. Effect Absent timely reporting and refunding of all identified overpayments to CMS, the FAHCA cannot demonstrate compliance with Federal regulations and may be liable for interest on the amount equal to the Federal share of the non-recovered, non-refunded overpayment amount. Recommendation We recommend that FAHCA management enhance controls to ensure that all identified overpayments are timely reported to CMS for refunding of overpayments on Form CMS-64 in accordance with Federal regulations. State Entity Response FAHCA management will enhance controls to ensure that all identified overpayments are timely reported to CMS for refunding of overpayments on Form CMS-64 in accordance with Federal regulations.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-042 Assistance Listing Number and Title 93.767 – Children’s Health Insurance Program (CHIP) 93.775, 93.777, and 93.778 – Medicaid Cluster Compliance Requirement Special Tests and Provisions – Medical Loss Ratio (MLR) State Entity Florida Agency for Health Care Administration (FAHCA) Federal Grant/Contract Number and Grant Year 2405FL5021 2024 and 2505FL5021 2025 2405FL5MAP 2024 and 2505FL5MAP 2025 Statistically Valid Sample No Finding Type Noncompliance and Significant Deficiency Prior Year Finding Report No. 2025-162, Finding No. 2024-057 Finding The FAHCA did not obtain from managed care plans a report that included a comparison of MLR information to the audited financial report. Criteria 42 CFR 438.8(k) – Reporting requirements – The State, through its contracts, must require each Managed Care Organization (MCO), Prepaid Inpatient Health Plan (PIHP), or Prepaid Ambulatory Health Plan (PAHP) to submit for each MLR reporting year a report to the State that includes specified information, such as a comparison of MLR information in 42 CFR 438.8(k) with the audited financial report required by 42 CFR 438.3(m). Condition Contract provisions required FAHCA’s managed care plans to annually submit to the FAHCA Achieved Savings Rebate (ASR) Financial Reports containing required MLR information using a template provided by the FAHCA. The ASR Financial Report reporting period is based on a calendar year, with an unaudited annual ASR Financial Report due May 1st. Upon submission of the unaudited ASR Financial Reports by the managed care plans, Certified Public Accounting firms contracted by the FAHCA are to audit the Reports and submit an audit report to the FAHCA by September 30th. The FAHCA contracted with 13 managed care plans (8 MCOs, 3 PAHPs, and 2 PIHPs) during the 2023 MLR reporting period. 
As part of our audit, we requested documentation evidencing that the MLR information was compared to the audited financial report for 3 managed care plans (2 MCOs and 1 PIHP) whose audits were completed by September 2024. According to FAHCA management, the comparison of the MLR information to the audited financial report was not performed as required by Federal regulations. Cause According to FAHCA management, the managed care plans did not compare MLR information to the audited financial reports because the comparison was not required in the ASR Financial Report template. Effect Absent requiring the comparison of MLR information to the audited financial report in the ASR Financial Reports submitted by MCOs, PIHPs, and PAHPs, the FAHCA cannot demonstrate compliance with Federal regulations. Recommendation We recommend that the FAHCA ensure that a comparison of the reported MLR information to the audited financial report for each MCO, PIHP, and PAHP is performed in accordance with Federal regulations. State Entity Response The 2024 audited ASR, issued in September 2025, includes MLR comparison.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-043 Assistance Listing Number and Title 93.917 – HIV Care Formula Grants Compliance Requirement Eligibility State Entity Florida Department of Health (FDOH) Federal Grant/Contract Number and Grant Year X0700057 2024, 2025, X0832362 2024, 2025, X0932738 2024 Statistically Valid Sample N/A Finding Type Significant Deficiency Finding The FDOH did not review the appropriateness of Florida Ryan White Portal (FL RW Portal) system user access privileges to ensure that access to the FL RW Portal system was limited to authorized users. Additionally, FDOH records did not always evidence the timely deactivation of FL RW Portal system access privileges upon an employee’s separation from FDOH employment. Criteria Florida Department of Management Services Rule 60GG-2.003(1), Florida Administrative Code – Agency information owners are to review access rights (privileges) periodically based on system categorization or assessed risk. Additionally, each agency shall ensure that access to information technology (IT) resources is limited to authorized users and ensure IT access is removed when access to the IT resource is no longer required. Periodic reviews of access privileges help ensure that only authorized users have access and that the access privileges provided to each account remain appropriate. FDOH – Florida Ryan White Portal System Security Administration Policies and Procedures – An annual review of FL RW Portal system user accounts will be conducted before the end of the first quarter of every year. Condition The FDOH uses the FL RW Portal system to facilitate client eligibility screenings and enrollment and for the secure collection, storage, and management of detailed client data, including demographics, medical history, service utilization, and treatment outcomes. According to FDOH records, as of June 17, 2025, there were 212 active FL RW Portal system users, including 36 external users. 
To obtain an understanding of FDOH user access privilege review processes for the FL RW Portal system, we inquired of FDOH management who indicated that a user access review was not performed during the 2024-25 fiscal year. Additionally, according to FDOH records, as of June 17, 2025, 176 FDOH employees had an active FL RW Portal system user account. Our comparison of the list of 176 active user accounts to employment records disclosed 7 instances where the FDOH did not timely deactivate a user account upon employment separation. Specifically, the user accounts were deactivated subsequent to June 17, 2025, 72 to 98 days (an average of 85 days) after employment separation. Also, our review of the user access and employment records for 140 FDOH employees whose FL RW Portal system user access privileges were deactivated during the period July 1, 2024, through June 17, 2025, found 26 instances where the FDOH did not timely deactivate access privileges. Specifically, the access privileges were deactivated 6 to 265 days (an average of 56 days) after the users separated from FDOH employment. Cause According to FDOH management, the FDOH had not completed the establishment of procedures for conducting periodic reviews of FL RW Portal system user access privileges. In addition, the FL RW Portal system user access privileges were not timely deactivated because the employees’ supervisors did not promptly complete and submit requests for the access to be deactivated. Effect Periodic reviews of the appropriateness of FL RW Portal system user access privileges and prompt deactivation of FL RW Portal system user access privileges upon an employee’s separation from FDOH employment would provide FDOH management assurance that user access privileges are authorized and remain appropriate and limit the potential for unauthorized disclosure, modification, or destruction of FDOH data and IT resources by former employees or others. 
Recommendation We recommend that FDOH management enhance controls, including establishing procedures, to ensure that periodic reviews of the appropriateness of all FL RW Portal system user access privileges are performed and documented in FDOH records and that FL RW Portal system user access privileges are deactivated immediately upon a user’s separation from FDOH employment. State Entity Response Supervisors will be required to submit an email for employees whose scope of work requires access to the FL RW Portal with all required documents to a designated inbox. The email and forms will be evaluated and approved before the user is added to the FL RW Portal. Additionally, the employee gaining access or having access removed, will be logged with a time stamp and signoff of the employee providing/removing access. The onboarding/offboarding instructions will instruct all supervisors to submit an email for separated employees within one business day of separation requesting access removal from the FL RW Portal. In addition, there will be a process added to conduct quarterly reviews of user access to ensure employees have appropriate access.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-044 Assistance Listing Number and Title 93.917 – HIV Care Formula Grants (HIV) Compliance Requirement Matching, Level of Effort, and Earmarking State Entity Florida Department of Health (FDOH) Federal Grant/Contract Number and Grant Year X0700057 2024 Statistically Valid Sample N/A Finding Type Opinion Qualification and Material Weakness Finding FDOH financial records did not evidence that HIV program earmarking requirements were met. Criteria 42 USC 300ff-28(b) – Allocation of assistance by States – A state may not use more than 10 percent of amounts received for planning and evaluation activities or for administration. A state may not use more than a total of 15 percent of the amounts received for the combined costs for administration and planning and evaluation activities. The aggregate of expenditures for administrative expenses by subrecipients may not exceed 10 percent of the total amount of grant funds sub awarded by the state. A state shall establish a clinical quality management program to determine whether the services provided under the grant are consistent with the most recent Public Health Service guidelines for the treatment of HIV disease and related opportunistic infection and, as applicable, to develop strategies for bringing these services into conformity with the guidelines. Funds used for this purpose may not exceed the lesser of 5 percent of the amount received under the grant or $3,000,000. 42 USC 300ff-26(c) – State duties – A state shall use a portion of the funds awarded to establish a program to provide therapeutics to treat HIV/AIDS or prevent the serious deterioration of health arising from HIV/AIDS in eligible individuals, including measures for the prevention and treatment of opportunistic infections. The state may use not more than 5 percent to encourage, support, and enhance adherence to, and compliance with, treatment regimens. 
42 USC 300ff-22(b) – Required funding for core medical services – Not less than 75 percent of the amount remaining after reserving amounts for state administration, planning and evaluation, and a clinical quality management program shall be used to provide core medical services to eligible people with HIV. Condition During the 2024-25 fiscal year, the FDOH expended approximately $164.2 million in HIV program funds. Our examination of records related to the allocation of HIV program funds for the HIV grant with a budget period ended March 31, 2025, found that FDOH financial records did not evidence that HIV program earmarking requirements were met. In addition, the FDOH had not established policies and procedures requiring the FDOH to maintain financial records demonstrating compliance with earmarking requirements. Cause According to FDOH management, the FDOH adjusted the financial records due to accounting and reporting limitations in the records. However, documentation supporting those adjustments was not maintained due to employee turnover and employee oversights. Effect Absent financial records evidencing compliance with earmarking requirements, HIV program expenditures may be subject to disallowance by the grantor. Recommendation We recommend that the FDOH establish policies and procedures requiring documentation, including financial records and evidence of adjustments made to the financial records, be maintained supporting compliance with HIV program earmarking requirements. State Entity Response The Earmarking Expenditure Worksheet is an annual report that is prepared by the Bureau of Communicable Diseases utilizing data extracted from Patient Care Fiscal Monitoring and Reporting System along with the Florida Accounting Information Resource (FLAIR) expenditure/indirect data to provide cost by services for each earmark. 
Currently, FLAIR does not provide this level of detail by service and due to the limitations within the report, the Bureau of Communicable Diseases must adjust within the report to offset earmarks to reflect the use of federal funding expended in the program by the total federal authorized amount. The Department is working to enhance its processes and procedures to ensure there are adequate controls in place to validate that figures reported in the federal system are reconciled to FLAIR expenditures while identifying ways to meet the federal reporting requirements before reports are submitted. Additionally, the Department is working to ensure that documents/data used to complete the report are maintained in a central repository with adequate procedures so that reported figures are memorialized.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-045 Assistance Listing Number and Title 93.917 – HIV Care Formula Grants (HIV) Compliance Requirement Subrecipient Monitoring State Entity Florida Department of Health (FDOH) Federal Grant/Contract Number and Grant Year X0700057 2022, 2024, and 2025 Statistically Valid Sample No Finding Type Noncompliance Finding The FDOH did not conduct required monitoring of one subrecipient nor timely issue a management decision for a subrecipient’s audit finding. Criteria 45 CFR 75.352(d) – Requirements for pass-through entities – The pass-through entity must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity; (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means; (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by 45 CFR 75.521. 45 CFR 75.521 – Management decision – The pass-through entity must issue a management decision for audit findings that relate to Federal awards it makes to subrecipients within 6 months of acceptance of the audit report by the Federal Audit Clearinghouse. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. U.S. 
Department of Health and Human Services, Health Resources and Services Administration, HIV/AIDS Bureau – Ryan White HIV/AIDS Program Part B Manual – Recipients must ensure that all Ryan White HIV/AIDS Program Part B subrecipients receive an annual monitoring site visit, unless otherwise exempted. Condition During the 2024-25 fiscal year, the FDOH expended approximately $164.2 million in HIV program funds and provided approximately $11 million to subrecipients. According to FDOH records, 5 lead agencies and 8 non-lead agency subrecipients were required to be monitored during the 2024-25 fiscal year. Our analysis of FDOH records and inquiries of FDOH management disclosed that the FDOH did not monitor one of the non-lead agency subrecipients. In addition, our examination of FDOH records for four subrecipients where a management decision was required found that, for one subrecipient, the FDOH did not timely issue a management decision related to a finding reported for the HIV program. Specifically, the management decision was issued 67 days late. Cause According to FDOH management, personnel shortages and changes in FDOH leadership contributed to the monitoring not being conducted. Additionally, according to FDOH management, the management decision was not timely issued due to delays in resolving corrective actions. Effect Absent timely completion of all required monitoring activities, the FDOH cannot adequately ensure that the subaward is used for authorized purposes in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. In addition, the timely issuance of management decisions for all audit findings pertaining to a Federal award is necessary for the FDOH to demonstrate compliance with Federal regulations providing for subrecipients to be promptly notified of whether an audit finding is sustained, the reasons for the decision, and the expected auditee corrective action. 
Recommendation We recommend that FDOH management ensure that subrecipient monitoring is conducted as required for all applicable subrecipients and that management decisions are timely issued for all audit findings pertaining to the HIV program in accordance with Federal regulations. State Entity Response FDOH will be required to utilize Microsoft Planner to ensure timely completion of all required monitoring activities and issuance of management decisions. This will allow for multi-level leadership notification and visibility of monitoring activity status. Additionally, the utilization of this platform will engage various levels of leadership to provide the required management decisions.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-025 Assistance Listing Number and Title 93.558 – Temporary Assistance for Needy Families (TANF) 93.566 – Refugee and Entrant Assistance – State/Replacement Designee – Administered Programs (REAP) 93.667 – Social Services Block Grant (SSBG) 93.958 – Block Grants for Community Mental Health Services (CMHS) (Includes COVID-19 Awards) Compliance Requirement Reporting State Entity Florida Department of Children and Families (FDCF) Federal Grant/Contract Number and Grant Year 2301FLTANF 2023, 2401FLTANF 2024, and 2501FLTANF 2025 2401FLRCMA 2024 and 2501FLRCMA 2025 2201FLRSS 2022, 2301FLRSS 2023, 2401FLRSS 2024 and 2501FLRSS 2025 2401FLSOSR 2024 and 2501FLSOSR 2025 21B1FLCHMSC6 2021, 23SCFLCMHS 2023, 24B1FLCMHS 2024, and 25B1FLCHMS 2025 Statistically Valid Sample No Finding Type Opinion Qualification and Material Weakness Finding The FDCF did not always accurately or timely report subaward information required by the Federal Funding Accountability and Transparency Act (FFATA) in the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) or in SAM.gov, as applicable. Criteria 2 CFR 170, Appendix A – Reporting Subawards and Executive Compensation – Unless otherwise exempt, the recipient must report each subaward that equals or exceeds $30,000 in Federal funds for a subaward to an entity or Federal agency. For subaward information, reporting must occur no later than the end of the month following the month in which the subaward was issued. Condition During the 2024-25 fiscal year, the FDCF expended approximately $338.4 million in TANF, REAP, SSBG, and CMHS program funds related to 117 subawards. Of the 117 subawards, 56 were entered into on or after July 1, 2024, and were required to be reported in the FSRS. 
Of the $338.4 million, approximately $149.5 million in TANF and SSBG program funds was expended for 18 lead agency subawards to provide child welfare services and approximately $102.9 million in TANF and CMHS program funds was expended for 7 managing entity subawards to coordinate behavioral health services. The FDCF entered into subawards with subrecipients, including multi-year subawards with lead agencies and managing entities and, as of September 17, 2025, the value of the 117 subawards totaled $18 billion, of which $17.1 billion was for lead agency and managing entity subawards. Our inquiries of FDCF management and review of FDCF records found that FDCF processes did not allow for the timely and accurate reporting of all applicable subawards and subaward amounts in accordance with FFATA. Specifically:
• The FDCF reported the actual expenditures for the lead agency and managing entity contracts as of June 30, 2025, instead of the subaward amounts. For example, the FDCF entered into a subaward agreement with a managing entity on July 1, 2010, with a subaward amount totaling $689,687,780. The subaward was subsequently amended, resulting in a subaward amount totaling $3,104,004,500, as of February 26, 2025. However, our review of the amounts reported in SAM.gov as of June 30, 2025, found that the FDCF had reported in SAM.gov $1,308,996,741 as the subaward amount.
• Our analysis of FDCF expenditure data found that one subaward executed in July 2024 and funded with CMHS funds was not reported in the FSRS until December 2024.
• Our review of 14 subawards, including 62 amendments that modified the subaward amount and were required to be reported pursuant to FFATA during the 2024-25 fiscal year, found that the FDCF did not timely revise in the FSRS or SAM.gov, as applicable, the subaward amount for at least one of each of the 14 subawards’ amendments.
Cause According to FDCF management, subaward amounts were not always accurately reported due to a misunderstanding of FFATA reporting requirements. In addition, the subaward was not timely reported and the subaward amounts were not timely revised for amendments due to contract manager delays in notifying the FDCF staff responsible for FFATA reporting that the subaward had been issued or amended. Effect The FDCF did not accurately or timely report required subaward information in accordance with FFATA, inhibiting accountability and transparency. Recommendation We recommend that FDCF management enhance reporting controls to ensure that all applicable subaward information is accurately and timely reported in accordance with FFATA. State Entity Response DCF Revenue Management will collaborate with the Office of Contracted Client Services and Information Technology (IT) to address FFATA reporting deficiencies. DCF will evaluate and strengthen Post Award Notice (PAN) data management processes that support FFATA reporting, reduce reliance on manual data entry where feasible, strengthen coordination between and enhance staff training on federal FFATA requirements to improve reporting accuracy and reporting controls. Improvements and enhancements to ensure timely notification of subaward executions and amendments will include:
• Automated or system-based notification workflows will be implemented, where feasible, to reduce reliance on manual communication between Budget, Contract Managers, and Revenue Management.
• Contract Administration will reinforce internal procedures requiring prompt submission of executed subawards and amendments by Contract Managers and their supervisors.
• Targeted training will be provided to Contract Managers on FFATA reporting triggers, including distinctions between total subaward amounts and expenditures, to address the misunderstanding identified in the audit by a sub-office in Administration.
DCF will also enhance and expand monitoring tools, maintain ongoing reporting training, and strengthen internal communication to ensure compliance with federal regulations and reduce the time between subaward issuance and reporting in FSRS (SAM.gov). The Department has set an implementation completion target date of September 30, 2026, for development, testing, approval, updating procedures, and training on reports and federal requirements.
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES Finding Number 2025-046 Assistance Listing Number and Title 93.958 – Block Grants for Community Mental Health Services (CMHS) (Includes COVID-19 Awards) Compliance Requirement Subrecipient Monitoring State Entity Florida Department of Children and Families (FDCF) Federal Grant/Contract Number and Grant Year B09SM085351 2021, B09SM09143 2023, B09SM089616 2024, and B09SM09334 2025 Statistically Valid Sample N/A Finding Type Opinion Qualification and Material Weakness Finding The FDCF did not evaluate each subrecipient’s risk of noncompliance to determine the appropriate programmatic monitoring nor conduct any subrecipient monitoring. Criteria 45 CFR 75.352(b) and (d) – Requirements for pass-through entities – All pass-through entities must evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. The pass-through entity must also monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Section 402.7305(4)(a), Florida Statutes – The FDCF shall establish a contract monitoring process that includes performing a risk assessment at the start of each fiscal year and preparing an annual contract monitoring schedule that considers the level of risk assigned. FDCF Policies and Procedures of Financial Monitoring (CF Operating Procedure No. 55-1) – The risk assessment factors will be evaluated annually and, based on its risk assessment score, each contract will be assigned a relative rating of high, medium, or low that is used to schedule the annual on-site financial monitoring of subrecipients (managing entities).
Condition The FDCF contracts with managing entities to coordinate behavioral health services. During the 2024-25 fiscal year, the FDCF expended approximately $87.4 million in CMHS funds and, according to FDCF records, approximately $84.6 million related to 7 managing entity subawards. According to FDCF management, separate FDCF departments were responsible for financial and programmatic monitoring of the managing entities. Financial monitoring was to consist of desk reviews and on-site activities and include an evaluation of whether the managing entity’s use of funds was for authorized purposes and complied with Federal and State laws and rules and the terms and conditions of the subaward. Programmatic monitoring was to include monitoring of nonstandard subaward requirements. Our inquiries of FDCF management disclosed that the FDCF neither evaluated each managing entity’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate programmatic monitoring to be conducted during the 2024-25 fiscal year nor conducted any programmatic monitoring during the year. In addition, although the FDCF completed a risk assessment that identified one managing entity that required on-site financial monitoring during the 2024-25 fiscal year, the FDCF neither performed the on-site financial monitoring nor completed any financial monitoring during the year. Cause According to FDCF management, the FDCF is in the process of allocating staff resources to strengthen monitoring efforts to focus on programmatic oversight of subawards. FDCF management also indicated that neither onsite nor desk review financial monitoring activities were completed during the 2024-25 fiscal year because the FDCF was reassessing its financial monitoring processes.
Effect Absent an evaluation of each managing entity’s risk of noncompliance with subaward programmatic requirements and monitoring of all managing entities for compliance with programmatic and financial requirements, based on the results of comprehensive risk assessments, the FDCF is not adequately minimizing the risk of program fraud, waste, and abuse, and cannot ensure that subawards, particularly to high-risk managing entities, are used for authorized purposes in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Recommendation We recommend that the FDCF conduct required financial and programmatic monitoring. Such monitoring should be performed based on a comprehensive risk assessment of each managing entity’s risk of noncompliance with subaward programmatic and financial requirements. State Entity Response The Florida Department of Children and Families (Department) acknowledges the finding regarding subrecipient risk assessment and monitoring requirements. The Department recognizes the requirements set forth in 45 CFR 75.352(b) and (d) and section 402.7305(4), Florida Statutes, which require pass-through entities to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward and to conduct monitoring activities commensurate with the assessed level of risk. As the single state authority for mental health and substance use disorders the Department is reassessing aspects of its monitoring processes and allocating resources to strengthen oversight of subawards. 
While oversight activities occur across a variety of Department offices including financial and programmatic monitoring, contract manager oversight, and administrative compliance reviews, those activities are not currently documented within a single, clearly defined risk-based monitoring framework aligned with the federal requirements referenced above. The Department is currently exploring opportunities to strengthen and further formalize its subrecipient monitoring framework. These efforts include evaluating approaches to implement documented risk assessments and monitoring activities that incorporate administrative, fiscal, and programmatic considerations, as applicable, and support development of risk-informed monitoring schedules and improved documentation of oversight activities. Specifically, the Department will conduct administrative, fiscal, and programmatic monitoring using appropriate monitoring tools. The Department will develop a monitoring schedule for each Managing Entity. Monitoring of each Managing Entity will be based on a comprehensive risk assessment that examines the risk of noncompliance with subaward programmatic and fiscal requirements.
U.S. DEPARTMENT OF HOMELAND SECURITY Finding Number 2025-047 Assistance Listing Number and Title 97.067 – Homeland Security Grant Program (HSGP) Compliance Requirement Reporting State Entity Florida Division of Emergency Management (FDEM) Federal Grant/Contract Number and Grant Year EMW-2023-SS-00058-S01 (2023) and EMW-2024-SS-05135 (2024) Statistically Valid Sample No Finding Type Noncompliance and Significant Deficiency Finding The FDEM did not report all subaward information required by the Federal Funding Accountability and Transparency Act (FFATA) in the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) or in SAM.gov, as applicable. Criteria 2 CFR 170, Appendix A – Reporting Subawards and Executive Compensation – Unless otherwise exempt, the recipient must report each subaward that equals or exceeds $30,000 in Federal funds for a subaward to an entity or Federal agency. For subaward information, reporting must occur no later than the end of the month following the month in which the subaward was issued. Condition During the 2024-25 fiscal year, the FDEM issued 77 subawards totaling approximately $38.9 million in HSGP funds that were to be reported in the FSRS or in SAM.gov, as applicable. Our inquiries of FDEM management and review of FDEM records for 8 selected subawards found that 2 of the subawards were not reported in the FSRS or in SAM.gov, as applicable. Cause According to FDEM management, the subawards were not reported in SAM.gov due to employee oversight and other errors. Effect The FDEM did not report required subaward information in accordance with FFATA, inhibiting accountability and transparency. Recommendation We recommend that FDEM management enhance reporting controls to ensure that all applicable HSGP subaward information is reported in accordance with FFATA. State Entity Response We concur. 
Our records suggest that 1 of the 2 subawards was entered into FSRS but did not come over to SAM.gov during the migration. However, the Office of Procurement and Contract Management was not able to provide backup documentation to avoid this audit finding.
U.S. DEPARTMENT OF HOMELAND SECURITY Finding Number 2025-048 Assistance Listing Number and Title 97.067 – Homeland Security Grant Program (HSGP) Compliance Requirement Subrecipient Monitoring State Entity Florida Division of Emergency Management (FDEM) Federal Grant/Contract Number and Grant Year EMW-2021-SS-00056 (2021) Statistically Valid Sample No Finding Type Noncompliance and Significant Deficiency Finding The FDEM did not always evaluate subrecipient risk to determine the appropriate subrecipient monitoring or conduct subrecipient monitoring. Criteria 2 CFR 200.332 – Requirements for pass-through entities – All pass-through entities must evaluate each subrecipient’s fraud risk and risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. The pass-through entity must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals and objectives are achieved. Condition According to FDEM management, subrecipients with subawards funded by the HSGP grant that closed on August 31, 2025, were to be monitored during the 2024-25 fiscal year. According to FDEM, 63 subrecipients with subawards totaling approximately $31.5 million in HSGP funds were monitored during the 2024-25 fiscal year. However, our inquiries of FDEM management and examination of FDEM monitoring records for 7 selected subrecipients disclosed that the FDEM neither evaluated fraud risk or the risk of noncompliance for 2 of the 7 subrecipients nor conducted required monitoring. Cause According to FDEM management, required risk assessment and monitoring activities were not completed due to an administrative oversight.
Effect Absent an evaluation of each subrecipient’s fraud risk and risk of noncompliance, and monitoring of all subrecipients based on the results of the risk assessment, the FDEM cannot ensure that subawards are used for authorized purposes in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals and objectives are achieved. Recommendation We recommend that FDEM management enhance controls to ensure that subrecipient monitoring is performed based on an assessment of each subrecipient’s risk in accordance with Federal regulations. State Entity Response We concur. The risk assessment and monitoring activities did not occur for the 2 subrecipients identified. We will enhance internal controls to ensure monitoring is consistently performed and documented.