Audit 8503

Federal Agency: United States Department of Agriculture Federal Program: Child Nutrition Cluster (10.555, 10.559, and 10.582) Federal Award Numbers: 202323N119944, 202221N119944-SED Federal Award Years: 2022 and 2023 State Agency: State Education Department Reference: 2023-005 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, section 200.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 2 CFR 200.2 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Internal controls Lastly, 2 CFR 200.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers During our testwork, we noted for the period of December 2022 through March 2023, the State Education Department (the Department) did not timely report any amounts passed-through to its subrecipients. During our testwork of 40 subawards, we noted the following exceptions: Cause The condition found was due to staffing shortages and the responsibility for FFATA reporting was not transferred between employees. Possible Asserted Effect Failure to submit all subawards passed-through to subrecipients and subcontractors under subawards as defined by 2CFR 200.2 in SED’s FFATA reporting could result in the Department reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Department review and enhance its policies, procedures, and internal controls to ensure that all amounts passed-through to subrecipients and subcontractors under subawards as defined in 2 CFR 200.2 are reported in accordance with the FFATA federal regulations.

Federal Agency: United States Department of Housing and Urban Development Federal Program: CDBG – Disaster Recovery Grants – Pub. L. No. 113-2 Cluster (14.269, 14.272) Federal Award Number: B13DS360001 Federal Award Years: 2013 State Agency: Housing Trust Fund Corporation and Governor’s Office of Storm Recovery Reference: 2023-006 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, herein referred to as the "Transparency Act" that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200) Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, section 200.1 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 2 CFR 200.1 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal program; but does not include an individual that is a beneficiary of such program. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Internal controls Lastly, 2 CFR 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the Federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).  Condition The Housing Trust Fund Corporation (HTFC) did not report awards granted to subrecipients for the CDBG – Disaster Recovery Grants program for the period April 2022 through March 2023 as required by FFATA. FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers During our testing, we noted that HTFC did not establish control procedures to submit FFATA reports for all subawards as required by federal regulations. During our testwork of 7 subawards and 6 amendments, we noted the following exceptions: *For the 5 of 7 sampled subawards, the subaward amounts of $191,367,261 were incorrectly reported in FSRS as $7,757,484,755. **For one of the 7 sampled subawards the obligation date did not agree to FSRS and 7 of 7 subawards were missing the date of report submission (key data element). Cause The condition found was due to HTFC not reporting any amounts passed-through to subrecipients for the period April 2022 – March 2023 because the responsibility for FFATA reporting was not transferred between employees. Possible Asserted Effect Failure to submit all subaward amounts passed-through to subrecipients and subcontractors under subawards as defined by 2 CFR 200.1 in HTFC’s FFATA reporting could result in HTFC reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that HTFC review and enhance its policies, procedures, and internal controls to ensure that all amounts passed-through to subrecipients and subcontractors under subawards as defined in 2 CFR 200.1 are reported in accordance with the FFATA federal regulations. In addition, we recommend that HTFC use obligation date for FFATA reporting.

Federal Agency: United States Department of Labor Federal Program: Unemployment Insurance (17.225) Federal Award Numbers: Not Applicable Federal Award Years : Not Applicable State Agency: Department of Labor Reference: 2023-007 Criteria Special Tests and Provisions – UI Benefit Payments The Payments Integrity Information Act (PIIA) of 2019 codified the requirement for valid statistical estimates of improper payments. by Title 20 Code of Federal Regulations Part 602 (20 CFR 602), Quality Control in the Federal-State Unemployment System, prescribes a Quality Control (QC) program for the Federal-State unemployment compensation (UC) system, which is appliable to the State UC programs and the Federal unemployment benefit and allowance programs administered by the State unemployment compensation agencies under agreements between the States and the Secretary of Labor. 20 CFR 602.11(d) states to satisfy the requirements of Section 303(a)(1) and (6) of the Social Security Act (SSA) (42 USC 503), a State law must contain a provision requiring, or which is construed to require, the establishment and maintenance of a QC program in accordance with the requirements of this part. The establishment and maintenance of such a QC program in accordance with this part shall not require any change in State law concerning authority to undertake redeterminations of claims or liabilities or the finality of any determination, redetermination or decision. Each State shall establish a QC unit independent of, and not accountable to, any unit performing functions subject to evaluation by the QC unit. The organizational location of this unit shall be positioned to maximize its objectivity, to facilitate its access to information necessary to carry out its responsibilities, and to minimize organizational conflict of interest. Per 20 CFR 602.21 – Standard methods and Procedures, Each State Shall: (a) Perform the requirements of this section in accordance with instructions issued by the Department, pursuant to § 602.30(a) of this part, to ensure standardization of methods and procedures in a manner consistent with this part; (b) Select representative samples for QC study of at least a minimum size specified by the Department to ensure statistical validity (for benefit payments, a minimum of 400 cases of weeks paid per State per year);   (c) Complete prompt and in-depth case investigations to determine the degree of accuracy and timeliness in the administration of the State UC law and Federal programs with respect to benefit determinations, benefit payments, and revenue collections; and conduct other measurements and studies necessary or appropriate for carrying out the purposes of this part; and in conducting investigations each State shall: (1) Inform claimants in writing that the information obtained from a QC investigation may affect their eligibility for benefits and inform employers in writing that the information obtained from a QC investigation of revenue may affect their tax liability, (2) Use a questionnaire, prescribed by the Department, which is designed to obtain such data as the Department deems necessary for the operation of the QC program; require completion of the questionnaire by claimants in accordance with the eligibility and reporting authority under State law, (3) Collect data identified by the Department as necessary for the operation of the QC program; however, the collection of demographic data will be limited to those data which relate to an individual's eligibility for UC benefits and necessary to conduct proportions tests to validate the selection of representative samples (the demographic data elements necessary to conduct proportions tests are claimants' date of birth, sex, and ethnic classification); and (4) Conclude all findings of inaccuracy as d(a) Perform the requirements of this section in accordance with instructions issued by the Department, pursuant to § 602.30(a) of this part, to ensure standardization of methods and procedures in a manner consistent with this part; (d) Classify benefit case findings resulting from QC investigations as: (1) Proper payments, underpayments, or overpayments in benefit payment cases, or (2) Proper denials or underpayments in benefit denial cases; (e) Make and maintain records pertaining to the QC program, and make all such records available in a timely manner for inspection, examination, and audit by such Federal officials as the Secretary may designate or as may be required or authorized by law; (f) Furnish information and reports to the Department, including weekly transmissions of case data entered into the automated QC system and annual reports, without, in any manner, identifying individuals to whom such data pertain; and (g) Release the results of the QC program at the same time each year, providing calendar year results using a standardized format to present the data as prescribed by the Department; States will have the opportunity to release this information prior to any release by the Department. Internal controls Additionally, Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200) Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, section 303(a) states, the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statues, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Benefit Accuracy Measurement (BAM) programs consists of reviews of Regular Unemployment Insurance (UI) payments, which are paid out of the Unemployment Insurance Trust Fund, and therefore are not associated with a Federal Award Number. For the period ending September 30, 2022, NYS failed the 90- and 120-day time lapse requirement for both Paid and Denied Claims. For the month of September 2022, for Paid Claims, 92.08% of cases were reviewed and closed within 90 days, less than 3% short of the required 95%. Similarly, 96.25% of cases were reviewed and closed within 120 days, less than 2% short of the required 98% federal benchmark. Also, for the month of September 2022, for Denied Claims, 96.66% of cases were reviewed and closed within 120 days, less than 2% short of the required 98%. Cause The condition related to the time lapse requirements results from a shortage of staff and backlogged cases. As a result, the Department was unable to meet all case allocation and timely review requirements. Possible Asserted Effect Failure to perform timely completion of investigations results in the inability of UI Program to appropriately assess the degree of accuracy and timeliness in the administration of the State UC law and federal programs with respect to benefit determinations, benefit payments, and revenue collections. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding A similar finding for the Department was included in the 2022 Single Audit Report as finding number 2022-004 at pages 25-27. Recommendation We recommend that the Department ensures that their polices and procedures are designed to review selected cases to ensure they meet the prescribed criteria and, if necessary, be replaced as part of the final sampling week for the PIIA year. Additionally, the Department should enhance its process to ensure the completion of Paid and Denied cases are reviewed and closed timely in accordance with State Law.

Federal Agency: United States Department of Education Federal Program: Federal Family Education Loans (Guaranty Agencies) (84.032) Federal Award Numbers: Not Applicable Federal Award Years: Not Applicable State Agency: Higher Education Services Corporation Reference: 2023-008 Criteria Special Tests and Provisions – Teacher Loan Forgiveness Claims In accordance with Title 34 CFR Section 682.216 (f)(3), the guaranty agency shall review a teacher loan forgiveness claim within 45 days of receiving the holder’s request for payment and must determine if the borrower meets the eligibility requirements for loan forgiveness under this section and must notify the holder of its determination of the borrower’s eligibility for loan forgiveness under this section. If the guaranty agency approves the loan forgiveness, it must, within the same 45-day period, pay the holder the amount of the loan forgiveness, up to $17,500, subject to paragraphs (c)(11), (d)(1), (d)(2), and (f)(2)(iii) of this section. Internal controls Additionally, Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200) Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, section 303(a) states, the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statues, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition For 3 out of 60 individual teacher loan forgiveness claims selected for testwork, management did not pay the lender within the required 45 day timeframe. The payments related to these 3 forgiveness claims occurred between 18 and 53 days beyond the 45 day requirement. Cause The condition related to management’s’ internal control to review and approve teacher loan forgiveness payment requests within 45 business days after receipt was not operating effectively. Specifically, there were delays in the determination of whether or not the borrower met its eligibility requirements for loan forgiveness.  Possible Asserted Effect Failure to timely remit payment to the lender for teacher loan forgiveness claims may result in noncompliance with federal laws and regulations. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding A similar finding was included in the separately issued Higher Education Services Corporation 2022 Single Audit Report as finding number 2022-002 on pages 59-60. Recommendation We recommend that management continue to monitor and review incoming teacher loan forgiveness claims from lenders and make any necessary payments for approved loan forgiveness within the 45 day period requirement.

Federal Agency: United States Department of Education Federal Program: Federal Family Education Loans (Guaranty Agencies) (84.032) Federal Award Numbers: Not Applicable Federal Award Years: Not Applicable State Agency: Higher Education Services Corporation Reference: 2023-009 Criteria Internal controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition Higher Education Services Corporation (HESC), with the support of New York State Information Technology Services (ITS) manages the IT environment for the Debt Management Collections Systems (DMCS) and Guaranteed Student Loan (GSL). IT application controls for DMCS and GSL are relied upon by Higher Education Services Corporation (HESC) for the administration of the Federal Family Education Loans (Guaranty Agencies) (FFEL). HESC utilizes DMCS, a legacy mainframe based system, for the accounting and debt management of the FFEL program and GSL to manage and monitor outstanding guaranteed loans. ITS management of DMCS and GSL includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the information technology general controls over DMCS and GSL: 1) For 3 out of 229 instances related to de-provisioning of access for terminated employees to the DMCS and GSL applications, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. Upon audit inquiry, we obtained system documentation for the 3 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. 2) HESC did not perform a periodic user access review over GSL active users and their respective access rights. The system generated listings utilized in the access reviews were not generated and provided to the appropriate reviewers prior to the end of the audit period. Upon audit inquiry, we performed testing procedures over appropriateness of administrative access to the GSL application and noted it appeared appropriately provisioned and restricted. 3) For the periodic user access review for the DMCS application, HESC management did not consider the inclusion of external users of the application, including external users with more than read-only access, in the scope of the review. We noted that the entitlements for the users not included in the scope of the DMCS periodic user access review only included edit capabilities related to non-financial data, such demographic information. We performed testing procedures over appropriateness of administrative access to the DMCS application and noted it appeared appropriately provisioned and restricted. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The cause of the delay in the review process was due to internal prioritizations resulting in the review not being performed within the audit period. 3) External users were not considered by management in the access reviews. Possible Asserted Effect Failure to have a reliable general information technology control environment over logical access may result in unauthorized changes being made to DMCS and GSL, which may result in erroneous reliance on the operating effectiveness of automated information technology controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure management personnel at HESC are notifying their IT department or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination of employment from HESC; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Education Federal Program: Rehabilitation Services — Vocational Rehabilitation Grants to States (84.126) Federal Award Numbers: H126A200047 – 20C (SED), H126A210047 (SED), H126A220047(SED), H126A200048 – 20D (OCFS), H126A210048 (OCFS), H126A220048 (OCFS) Federal Award Years: 2020, 2021, 2022 State Agency: Office of Children and Family Services and State Education Department Reference: 2023-010 Criteria Performance Reporting RSA-911, Case Service Report (RSA 911) (OMB No. 1820 0508). The RSA-911 is a set of data elements that state Vocational Rehabilitation (VR) agencies must submit to ED. The data elements obtained from state VR agency service records and case management systems document the application for and/or provision of VR services to individuals with disabilities, including program outcomes and demographic information. The RSA-911 data set instructions are available at https://rsa.ed.gov/sites/default/files/subregulatory/pd-19-03.pdf. Key Line Items – Supporting documentation must be included in the service record or case management system for the data elements listed below. Dates reported in the case management system must match the supporting documentation. The following data elements contain critical information: 1. Date of Application (element 7) 2. Date of Eligibility Determination (element 38) 3. Date of Most Recent or Amended Individualized Plan for Employment (IPE) (element 398)* 4. Start Date of Employment in Primary Occupation (element 350) 5. Employment Outcome at Exit (element 356) 6. Date of Exit (element 353) 7. Hourly Wage at Exit (element 359) *In accordance with the RSA-911 data set instructions available at https://rsa.ed.gov/sites/default/files/subregulatory/pd-19-03.pdf data element 398 above is listed as `Date of Initial IPE'. Internal controls Lastly, 2 CFR 200.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).  Condition New York State’s Office of Children and Family Services (OCFS) and State Education Department (SED) did not maintain complete and accurate data with the quarterly submissions of the RSA-911 report. A sample of 25 cases was selected from each department. For each case, the seven key line items were tested to verify the data reported in the case management system matched supporting documentation. During the audit we noted an inconsistency between the compliance supplement requirement and the RSA-911 data set instructions for data element 398 as included above in the Criteria. For testwork purposes the RSA-911 data set instructions were utilized. OCFS For the 25 cases selected for testing at OCFS, 6 samples within the RSA-911 were missing the Start Date of Employment in Primary Occupation (element 350) when compared to the supporting documentation. The VR counselor reviews the data entered into the electronic case management system prior to the submission of the RSA-911 report the missing information was not identified during the reviews of those 6 cases. SED For the 25 cases selected for testing at SED, the list below summarizes the key line elements the department could not provide supporting documentation or discrepancies were noted as follows: • Date of Application- 3 cases the data provided on the underlying application did not agree to data reported on the RSA-911 and 1 case no support was provided. • Date of Eligibility Determination- One case the date of eligibility provided by management on the eligibility determination worksheet did not agree to the date that was reported on the RSA-911. • Date of Initial IPE- 2 cases only an unsigned initial IPE was provided; 2 cases the IPE provided had a different date than the date that was reported on the RSA-911; and 5 cases no IPE was provided by management to support the cases selected. • Start date of employment in primary occupation- 3 cases the start date was not reported on the RSA-911 when it was readily available in the underlying support provided. • Date of Exit: 1 case the date of exit on underlying support provided did not agree to the date that was reported on the RSA-911. In addition, on a quarterly basis SED management performs a review on a sample of cases at the 15 local offices. Our testwork of this review noted for 2 cases the internal review checklists could not provided to evidence the review and for 6 cases outliers were identified in the review however management could not provide any evidence for resolution of the outlier, or support it was communicated or corrected. Lastly, we also noted the quarterly review process was not performed on any cases for the quarter ended March 31, 2023. Cause OCFS The condition related to a deficiency in the operation of the review process not occurring at a precision necessary to identify missing information during the review that is required to be reported on the RSA-911 report.   SED The condition related to a deficiency in the operation of the review process not occurring at a precision necessary to identify missing information during the review that is required to be reported on the RSA-911 report. Additionally, SED was preparing to transition to a new case management system and did not perform case reviews for the quarter ended March 31, 2023. Possible Asserted Effect Failure to perform proper review of the data recorded in the case management system prior to the submission of the RSA-911 report can result in incorrect and/or missing data elements of the seven key line items noted for the Case Service Report. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that OCFS and SED ensure its review process of the underlying cases operate at a precision necessary to identify missing and incorrect data to ensure complete and accurate data is submitted on the RSA-911 reports.

Federal Agency: United States Department of Health and Human Services Federal Program: CCDF Cluster (93.489, 93.575 and 93.596) Federal Award Numbers: 2001NYCCDD, 2101NYCCDD, 2201NYCCDD, 2001NYTANF, 2101NYTANF 2201NYTANF Federal Award Years: 2020, 2021, 2022 State Agency: Office of Children and Family Services Reference: 2023-011 Criteria Subrecipient monitoring Title U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.352(d) states all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved, including the requirements contained in 45 CFR section 98.60, related to the recovery of child care payments that are the result of fraud as these payments shall be recovered from the party responsible for committing the fraud. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. Additionally, 45 CFR 75.352(b) states all pass-through entities must evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring, which may include consideration of such factors as: (1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with subpart F, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of HHS awarding agency monitoring (e.g., if the subrecipient also receives federal awards directly from a HHS awarding agency).  Further, 45 CFR 75.352(e) sates, depending upon the pass-through entity’s assessment of risk posed by the subrecipient, the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; (2) Performing on-site reviews of the subrecipient’s program operations; and (3) Arranging for agreed-upon procedures engagements as described in 45 CFR 75.425. Internal controls Lastly, 45 CFR 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition During the fiscal year ended March 31, 2023, the Office of Children and Family Services (the Office) passed through approximately $530 million under the CCDF Cluster, to local districts (or subrecipients) to provide programmatic services under the CCDF Cluster. As part of the funding arrangement, the local districts are responsible for the administration of the federal program, including performing participant benefit eligibility determinations, payment of childcare subsidies, and monitoring for fraud. During our testwork over the subrecipient monitoring process we identified the following: 1. The Office prepared its annual risk assessment process and assessed risk related to its subrecipients/local districts. For the State fiscal year ended March 31, 2023, we noted that the Office did not select subrecipients/local districts based upon their risk assessment and only performed and completed one monitoring visit during the audit period. 2. The subrecipients/local districts are responsible for implementing policies and procedures related to fraud and improper payments. The Office requires each subrecipient/local district to have a plan in place for fraud detection that is reviewed and approved by the Office. As part of its monitoring procedures the Office has general inquiries it makes related to plan itself and will identify as part of its case review if the selected case was an improper payment. While these inquiries were made, we were not able to obtain any documented evidence that supports the results of those discussions, and the issued report for the one monitoring review selected for testwork also did not comment on these discussions. As a result, we could not verify through written documentation that the Office performed any monitoring to ensure that the subrecipient/local district is in compliance with its approved plan.  Cause The condition found was primarily due to the Office developing a new monitoring plan for the subrecipients/local districts during fiscal year 2023, of which would be implemented during fiscal year 2024. Additionally, the Office does not document the results of the monitoring procedures performed over the fraud and improper payment plans in place at the subrecipients/local districts. Possible Asserted Effect The lack of executed monitoring procedures over subawards provided to subrecipients/local districts could result in the use of federal funding provided under the federal award not being in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Questioned Costs Cannot be determined. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Office enhance its subrecipient monitoring policies, procedures and internal controls to ensure the Office is monitoring subrecipients/local districts in accordance with the federal requirements. The Office should also ensure its monitoring procedures include a review of the fraud and improper payment plans at the subrecipients/local districts.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) Federal Award Numbers: 2101NYTANF, 2201NYTANF, 2301NYTAN3, 2301NYTANF Federal Award Years: 2021, 2022 and 2023 State Agency: Office of Temporary and Disability Assistance Reference: 2023-012 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements who make first tier subawards of $30,000 or more are required to register in the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) and report subaward data through FSRS. Aspects of the Transparency Act, as amended by Section 6202(a) of the Government Funding Transparency Act of 2008 (Pub. L. No. 111-252), that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards for HHS Awards, section 75.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a Federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a Federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 45 CFR 75.2 defines Subrecipient as a non-Federal entity that receives a subaward from a passthrough entity to carry out part of a Federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a Federal awarding agency. Internal controls Lastly, 45 CFR 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Office of Temporary and Disability Assistance (the Office) did not correctly report awards granted to some of its subrecipients for the Temporary Assistance for Needy Families program for the period April 2022 through March 2023 as required by FFATA. FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers For the period of April 2022 to March 2023, the Office of Temporary and Disability Assistance (the Office) incorrectly reported some of the subrecipient expenditures over $30,000. As a result of our testwork over this period we noted the following: During our testing, we noted the Office's control procedures did not identify incorrect amounts reported during its FFATA submission for some of its subrecipients. We noted the following exceptions: The Office incorrectly reported 11 subawards for a total of $22,013. For 5 of the 11 awards, the amount was incorrect due to a data entry error resulting in a $22,013 difference. For 6 of the 11 awards, the incorrect subaward number was reported due to a data entry error. The amount was reported correctly, however, the subaward was incorrect and therefore the net difference in the amount was $0. Cause The condition is due to oversight errors when submitting the reports. All information was entered and recorded, however the review was not at a level of precision to identify data entry errors prior to submission of the reports. Possible Asserted Effect Failure to correctly submit all subawards passed-through to subrecipients and subcontractors under subawards as defined by 45 CFR 75.2 in the Office's FFATA reporting could result in the Office reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding A similar finding was included in the 2022 Single Audit Report as finding number 2022-012 on pages 45–47. Recommendation We recommend that the Office enhance its review of the submissions of the amounts passed-through to subrecipients and subcontractors under subawards as defined in 45 CFR 75.2 that are reported in accordance with the FFATA federal regulations to ensure its at a level of precision to identify data entry errors prior to submission.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) CCDF Cluster (93.575 and 93.596) Adoption Assistance (93.659) Social Services Block Grant (93.667) Federal Award Numbers: 1701NYTANF, 1801NYTANF, 1901NYTANF, 2001NYTANF, 2101NYTANF, 2101NYTANFC6, 2201NYTAN3, 2201NYTANF, 2301NYTAN3, 2301NYTANF 1701NYCCDF, 2001NYCCC3, 2001NYCCDD, 2001NYTANF, 2101NYCCC5, 2101NYCCDD, 2101NYCCDF, 2101NYCCDM, 2101NYCDC6, 2101NYCSC6, 2101NYTANF, 2201NYCCDD, 2201NYTANF 1801NYADPT, 1901NYADPT, 2001NYADPT, 2101NYADPT, 2201NYADPT, 2301NYADPT 2101NYSOSR, 2101NYTANF, 2201NYSOSR, 2201NYTANF Federal Award Years: 2017, 2018, 2019, 2020, 2021, 2022, and 2023 State Agency: Office of Temporary and Disability Assistance Office of Children and Family Services Reference: 2023-013 Criteria Internal controls Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition New York State Information Technology Services (ITS) manages the IT environment for the Automated Claiming System (ACS). IT application controls for ACS are relied upon by Office of Temporary and Disability Assistance (OTDA) and the Office of Children and Family Services (OCFS) for the administration of claims submitted by the local districts that administer the following federal programs as subrecipients of the State of New York (the State): • Temporary Assistance for Needy Families • Social Services Block Grant • CCDF Cluster • Adoption Assistance ITS management of ACS includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the general information technology controls over ACS: 1) For 9 out of 13 instances related to de-provisioning of access for terminated employees to the ACS application, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. In 7 of the 9 instances, the terminated employee had ‘inquiry only’ access. Upon audit inquiry, we obtained system documentation for the 9 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. Furthermore, we conducted testing over provisioning access to the application and privileged access, including migrator and developer access, for the ACS system, and noted those users did not access the system after termination. We determined that none of these users were part of the migrator groups or developer groups or admin users. 2) Users with access rights allowing them to provision access to the ACS application were reviewing their own access as part of the periodic user access review control. As a result, we verified that all reviewers were active and appeared to be appropriate per job title/responsibility. We also verified the system configuration for the user access review and determined that it is configured to automatically revoke access after one year without access and is operating as designed. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The control was designed such that individuals with access rights that allow them to perform provisioning activities were responsible for reviewing their own access as part of the periodic user access review control. Possible Asserted Effect Failure to have a reliable general information technology environment over logical access may result in unauthorized changes being made to ACS, which may result in erroneous reliance on the operating effectiveness of automated information technology control over subrecipient payments allowability. Failure to have effective internal controls over subrecipient payments allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable  Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure either management personnel at the State agencies/entities are notifying their respective IT departments or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination from the State; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management restrict individuals with access rights that allow them to perform provisioning activities from reviewing their own access rights. Lastly, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Health and Human Services Federal Program: Social Services Block Grant (93.667) Federal Award Numbers: 2010NYSOR, 2201NYSOR, 2101NYTANF, 2021NYTANF Federal Award Years: 2021 and 2022 State Agency: Office of Children and Family Services Reference: 2023-014 Criteria Subrecipient monitoring Title U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.352(d) states all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved including ensuring that information related to eligible participants reported by the district offices used to compile the annual Post Expenditure Report is complete and accurate. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. Performance Reporting - Post-Expenditure Report The 42 USC 1397e requires states and territories to submit to the federal administering agency, the Office of Community Services, an annual Post Expenditure Report no later than six months following the close of the fiscal year. Internal controls Lastly, 45 CFR 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).  Condition During the fiscal year ended March 31, 2023, the Office of Children and Family Services (the Office) passed through $297,149,657 under the Social Services Block Grant (SSBG) program, to local districts (or subrecipients) to provide programmatic services under the SSBG program. As part of the funding arrangement, the local districts are responsible for the administration of the federal program, including ensuring that costs incurred under the federal program are in compliance with federal regulations. During the fiscal year ended March 31, 2023, we noted on an annual basis, the Office submits the Post-Expenditure Report to the Federal Office of Community Services. As part of the federal reporting process, the Office is required to report the number of eligible individuals who received services paid for in part or in whole with federal funds under the SSBG program. All participant services are provided directly by the local district offices. In order to obtain the number of eligible individuals by services category to be included on the report, the Department obtains the information directly from the Welfare Reporting and Tracking Systems (WRTS). The WRTS system contains data from the State’s Welfare Management System (WMS) and the Benefits Issuance Control System (BICS). As it is the responsibility of the district offices to determine eligibility for services, the Office is relying on the district offices to have data entered complete and accurate information within the WMS and BICS systems. During our testwork, there did not appear to be any monitoring procedures performed during the fiscal year ended March 31, 2023 to ensure that this information is complete and accurate and that benefits were only provided to eligible participants. Cause The condition found was primarily due to the monitoring procedures implemented by the Office does not include a review to ensure that the participant was eligible to receive services, which would assist in assuring that the data reported on the Post-Expenditure Report is accurate. Possible Asserted Effect The lack of executed monitoring procedures over subawards provided to subrecipients could result in the use of federal funding provided under the federal award not being in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Questioned Costs Cannot be determined. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding A similar finding was included in the 2022 Single Audit Report as finding number 2022-015 on pages 53-55. Recommendation We recommend that the Office should also review its monitoring procedures to ensure that they are reviewing to determine if participants were eligible to receive services to assist in assuring that the data reported within the annual Post-Expenditure Report is complete and accurate. Such monitoring activities should be performed at a precision level that would detect and identify errors in that could impact the accuracy of the annual Post-Expenditure Report.

Federal Agency: Department of Health and Human Services Federal Program: Block Grants for Community Mental Health Services (93.958) Federal Award Numbers: 6B09SM083819-01M001; 6B09SM083990-01M002; 1B09SM085374-01; 1B09SM085374-01; 1B09SM085902-01; 6B09SM086027-01M003 Federal Award Years: 2021 and 2022 State Agency: Office of Mental Health Reference: 2023-015 Criteria Maintenance of effort Title 42 U.S. Code 300x, Formula grants to States (42 USC 300x) section 300x-4(b)(1) states a funding agreement for a grant under this title is that the State involved will maintain State expenditures for community mental health services at a level that is not less than the average level of such expenditures maintained by the State for the 2-year period preceding the fiscal year for which the State is applying for the grant. Internal controls Additionally, Title 45 Code of Federal Regulations Part 75, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (45 CFR 75) section 303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the Federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Office of Mental Health (the Office) performed the annual maintenance of effort (MOE) calculation and submitted it to the Substance Abuse and Mental Health Services Administration. The source data for the calculation is a combination of data compiled by the Office's Community Budget and Financial Management Group and the Strategic Financial Direction Group. The source data for the reports are pulled from the NYS Statewide Financial System and the eMEDNY system. Data used in the calculations is linked to a live time data source and is a point in time data pull from the live data source. With the data being linked to the live time data source, any refinements and changes in data categorization would be reflected in the historical files. During our testing, we noted that while management did maintain the underlying supporting detail at the time of its submission of the annual MOE calculation, the integrity of the data was lost due to the linkage to the live time data source. As the underlying detail was unavailable due to the live time data links, we were unable to assess the completeness and accuracy of the State expenditures utilized to support the Office meeting the MOE requirement. Cause The condition caused was due to the Office's policies and procedures, including its internal control not designed to maintain appropriate supporting documentation related to the Maintenance of Effort calculation. Possible Asserted Effect Failure to maintain appropriate supporting documentation could result in the Office's inability to appropriately assess the degree of accuracy with respect to the maintenance of effort calculations and the amounts determined are not accurate and complete as reported to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Office review and enhance its policies, procedures, and internal controls to ensure that the sources of data be maintained to support the calculation of the Maintenance of Effort requirement for each grant.

Federal Agency: Department of Health and Human Services Federal Program: Block Grants for Community Mental Health Services (93.958) Federal Award Numbers: 6B09SM083819-01M001; 6B09SM083990-01M002; 1B09SM085374-01; 1B09SM085374-01; 1B09SM085902-01; 6B09SM086027-01M003 Federal Award Years: 2021 and 2022 State Agency: Office of Mental Health Reference: 2023-016 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards for HHS Awards, section 75.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 45 CFR 75.2 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Internal controls Lastly, 45 CFR 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Office of Mental Health (the Office) did not report awards granted to subrecipients for the Block Grants for Community Mental Health Services program for the period April 2022 through March 2023 as required by FFATA. FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers During our testing, we noted that the Office did not establish control procedures to submit FFATA reports for all subawards as required by federal regulations. During our testwork of 40 subawards, we noted the following exceptions: Cause The condition found was due to the Office not having controls in place to ensure that FFATA reporting was being performed for the period April 2022 – March 2023. Possible Asserted Effect Failure to submit all subawards passed-through to subrecipients and subcontractors under subawards as defined by 45 CFR 75.2 in the Office's FFATA reporting could result in the Office reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Office of Mental Health implement policies, procedures, and internal controls to ensure that all amounts passed-through to subrecipients and subcontractors under subawards as defined in 45 CFR 75.2 are reported in accordance with the FFATA federal regulations.

Federal Agency: Department of Health and Human Services Federal Program: Block Grants for Community Mental Health Services (93.958) Federal Award Numbers: 6B09SM083819-01M001; 6B09SM083990-01M002; 1B09SM085374-01; 1B09SM085374-01; 1B09SM085902-01; 6B09SM086027-01M003 Federal Award Years: 2021 and 2022 State Agency: Office of Mental Health Reference: 2023-017 Criteria Subrecipient monitoring Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, Section 352(a) states all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information include: (1) Federal Award Identification. i) Subrecipient name (which must match the name associated with its unique entity identifier; ii) Subrecipient’s unique entity identifier; iii) Federal Award Identification Number (FAIN); iv) Federal Award Date (see Section 75.2 Federal award date) of award to the recipient by the HHS awarding agency; v) Subaward Period of Performance Start and End Date; vi) Amount of Federal Funds Obligated by this action by the pass-through entity to the subrecipient; vii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity including the current obligation; viii) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity; ix) Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA); x) Name of HHS awarding agency, pass-through entity, and contract information for awarding official of the pass-through entity; xi) CFDA Number and Name; the pass-through entity must identify the dollar amount made available under each Federal award and the CFDA number at time of disbursement;  xii) Identification of whether the award is R&D; and xiii) Indirect cost rate for the Federal award (including if the de minimis rate is charged per Section 75.414). Title 45 Code of Federal Regulations Part 75, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (45 CFR 75), section 352(b) states all pass-through entities must evaluate each subrecipient's risk of noncompliance with Federal Statues, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring as described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with subpart F, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of HHS awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a HHS awarding agency). Additionally, 45 CFR 75.352(d) states all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by Section 75.521. 45 CFR 74.352(e) states depending upon the pass-through entity's assessment of risk posed by the sub recipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program related matters; and (2) Performing on-site reviews of the subrecipient's program operations; Further, 45 CFR 75.352(f) states the pass-through entity must verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient's Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in § 200.501. Internal controls Lastly, 45 CFR 75.303 (a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal Entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition During the fiscal year ended March 31, 2023, the Office of Mental Health (the Office) passed through $100,181,501 under the Block Grants for Community Mental Health Services program, to local districts and providers (subrecipients) to provide programmatic and administrative services. As part of the funding arrangement, the local districts and providers (subrecipients) are responsible for carrying out the programmatic services and use the funds to provide comprehensive, community‐based mental health services to adults with serious mental illnesses and to children with serious emotional disturbances and to monitor progress in implementing a comprehensive, community based mental health system. Funds are used for prevention, treatment, recovery support, and other services to supplement Medicaid, Medicare, and private insurance services. When subawards are made to subrecipients, the pass-through entities are required to communicate certain award information. The Office’s policies and procedures are not designed to ensure that award notifications are provided to subrecipients as required by 45 CFR 75.352(a). During our testwork of 40 subrecipient award notifications, we noted the following: 1. For 8 subrecipients, the Federal Award Identification Number (FAIN) was not provided. 2. For 11 subrecipients, which are all New York State Counties, there was no notification of access to records. 3. For 22 of the subrecipients, there was no notification of the DUNS number. All pass-through entities are required to perform a risk assessment over each subrecipient’s risk of noncompliance for purposes of determining appropriate subrecipient monitoring procedures. The Office did not perform an annual risk assessment process related to its subrecipients as required by 45 CFR 75.352(b). Additionally, all pass-through entities must monitor the activities of the subrecipient which must include review of financial and performance reports, follow up to ensure the subrecipient takes timely and appropriate action on any deficiencies identified, and issue a management decision for audit findings. The Office did not monitor and retain documentation of review of financial and performance reports, follow up to ensure appropriate action on any deficiencies identified, nor issue a management decision for audit findings. Lastly, all pass-through entities are required to verify each subrecipient is audited, if required. The Office did not ensure that all required single audits of the program’s subrecipients were received, reviewed, followed-up, or appropriate action was taken and as necessary issued a management decision pertaining to the audit finding in accordance with 45 CFR 75, as applicable. Cause The condition found is primarily due to the lack of written policies and procedures to ensure that: 1. all required award identification information per 45 CFR 75.352(a) is communicated to the subrecipients for each federal subaward period; 2. an appropriate risk assessment process is in place per 45 CFR 75.352(b);   3. during award monitoring procedures are performed per 45 CFR 75.352(d); and 4. review of the subrecipient single audit reports are performed per 45 CFR 75.352(f). Possible Asserted Effect Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award. Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures, failure to review financial and performance reports of subrecipients, as well as failure to obtain and review subrecipient single audit reports may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award. Questioned Costs Cannot be determined. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Office enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients of the Office as data elements change or funding is passed-through. We recommend that the Office implement policies, procedures, and internal controls to ensure that risk assessments of subrecipients are performed on an annual basis to determine appropriate monitoring of subrecipients is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e). Lastly, we recommend that the Office implement policies, procedures, and internal controls to track and review all subrecipients’ single audit submissions per 45 CFR 75.252(f).

Federal Agency: United States Department of Health and Human Services Federal Program: Block Grants for Prevention and Treatment of Substance Abuse (93.959) Federal Award Numbers: 21B1NYSAPT, 21B1NYSAPTC5, 21B1NYSAPTC6, 21B3NYSAPTC6, 22B1NYSAPT Federal Award Years: 2021 and 2022 State Agency: Office of Addiction Services and Support Reference: 2023-018 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards for HHS Awards, section 75.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 45 CFR 75.2 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Internal controls Lastly, 45 CFR 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Office of Addition Services and Support (OASAS) did not report awards granted to subrecipients for the Block Grants for Prevention and Treatment of Substance Abuse program for the period April 2022 through March 2023 as required by FFATA. FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers During our testwork, we noted OASAS did not establish control procedures to submit FFATA reports for all subawards. We noted the following exceptions: Cause The condition found was due to staffing changes and constraints brought on by COVID-19, this requirement was not appropriately considered and FFATA reporting was not completed during the fiscal year.  Possible Asserted Effect Failure to submit all subawards passed-through to subrecipients and subcontractors under subawards as defined by 45 CFR 75.2 in OASAS’s FFATA reporting could result in OASAS reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend OASAS review and enhance its policies, procedures, and internal controls to ensure that all amounts passed-through to subrecipients and subcontractors under subawards as defined in 45 CFR 75.2 are reported in accordance with the FFATA federal regulations.

Federal Agency: United States Department of Health and Human Services Federal Program: Block Grants for Prevention and Treatment of Substance Abuse (93.959) Federal Award Numbers: 21B1NYSAPT, 21B1NYSAPTC5, 21B1NYSAPTC6, 21B3NYSAPTC6, 22B1NYSAPT Federal Award Years: 2021 and 2022 State Agency: Office of Addiction Services and Support Reference: 2023-019 Criteria Subrecipient monitoring Title 45 Code of Federal Regulations Part 75, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (45 CFR 75), section 352(b) states all pass-through entities must evaluate each subrecipient's risk of noncompliance with Federal Statues, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring as described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with subpart F, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of HHS awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a HHS awarding agency). Internal controls Further, 45 CFR 75.303 (a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal Entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition During our testwork, we noted the Office of Addiction Services and Support (OASAS) had developed and implemented a risk assessment process to help identify entities with higher risks that required additional monitoring procedures. Initially the risk assessment process begins with the programmatic input and is provided to the Fiscal Audit and Review Unit (FARU) to provide additional risk assessment factors. However, the agency was unable to provide documentation to support the additional risk factors considered by FARU. The documentation provided indicated that entities determined to be higher risk did not align with the entities selected and for which additional monitoring procedures were performed. Cause The condition found was because the agency was not able to provide documentation to support the additional risk factors considered by FARU that determined the higher risk entities reviewed for the fiscal year. Possible Asserted Effect Failure to properly document all program and fiscal risk factors considered in identifying higher risk subrecipients may result in inadequate incremental monitoring procedures being performed and subrecipients not being in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend the Office continue to enhance its subrecipient monitoring policies, procedures and internal control to help ensure the Office is monitoring subrecipients in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e). Such monitoring activities should be performed and documented to show all considerations made when determining which subrecipients would be subject to additional monitoring procedures.

Federal Agency: United States Department of Agriculture Federal Program: Child Nutrition Cluster (10.555, 10.559, and 10.582) Federal Award Numbers: 202323N119944, 202221N119944-SED Federal Award Years: 2022 and 2023 State Agency: State Education Department Reference: 2023-005 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, section 200.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 2 CFR 200.2 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Internal controls Lastly, 2 CFR 200.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers During our testwork, we noted for the period of December 2022 through March 2023, the State Education Department (the Department) did not timely report any amounts passed-through to its subrecipients. During our testwork of 40 subawards, we noted the following exceptions: Cause The condition found was due to staffing shortages and the responsibility for FFATA reporting was not transferred between employees. Possible Asserted Effect Failure to submit all subawards passed-through to subrecipients and subcontractors under subawards as defined by 2CFR 200.2 in SED’s FFATA reporting could result in the Department reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Department review and enhance its policies, procedures, and internal controls to ensure that all amounts passed-through to subrecipients and subcontractors under subawards as defined in 2 CFR 200.2 are reported in accordance with the FFATA federal regulations.

Federal Agency: United States Department of Agriculture Federal Program: Child Nutrition Cluster (10.555, 10.559, and 10.582) Federal Award Numbers: 202323N119944, 202221N119944-SED Federal Award Years: 2022 and 2023 State Agency: State Education Department Reference: 2023-005 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, section 200.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 2 CFR 200.2 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Internal controls Lastly, 2 CFR 200.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers During our testwork, we noted for the period of December 2022 through March 2023, the State Education Department (the Department) did not timely report any amounts passed-through to its subrecipients. During our testwork of 40 subawards, we noted the following exceptions: Cause The condition found was due to staffing shortages and the responsibility for FFATA reporting was not transferred between employees. Possible Asserted Effect Failure to submit all subawards passed-through to subrecipients and subcontractors under subawards as defined by 2CFR 200.2 in SED’s FFATA reporting could result in the Department reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Department review and enhance its policies, procedures, and internal controls to ensure that all amounts passed-through to subrecipients and subcontractors under subawards as defined in 2 CFR 200.2 are reported in accordance with the FFATA federal regulations.

Federal Agency: United States Department of Agriculture Federal Program: Child Nutrition Cluster (10.555, 10.559, and 10.582) Federal Award Numbers: 202323N119944, 202221N119944-SED Federal Award Years: 2022 and 2023 State Agency: State Education Department Reference: 2023-005 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, section 200.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 2 CFR 200.2 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Internal controls Lastly, 2 CFR 200.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers During our testwork, we noted for the period of December 2022 through March 2023, the State Education Department (the Department) did not timely report any amounts passed-through to its subrecipients. During our testwork of 40 subawards, we noted the following exceptions: Cause The condition found was due to staffing shortages and the responsibility for FFATA reporting was not transferred between employees. Possible Asserted Effect Failure to submit all subawards passed-through to subrecipients and subcontractors under subawards as defined by 2CFR 200.2 in SED’s FFATA reporting could result in the Department reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Department review and enhance its policies, procedures, and internal controls to ensure that all amounts passed-through to subrecipients and subcontractors under subawards as defined in 2 CFR 200.2 are reported in accordance with the FFATA federal regulations.

Federal Agency: United States Department of Housing and Urban Development Federal Program: CDBG – Disaster Recovery Grants – Pub. L. No. 113-2 Cluster (14.269, 14.272) Federal Award Number: B13DS360001 Federal Award Years: 2013 State Agency: Housing Trust Fund Corporation and Governor’s Office of Storm Recovery Reference: 2023-006 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, herein referred to as the "Transparency Act" that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200) Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, section 200.1 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 2 CFR 200.1 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal program; but does not include an individual that is a beneficiary of such program. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Internal controls Lastly, 2 CFR 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the Federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).  Condition The Housing Trust Fund Corporation (HTFC) did not report awards granted to subrecipients for the CDBG – Disaster Recovery Grants program for the period April 2022 through March 2023 as required by FFATA. FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers During our testing, we noted that HTFC did not establish control procedures to submit FFATA reports for all subawards as required by federal regulations. During our testwork of 7 subawards and 6 amendments, we noted the following exceptions: *For the 5 of 7 sampled subawards, the subaward amounts of $191,367,261 were incorrectly reported in FSRS as $7,757,484,755. **For one of the 7 sampled subawards the obligation date did not agree to FSRS and 7 of 7 subawards were missing the date of report submission (key data element). Cause The condition found was due to HTFC not reporting any amounts passed-through to subrecipients for the period April 2022 – March 2023 because the responsibility for FFATA reporting was not transferred between employees. Possible Asserted Effect Failure to submit all subaward amounts passed-through to subrecipients and subcontractors under subawards as defined by 2 CFR 200.1 in HTFC’s FFATA reporting could result in HTFC reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that HTFC review and enhance its policies, procedures, and internal controls to ensure that all amounts passed-through to subrecipients and subcontractors under subawards as defined in 2 CFR 200.1 are reported in accordance with the FFATA federal regulations. In addition, we recommend that HTFC use obligation date for FFATA reporting.

Federal Agency: United States Department of Labor Federal Program: Unemployment Insurance (17.225) Federal Award Numbers: Not Applicable Federal Award Years : Not Applicable State Agency: Department of Labor Reference: 2023-007 Criteria Special Tests and Provisions – UI Benefit Payments The Payments Integrity Information Act (PIIA) of 2019 codified the requirement for valid statistical estimates of improper payments. by Title 20 Code of Federal Regulations Part 602 (20 CFR 602), Quality Control in the Federal-State Unemployment System, prescribes a Quality Control (QC) program for the Federal-State unemployment compensation (UC) system, which is appliable to the State UC programs and the Federal unemployment benefit and allowance programs administered by the State unemployment compensation agencies under agreements between the States and the Secretary of Labor. 20 CFR 602.11(d) states to satisfy the requirements of Section 303(a)(1) and (6) of the Social Security Act (SSA) (42 USC 503), a State law must contain a provision requiring, or which is construed to require, the establishment and maintenance of a QC program in accordance with the requirements of this part. The establishment and maintenance of such a QC program in accordance with this part shall not require any change in State law concerning authority to undertake redeterminations of claims or liabilities or the finality of any determination, redetermination or decision. Each State shall establish a QC unit independent of, and not accountable to, any unit performing functions subject to evaluation by the QC unit. The organizational location of this unit shall be positioned to maximize its objectivity, to facilitate its access to information necessary to carry out its responsibilities, and to minimize organizational conflict of interest. Per 20 CFR 602.21 – Standard methods and Procedures, Each State Shall: (a) Perform the requirements of this section in accordance with instructions issued by the Department, pursuant to § 602.30(a) of this part, to ensure standardization of methods and procedures in a manner consistent with this part; (b) Select representative samples for QC study of at least a minimum size specified by the Department to ensure statistical validity (for benefit payments, a minimum of 400 cases of weeks paid per State per year);   (c) Complete prompt and in-depth case investigations to determine the degree of accuracy and timeliness in the administration of the State UC law and Federal programs with respect to benefit determinations, benefit payments, and revenue collections; and conduct other measurements and studies necessary or appropriate for carrying out the purposes of this part; and in conducting investigations each State shall: (1) Inform claimants in writing that the information obtained from a QC investigation may affect their eligibility for benefits and inform employers in writing that the information obtained from a QC investigation of revenue may affect their tax liability, (2) Use a questionnaire, prescribed by the Department, which is designed to obtain such data as the Department deems necessary for the operation of the QC program; require completion of the questionnaire by claimants in accordance with the eligibility and reporting authority under State law, (3) Collect data identified by the Department as necessary for the operation of the QC program; however, the collection of demographic data will be limited to those data which relate to an individual's eligibility for UC benefits and necessary to conduct proportions tests to validate the selection of representative samples (the demographic data elements necessary to conduct proportions tests are claimants' date of birth, sex, and ethnic classification); and (4) Conclude all findings of inaccuracy as d(a) Perform the requirements of this section in accordance with instructions issued by the Department, pursuant to § 602.30(a) of this part, to ensure standardization of methods and procedures in a manner consistent with this part; (d) Classify benefit case findings resulting from QC investigations as: (1) Proper payments, underpayments, or overpayments in benefit payment cases, or (2) Proper denials or underpayments in benefit denial cases; (e) Make and maintain records pertaining to the QC program, and make all such records available in a timely manner for inspection, examination, and audit by such Federal officials as the Secretary may designate or as may be required or authorized by law; (f) Furnish information and reports to the Department, including weekly transmissions of case data entered into the automated QC system and annual reports, without, in any manner, identifying individuals to whom such data pertain; and (g) Release the results of the QC program at the same time each year, providing calendar year results using a standardized format to present the data as prescribed by the Department; States will have the opportunity to release this information prior to any release by the Department. Internal controls Additionally, Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200) Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, section 303(a) states, the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statues, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Benefit Accuracy Measurement (BAM) programs consists of reviews of Regular Unemployment Insurance (UI) payments, which are paid out of the Unemployment Insurance Trust Fund, and therefore are not associated with a Federal Award Number. For the period ending September 30, 2022, NYS failed the 90- and 120-day time lapse requirement for both Paid and Denied Claims. For the month of September 2022, for Paid Claims, 92.08% of cases were reviewed and closed within 90 days, less than 3% short of the required 95%. Similarly, 96.25% of cases were reviewed and closed within 120 days, less than 2% short of the required 98% federal benchmark. Also, for the month of September 2022, for Denied Claims, 96.66% of cases were reviewed and closed within 120 days, less than 2% short of the required 98%. Cause The condition related to the time lapse requirements results from a shortage of staff and backlogged cases. As a result, the Department was unable to meet all case allocation and timely review requirements. Possible Asserted Effect Failure to perform timely completion of investigations results in the inability of UI Program to appropriately assess the degree of accuracy and timeliness in the administration of the State UC law and federal programs with respect to benefit determinations, benefit payments, and revenue collections. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding A similar finding for the Department was included in the 2022 Single Audit Report as finding number 2022-004 at pages 25-27. Recommendation We recommend that the Department ensures that their polices and procedures are designed to review selected cases to ensure they meet the prescribed criteria and, if necessary, be replaced as part of the final sampling week for the PIIA year. Additionally, the Department should enhance its process to ensure the completion of Paid and Denied cases are reviewed and closed timely in accordance with State Law.

Federal Agency: United States Department of Health and Human Services Federal Program: CCDF Cluster (93.489, 93.575 and 93.596) Federal Award Numbers: 2001NYCCDD, 2101NYCCDD, 2201NYCCDD, 2001NYTANF, 2101NYTANF 2201NYTANF Federal Award Years: 2020, 2021, 2022 State Agency: Office of Children and Family Services Reference: 2023-011 Criteria Subrecipient monitoring Title U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.352(d) states all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved, including the requirements contained in 45 CFR section 98.60, related to the recovery of child care payments that are the result of fraud as these payments shall be recovered from the party responsible for committing the fraud. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. Additionally, 45 CFR 75.352(b) states all pass-through entities must evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring, which may include consideration of such factors as: (1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with subpart F, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of HHS awarding agency monitoring (e.g., if the subrecipient also receives federal awards directly from a HHS awarding agency).  Further, 45 CFR 75.352(e) sates, depending upon the pass-through entity’s assessment of risk posed by the subrecipient, the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; (2) Performing on-site reviews of the subrecipient’s program operations; and (3) Arranging for agreed-upon procedures engagements as described in 45 CFR 75.425. Internal controls Lastly, 45 CFR 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition During the fiscal year ended March 31, 2023, the Office of Children and Family Services (the Office) passed through approximately $530 million under the CCDF Cluster, to local districts (or subrecipients) to provide programmatic services under the CCDF Cluster. As part of the funding arrangement, the local districts are responsible for the administration of the federal program, including performing participant benefit eligibility determinations, payment of childcare subsidies, and monitoring for fraud. During our testwork over the subrecipient monitoring process we identified the following: 1. The Office prepared its annual risk assessment process and assessed risk related to its subrecipients/local districts. For the State fiscal year ended March 31, 2023, we noted that the Office did not select subrecipients/local districts based upon their risk assessment and only performed and completed one monitoring visit during the audit period. 2. The subrecipients/local districts are responsible for implementing policies and procedures related to fraud and improper payments. The Office requires each subrecipient/local district to have a plan in place for fraud detection that is reviewed and approved by the Office. As part of its monitoring procedures the Office has general inquiries it makes related to plan itself and will identify as part of its case review if the selected case was an improper payment. While these inquiries were made, we were not able to obtain any documented evidence that supports the results of those discussions, and the issued report for the one monitoring review selected for testwork also did not comment on these discussions. As a result, we could not verify through written documentation that the Office performed any monitoring to ensure that the subrecipient/local district is in compliance with its approved plan.  Cause The condition found was primarily due to the Office developing a new monitoring plan for the subrecipients/local districts during fiscal year 2023, of which would be implemented during fiscal year 2024. Additionally, the Office does not document the results of the monitoring procedures performed over the fraud and improper payment plans in place at the subrecipients/local districts. Possible Asserted Effect The lack of executed monitoring procedures over subawards provided to subrecipients/local districts could result in the use of federal funding provided under the federal award not being in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Questioned Costs Cannot be determined. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Office enhance its subrecipient monitoring policies, procedures and internal controls to ensure the Office is monitoring subrecipients/local districts in accordance with the federal requirements. The Office should also ensure its monitoring procedures include a review of the fraud and improper payment plans at the subrecipients/local districts.

Federal Agency: United States Department of Health and Human Services Federal Program: CCDF Cluster (93.489, 93.575 and 93.596) Federal Award Numbers: 2001NYCCDD, 2101NYCCDD, 2201NYCCDD, 2001NYTANF, 2101NYTANF 2201NYTANF Federal Award Years: 2020, 2021, 2022 State Agency: Office of Children and Family Services Reference: 2023-011 Criteria Subrecipient monitoring Title U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.352(d) states all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved, including the requirements contained in 45 CFR section 98.60, related to the recovery of child care payments that are the result of fraud as these payments shall be recovered from the party responsible for committing the fraud. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. Additionally, 45 CFR 75.352(b) states all pass-through entities must evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring, which may include consideration of such factors as: (1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with subpart F, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of HHS awarding agency monitoring (e.g., if the subrecipient also receives federal awards directly from a HHS awarding agency).  Further, 45 CFR 75.352(e) sates, depending upon the pass-through entity’s assessment of risk posed by the subrecipient, the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; (2) Performing on-site reviews of the subrecipient’s program operations; and (3) Arranging for agreed-upon procedures engagements as described in 45 CFR 75.425. Internal controls Lastly, 45 CFR 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition During the fiscal year ended March 31, 2023, the Office of Children and Family Services (the Office) passed through approximately $530 million under the CCDF Cluster, to local districts (or subrecipients) to provide programmatic services under the CCDF Cluster. As part of the funding arrangement, the local districts are responsible for the administration of the federal program, including performing participant benefit eligibility determinations, payment of childcare subsidies, and monitoring for fraud. During our testwork over the subrecipient monitoring process we identified the following: 1. The Office prepared its annual risk assessment process and assessed risk related to its subrecipients/local districts. For the State fiscal year ended March 31, 2023, we noted that the Office did not select subrecipients/local districts based upon their risk assessment and only performed and completed one monitoring visit during the audit period. 2. The subrecipients/local districts are responsible for implementing policies and procedures related to fraud and improper payments. The Office requires each subrecipient/local district to have a plan in place for fraud detection that is reviewed and approved by the Office. As part of its monitoring procedures the Office has general inquiries it makes related to plan itself and will identify as part of its case review if the selected case was an improper payment. While these inquiries were made, we were not able to obtain any documented evidence that supports the results of those discussions, and the issued report for the one monitoring review selected for testwork also did not comment on these discussions. As a result, we could not verify through written documentation that the Office performed any monitoring to ensure that the subrecipient/local district is in compliance with its approved plan.  Cause The condition found was primarily due to the Office developing a new monitoring plan for the subrecipients/local districts during fiscal year 2023, of which would be implemented during fiscal year 2024. Additionally, the Office does not document the results of the monitoring procedures performed over the fraud and improper payment plans in place at the subrecipients/local districts. Possible Asserted Effect The lack of executed monitoring procedures over subawards provided to subrecipients/local districts could result in the use of federal funding provided under the federal award not being in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Questioned Costs Cannot be determined. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Office enhance its subrecipient monitoring policies, procedures and internal controls to ensure the Office is monitoring subrecipients/local districts in accordance with the federal requirements. The Office should also ensure its monitoring procedures include a review of the fraud and improper payment plans at the subrecipients/local districts.

Federal Agency: United States Department of Health and Human Services Federal Program: CCDF Cluster (93.489, 93.575 and 93.596) Federal Award Numbers: 2001NYCCDD, 2101NYCCDD, 2201NYCCDD, 2001NYTANF, 2101NYTANF 2201NYTANF Federal Award Years: 2020, 2021, 2022 State Agency: Office of Children and Family Services Reference: 2023-011 Criteria Subrecipient monitoring Title U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.352(d) states all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved, including the requirements contained in 45 CFR section 98.60, related to the recovery of child care payments that are the result of fraud as these payments shall be recovered from the party responsible for committing the fraud. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. Additionally, 45 CFR 75.352(b) states all pass-through entities must evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring, which may include consideration of such factors as: (1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with subpart F, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of HHS awarding agency monitoring (e.g., if the subrecipient also receives federal awards directly from a HHS awarding agency).  Further, 45 CFR 75.352(e) sates, depending upon the pass-through entity’s assessment of risk posed by the subrecipient, the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; (2) Performing on-site reviews of the subrecipient’s program operations; and (3) Arranging for agreed-upon procedures engagements as described in 45 CFR 75.425. Internal controls Lastly, 45 CFR 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition During the fiscal year ended March 31, 2023, the Office of Children and Family Services (the Office) passed through approximately $530 million under the CCDF Cluster, to local districts (or subrecipients) to provide programmatic services under the CCDF Cluster. As part of the funding arrangement, the local districts are responsible for the administration of the federal program, including performing participant benefit eligibility determinations, payment of childcare subsidies, and monitoring for fraud. During our testwork over the subrecipient monitoring process we identified the following: 1. The Office prepared its annual risk assessment process and assessed risk related to its subrecipients/local districts. For the State fiscal year ended March 31, 2023, we noted that the Office did not select subrecipients/local districts based upon their risk assessment and only performed and completed one monitoring visit during the audit period. 2. The subrecipients/local districts are responsible for implementing policies and procedures related to fraud and improper payments. The Office requires each subrecipient/local district to have a plan in place for fraud detection that is reviewed and approved by the Office. As part of its monitoring procedures the Office has general inquiries it makes related to plan itself and will identify as part of its case review if the selected case was an improper payment. While these inquiries were made, we were not able to obtain any documented evidence that supports the results of those discussions, and the issued report for the one monitoring review selected for testwork also did not comment on these discussions. As a result, we could not verify through written documentation that the Office performed any monitoring to ensure that the subrecipient/local district is in compliance with its approved plan.  Cause The condition found was primarily due to the Office developing a new monitoring plan for the subrecipients/local districts during fiscal year 2023, of which would be implemented during fiscal year 2024. Additionally, the Office does not document the results of the monitoring procedures performed over the fraud and improper payment plans in place at the subrecipients/local districts. Possible Asserted Effect The lack of executed monitoring procedures over subawards provided to subrecipients/local districts could result in the use of federal funding provided under the federal award not being in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Questioned Costs Cannot be determined. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Office enhance its subrecipient monitoring policies, procedures and internal controls to ensure the Office is monitoring subrecipients/local districts in accordance with the federal requirements. The Office should also ensure its monitoring procedures include a review of the fraud and improper payment plans at the subrecipients/local districts.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) Federal Award Numbers: 2101NYTANF, 2201NYTANF, 2301NYTAN3, 2301NYTANF Federal Award Years: 2021, 2022 and 2023 State Agency: Office of Temporary and Disability Assistance Reference: 2023-012 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements who make first tier subawards of $30,000 or more are required to register in the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) and report subaward data through FSRS. Aspects of the Transparency Act, as amended by Section 6202(a) of the Government Funding Transparency Act of 2008 (Pub. L. No. 111-252), that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards for HHS Awards, section 75.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a Federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a Federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 45 CFR 75.2 defines Subrecipient as a non-Federal entity that receives a subaward from a passthrough entity to carry out part of a Federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a Federal awarding agency. Internal controls Lastly, 45 CFR 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Office of Temporary and Disability Assistance (the Office) did not correctly report awards granted to some of its subrecipients for the Temporary Assistance for Needy Families program for the period April 2022 through March 2023 as required by FFATA. FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers For the period of April 2022 to March 2023, the Office of Temporary and Disability Assistance (the Office) incorrectly reported some of the subrecipient expenditures over $30,000. As a result of our testwork over this period we noted the following: During our testing, we noted the Office's control procedures did not identify incorrect amounts reported during its FFATA submission for some of its subrecipients. We noted the following exceptions: The Office incorrectly reported 11 subawards for a total of $22,013. For 5 of the 11 awards, the amount was incorrect due to a data entry error resulting in a $22,013 difference. For 6 of the 11 awards, the incorrect subaward number was reported due to a data entry error. The amount was reported correctly, however, the subaward was incorrect and therefore the net difference in the amount was $0. Cause The condition is due to oversight errors when submitting the reports. All information was entered and recorded, however the review was not at a level of precision to identify data entry errors prior to submission of the reports. Possible Asserted Effect Failure to correctly submit all subawards passed-through to subrecipients and subcontractors under subawards as defined by 45 CFR 75.2 in the Office's FFATA reporting could result in the Office reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding A similar finding was included in the 2022 Single Audit Report as finding number 2022-012 on pages 45–47. Recommendation We recommend that the Office enhance its review of the submissions of the amounts passed-through to subrecipients and subcontractors under subawards as defined in 45 CFR 75.2 that are reported in accordance with the FFATA federal regulations to ensure its at a level of precision to identify data entry errors prior to submission.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) CCDF Cluster (93.575 and 93.596) Adoption Assistance (93.659) Social Services Block Grant (93.667) Federal Award Numbers: 1701NYTANF, 1801NYTANF, 1901NYTANF, 2001NYTANF, 2101NYTANF, 2101NYTANFC6, 2201NYTAN3, 2201NYTANF, 2301NYTAN3, 2301NYTANF 1701NYCCDF, 2001NYCCC3, 2001NYCCDD, 2001NYTANF, 2101NYCCC5, 2101NYCCDD, 2101NYCCDF, 2101NYCCDM, 2101NYCDC6, 2101NYCSC6, 2101NYTANF, 2201NYCCDD, 2201NYTANF 1801NYADPT, 1901NYADPT, 2001NYADPT, 2101NYADPT, 2201NYADPT, 2301NYADPT 2101NYSOSR, 2101NYTANF, 2201NYSOSR, 2201NYTANF Federal Award Years: 2017, 2018, 2019, 2020, 2021, 2022, and 2023 State Agency: Office of Temporary and Disability Assistance Office of Children and Family Services Reference: 2023-013 Criteria Internal controls Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition New York State Information Technology Services (ITS) manages the IT environment for the Automated Claiming System (ACS). IT application controls for ACS are relied upon by Office of Temporary and Disability Assistance (OTDA) and the Office of Children and Family Services (OCFS) for the administration of claims submitted by the local districts that administer the following federal programs as subrecipients of the State of New York (the State): • Temporary Assistance for Needy Families • Social Services Block Grant • CCDF Cluster • Adoption Assistance ITS management of ACS includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the general information technology controls over ACS: 1) For 9 out of 13 instances related to de-provisioning of access for terminated employees to the ACS application, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. In 7 of the 9 instances, the terminated employee had ‘inquiry only’ access. Upon audit inquiry, we obtained system documentation for the 9 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. Furthermore, we conducted testing over provisioning access to the application and privileged access, including migrator and developer access, for the ACS system, and noted those users did not access the system after termination. We determined that none of these users were part of the migrator groups or developer groups or admin users. 2) Users with access rights allowing them to provision access to the ACS application were reviewing their own access as part of the periodic user access review control. As a result, we verified that all reviewers were active and appeared to be appropriate per job title/responsibility. We also verified the system configuration for the user access review and determined that it is configured to automatically revoke access after one year without access and is operating as designed. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The control was designed such that individuals with access rights that allow them to perform provisioning activities were responsible for reviewing their own access as part of the periodic user access review control. Possible Asserted Effect Failure to have a reliable general information technology environment over logical access may result in unauthorized changes being made to ACS, which may result in erroneous reliance on the operating effectiveness of automated information technology control over subrecipient payments allowability. Failure to have effective internal controls over subrecipient payments allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable  Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure either management personnel at the State agencies/entities are notifying their respective IT departments or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination from the State; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management restrict individuals with access rights that allow them to perform provisioning activities from reviewing their own access rights. Lastly, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) CCDF Cluster (93.575 and 93.596) Adoption Assistance (93.659) Social Services Block Grant (93.667) Federal Award Numbers: 1701NYTANF, 1801NYTANF, 1901NYTANF, 2001NYTANF, 2101NYTANF, 2101NYTANFC6, 2201NYTAN3, 2201NYTANF, 2301NYTAN3, 2301NYTANF 1701NYCCDF, 2001NYCCC3, 2001NYCCDD, 2001NYTANF, 2101NYCCC5, 2101NYCCDD, 2101NYCCDF, 2101NYCCDM, 2101NYCDC6, 2101NYCSC6, 2101NYTANF, 2201NYCCDD, 2201NYTANF 1801NYADPT, 1901NYADPT, 2001NYADPT, 2101NYADPT, 2201NYADPT, 2301NYADPT 2101NYSOSR, 2101NYTANF, 2201NYSOSR, 2201NYTANF Federal Award Years: 2017, 2018, 2019, 2020, 2021, 2022, and 2023 State Agency: Office of Temporary and Disability Assistance Office of Children and Family Services Reference: 2023-013 Criteria Internal controls Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition New York State Information Technology Services (ITS) manages the IT environment for the Automated Claiming System (ACS). IT application controls for ACS are relied upon by Office of Temporary and Disability Assistance (OTDA) and the Office of Children and Family Services (OCFS) for the administration of claims submitted by the local districts that administer the following federal programs as subrecipients of the State of New York (the State): • Temporary Assistance for Needy Families • Social Services Block Grant • CCDF Cluster • Adoption Assistance ITS management of ACS includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the general information technology controls over ACS: 1) For 9 out of 13 instances related to de-provisioning of access for terminated employees to the ACS application, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. In 7 of the 9 instances, the terminated employee had ‘inquiry only’ access. Upon audit inquiry, we obtained system documentation for the 9 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. Furthermore, we conducted testing over provisioning access to the application and privileged access, including migrator and developer access, for the ACS system, and noted those users did not access the system after termination. We determined that none of these users were part of the migrator groups or developer groups or admin users. 2) Users with access rights allowing them to provision access to the ACS application were reviewing their own access as part of the periodic user access review control. As a result, we verified that all reviewers were active and appeared to be appropriate per job title/responsibility. We also verified the system configuration for the user access review and determined that it is configured to automatically revoke access after one year without access and is operating as designed. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The control was designed such that individuals with access rights that allow them to perform provisioning activities were responsible for reviewing their own access as part of the periodic user access review control. Possible Asserted Effect Failure to have a reliable general information technology environment over logical access may result in unauthorized changes being made to ACS, which may result in erroneous reliance on the operating effectiveness of automated information technology control over subrecipient payments allowability. Failure to have effective internal controls over subrecipient payments allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable  Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure either management personnel at the State agencies/entities are notifying their respective IT departments or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination from the State; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management restrict individuals with access rights that allow them to perform provisioning activities from reviewing their own access rights. Lastly, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) CCDF Cluster (93.575 and 93.596) Adoption Assistance (93.659) Social Services Block Grant (93.667) Federal Award Numbers: 1701NYTANF, 1801NYTANF, 1901NYTANF, 2001NYTANF, 2101NYTANF, 2101NYTANFC6, 2201NYTAN3, 2201NYTANF, 2301NYTAN3, 2301NYTANF 1701NYCCDF, 2001NYCCC3, 2001NYCCDD, 2001NYTANF, 2101NYCCC5, 2101NYCCDD, 2101NYCCDF, 2101NYCCDM, 2101NYCDC6, 2101NYCSC6, 2101NYTANF, 2201NYCCDD, 2201NYTANF 1801NYADPT, 1901NYADPT, 2001NYADPT, 2101NYADPT, 2201NYADPT, 2301NYADPT 2101NYSOSR, 2101NYTANF, 2201NYSOSR, 2201NYTANF Federal Award Years: 2017, 2018, 2019, 2020, 2021, 2022, and 2023 State Agency: Office of Temporary and Disability Assistance Office of Children and Family Services Reference: 2023-013 Criteria Internal controls Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition New York State Information Technology Services (ITS) manages the IT environment for the Automated Claiming System (ACS). IT application controls for ACS are relied upon by Office of Temporary and Disability Assistance (OTDA) and the Office of Children and Family Services (OCFS) for the administration of claims submitted by the local districts that administer the following federal programs as subrecipients of the State of New York (the State): • Temporary Assistance for Needy Families • Social Services Block Grant • CCDF Cluster • Adoption Assistance ITS management of ACS includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the general information technology controls over ACS: 1) For 9 out of 13 instances related to de-provisioning of access for terminated employees to the ACS application, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. In 7 of the 9 instances, the terminated employee had ‘inquiry only’ access. Upon audit inquiry, we obtained system documentation for the 9 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. Furthermore, we conducted testing over provisioning access to the application and privileged access, including migrator and developer access, for the ACS system, and noted those users did not access the system after termination. We determined that none of these users were part of the migrator groups or developer groups or admin users. 2) Users with access rights allowing them to provision access to the ACS application were reviewing their own access as part of the periodic user access review control. As a result, we verified that all reviewers were active and appeared to be appropriate per job title/responsibility. We also verified the system configuration for the user access review and determined that it is configured to automatically revoke access after one year without access and is operating as designed. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The control was designed such that individuals with access rights that allow them to perform provisioning activities were responsible for reviewing their own access as part of the periodic user access review control. Possible Asserted Effect Failure to have a reliable general information technology environment over logical access may result in unauthorized changes being made to ACS, which may result in erroneous reliance on the operating effectiveness of automated information technology control over subrecipient payments allowability. Failure to have effective internal controls over subrecipient payments allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable  Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure either management personnel at the State agencies/entities are notifying their respective IT departments or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination from the State; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management restrict individuals with access rights that allow them to perform provisioning activities from reviewing their own access rights. Lastly, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) CCDF Cluster (93.575 and 93.596) Adoption Assistance (93.659) Social Services Block Grant (93.667) Federal Award Numbers: 1701NYTANF, 1801NYTANF, 1901NYTANF, 2001NYTANF, 2101NYTANF, 2101NYTANFC6, 2201NYTAN3, 2201NYTANF, 2301NYTAN3, 2301NYTANF 1701NYCCDF, 2001NYCCC3, 2001NYCCDD, 2001NYTANF, 2101NYCCC5, 2101NYCCDD, 2101NYCCDF, 2101NYCCDM, 2101NYCDC6, 2101NYCSC6, 2101NYTANF, 2201NYCCDD, 2201NYTANF 1801NYADPT, 1901NYADPT, 2001NYADPT, 2101NYADPT, 2201NYADPT, 2301NYADPT 2101NYSOSR, 2101NYTANF, 2201NYSOSR, 2201NYTANF Federal Award Years: 2017, 2018, 2019, 2020, 2021, 2022, and 2023 State Agency: Office of Temporary and Disability Assistance Office of Children and Family Services Reference: 2023-013 Criteria Internal controls Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition New York State Information Technology Services (ITS) manages the IT environment for the Automated Claiming System (ACS). IT application controls for ACS are relied upon by Office of Temporary and Disability Assistance (OTDA) and the Office of Children and Family Services (OCFS) for the administration of claims submitted by the local districts that administer the following federal programs as subrecipients of the State of New York (the State): • Temporary Assistance for Needy Families • Social Services Block Grant • CCDF Cluster • Adoption Assistance ITS management of ACS includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the general information technology controls over ACS: 1) For 9 out of 13 instances related to de-provisioning of access for terminated employees to the ACS application, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. In 7 of the 9 instances, the terminated employee had ‘inquiry only’ access. Upon audit inquiry, we obtained system documentation for the 9 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. Furthermore, we conducted testing over provisioning access to the application and privileged access, including migrator and developer access, for the ACS system, and noted those users did not access the system after termination. We determined that none of these users were part of the migrator groups or developer groups or admin users. 2) Users with access rights allowing them to provision access to the ACS application were reviewing their own access as part of the periodic user access review control. As a result, we verified that all reviewers were active and appeared to be appropriate per job title/responsibility. We also verified the system configuration for the user access review and determined that it is configured to automatically revoke access after one year without access and is operating as designed. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The control was designed such that individuals with access rights that allow them to perform provisioning activities were responsible for reviewing their own access as part of the periodic user access review control. Possible Asserted Effect Failure to have a reliable general information technology environment over logical access may result in unauthorized changes being made to ACS, which may result in erroneous reliance on the operating effectiveness of automated information technology control over subrecipient payments allowability. Failure to have effective internal controls over subrecipient payments allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable  Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure either management personnel at the State agencies/entities are notifying their respective IT departments or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination from the State; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management restrict individuals with access rights that allow them to perform provisioning activities from reviewing their own access rights. Lastly, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) CCDF Cluster (93.575 and 93.596) Adoption Assistance (93.659) Social Services Block Grant (93.667) Federal Award Numbers: 1701NYTANF, 1801NYTANF, 1901NYTANF, 2001NYTANF, 2101NYTANF, 2101NYTANFC6, 2201NYTAN3, 2201NYTANF, 2301NYTAN3, 2301NYTANF 1701NYCCDF, 2001NYCCC3, 2001NYCCDD, 2001NYTANF, 2101NYCCC5, 2101NYCCDD, 2101NYCCDF, 2101NYCCDM, 2101NYCDC6, 2101NYCSC6, 2101NYTANF, 2201NYCCDD, 2201NYTANF 1801NYADPT, 1901NYADPT, 2001NYADPT, 2101NYADPT, 2201NYADPT, 2301NYADPT 2101NYSOSR, 2101NYTANF, 2201NYSOSR, 2201NYTANF Federal Award Years: 2017, 2018, 2019, 2020, 2021, 2022, and 2023 State Agency: Office of Temporary and Disability Assistance Office of Children and Family Services Reference: 2023-013 Criteria Internal controls Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition New York State Information Technology Services (ITS) manages the IT environment for the Automated Claiming System (ACS). IT application controls for ACS are relied upon by Office of Temporary and Disability Assistance (OTDA) and the Office of Children and Family Services (OCFS) for the administration of claims submitted by the local districts that administer the following federal programs as subrecipients of the State of New York (the State): • Temporary Assistance for Needy Families • Social Services Block Grant • CCDF Cluster • Adoption Assistance ITS management of ACS includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the general information technology controls over ACS: 1) For 9 out of 13 instances related to de-provisioning of access for terminated employees to the ACS application, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. In 7 of the 9 instances, the terminated employee had ‘inquiry only’ access. Upon audit inquiry, we obtained system documentation for the 9 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. Furthermore, we conducted testing over provisioning access to the application and privileged access, including migrator and developer access, for the ACS system, and noted those users did not access the system after termination. We determined that none of these users were part of the migrator groups or developer groups or admin users. 2) Users with access rights allowing them to provision access to the ACS application were reviewing their own access as part of the periodic user access review control. As a result, we verified that all reviewers were active and appeared to be appropriate per job title/responsibility. We also verified the system configuration for the user access review and determined that it is configured to automatically revoke access after one year without access and is operating as designed. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The control was designed such that individuals with access rights that allow them to perform provisioning activities were responsible for reviewing their own access as part of the periodic user access review control. Possible Asserted Effect Failure to have a reliable general information technology environment over logical access may result in unauthorized changes being made to ACS, which may result in erroneous reliance on the operating effectiveness of automated information technology control over subrecipient payments allowability. Failure to have effective internal controls over subrecipient payments allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable  Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure either management personnel at the State agencies/entities are notifying their respective IT departments or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination from the State; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management restrict individuals with access rights that allow them to perform provisioning activities from reviewing their own access rights. Lastly, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) CCDF Cluster (93.575 and 93.596) Adoption Assistance (93.659) Social Services Block Grant (93.667) Federal Award Numbers: 1701NYTANF, 1801NYTANF, 1901NYTANF, 2001NYTANF, 2101NYTANF, 2101NYTANFC6, 2201NYTAN3, 2201NYTANF, 2301NYTAN3, 2301NYTANF 1701NYCCDF, 2001NYCCC3, 2001NYCCDD, 2001NYTANF, 2101NYCCC5, 2101NYCCDD, 2101NYCCDF, 2101NYCCDM, 2101NYCDC6, 2101NYCSC6, 2101NYTANF, 2201NYCCDD, 2201NYTANF 1801NYADPT, 1901NYADPT, 2001NYADPT, 2101NYADPT, 2201NYADPT, 2301NYADPT 2101NYSOSR, 2101NYTANF, 2201NYSOSR, 2201NYTANF Federal Award Years: 2017, 2018, 2019, 2020, 2021, 2022, and 2023 State Agency: Office of Temporary and Disability Assistance Office of Children and Family Services Reference: 2023-013 Criteria Internal controls Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition New York State Information Technology Services (ITS) manages the IT environment for the Automated Claiming System (ACS). IT application controls for ACS are relied upon by Office of Temporary and Disability Assistance (OTDA) and the Office of Children and Family Services (OCFS) for the administration of claims submitted by the local districts that administer the following federal programs as subrecipients of the State of New York (the State): • Temporary Assistance for Needy Families • Social Services Block Grant • CCDF Cluster • Adoption Assistance ITS management of ACS includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the general information technology controls over ACS: 1) For 9 out of 13 instances related to de-provisioning of access for terminated employees to the ACS application, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. In 7 of the 9 instances, the terminated employee had ‘inquiry only’ access. Upon audit inquiry, we obtained system documentation for the 9 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. Furthermore, we conducted testing over provisioning access to the application and privileged access, including migrator and developer access, for the ACS system, and noted those users did not access the system after termination. We determined that none of these users were part of the migrator groups or developer groups or admin users. 2) Users with access rights allowing them to provision access to the ACS application were reviewing their own access as part of the periodic user access review control. As a result, we verified that all reviewers were active and appeared to be appropriate per job title/responsibility. We also verified the system configuration for the user access review and determined that it is configured to automatically revoke access after one year without access and is operating as designed. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The control was designed such that individuals with access rights that allow them to perform provisioning activities were responsible for reviewing their own access as part of the periodic user access review control. Possible Asserted Effect Failure to have a reliable general information technology environment over logical access may result in unauthorized changes being made to ACS, which may result in erroneous reliance on the operating effectiveness of automated information technology control over subrecipient payments allowability. Failure to have effective internal controls over subrecipient payments allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable  Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure either management personnel at the State agencies/entities are notifying their respective IT departments or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination from the State; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management restrict individuals with access rights that allow them to perform provisioning activities from reviewing their own access rights. Lastly, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) CCDF Cluster (93.575 and 93.596) Adoption Assistance (93.659) Social Services Block Grant (93.667) Federal Award Numbers: 1701NYTANF, 1801NYTANF, 1901NYTANF, 2001NYTANF, 2101NYTANF, 2101NYTANFC6, 2201NYTAN3, 2201NYTANF, 2301NYTAN3, 2301NYTANF 1701NYCCDF, 2001NYCCC3, 2001NYCCDD, 2001NYTANF, 2101NYCCC5, 2101NYCCDD, 2101NYCCDF, 2101NYCCDM, 2101NYCDC6, 2101NYCSC6, 2101NYTANF, 2201NYCCDD, 2201NYTANF 1801NYADPT, 1901NYADPT, 2001NYADPT, 2101NYADPT, 2201NYADPT, 2301NYADPT 2101NYSOSR, 2101NYTANF, 2201NYSOSR, 2201NYTANF Federal Award Years: 2017, 2018, 2019, 2020, 2021, 2022, and 2023 State Agency: Office of Temporary and Disability Assistance Office of Children and Family Services Reference: 2023-013 Criteria Internal controls Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition New York State Information Technology Services (ITS) manages the IT environment for the Automated Claiming System (ACS). IT application controls for ACS are relied upon by Office of Temporary and Disability Assistance (OTDA) and the Office of Children and Family Services (OCFS) for the administration of claims submitted by the local districts that administer the following federal programs as subrecipients of the State of New York (the State): • Temporary Assistance for Needy Families • Social Services Block Grant • CCDF Cluster • Adoption Assistance ITS management of ACS includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the general information technology controls over ACS: 1) For 9 out of 13 instances related to de-provisioning of access for terminated employees to the ACS application, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. In 7 of the 9 instances, the terminated employee had ‘inquiry only’ access. Upon audit inquiry, we obtained system documentation for the 9 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. Furthermore, we conducted testing over provisioning access to the application and privileged access, including migrator and developer access, for the ACS system, and noted those users did not access the system after termination. We determined that none of these users were part of the migrator groups or developer groups or admin users. 2) Users with access rights allowing them to provision access to the ACS application were reviewing their own access as part of the periodic user access review control. As a result, we verified that all reviewers were active and appeared to be appropriate per job title/responsibility. We also verified the system configuration for the user access review and determined that it is configured to automatically revoke access after one year without access and is operating as designed. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The control was designed such that individuals with access rights that allow them to perform provisioning activities were responsible for reviewing their own access as part of the periodic user access review control. Possible Asserted Effect Failure to have a reliable general information technology environment over logical access may result in unauthorized changes being made to ACS, which may result in erroneous reliance on the operating effectiveness of automated information technology control over subrecipient payments allowability. Failure to have effective internal controls over subrecipient payments allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable  Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure either management personnel at the State agencies/entities are notifying their respective IT departments or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination from the State; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management restrict individuals with access rights that allow them to perform provisioning activities from reviewing their own access rights. Lastly, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) CCDF Cluster (93.575 and 93.596) Adoption Assistance (93.659) Social Services Block Grant (93.667) Federal Award Numbers: 1701NYTANF, 1801NYTANF, 1901NYTANF, 2001NYTANF, 2101NYTANF, 2101NYTANFC6, 2201NYTAN3, 2201NYTANF, 2301NYTAN3, 2301NYTANF 1701NYCCDF, 2001NYCCC3, 2001NYCCDD, 2001NYTANF, 2101NYCCC5, 2101NYCCDD, 2101NYCCDF, 2101NYCCDM, 2101NYCDC6, 2101NYCSC6, 2101NYTANF, 2201NYCCDD, 2201NYTANF 1801NYADPT, 1901NYADPT, 2001NYADPT, 2101NYADPT, 2201NYADPT, 2301NYADPT 2101NYSOSR, 2101NYTANF, 2201NYSOSR, 2201NYTANF Federal Award Years: 2017, 2018, 2019, 2020, 2021, 2022, and 2023 State Agency: Office of Temporary and Disability Assistance Office of Children and Family Services Reference: 2023-013 Criteria Internal controls Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition New York State Information Technology Services (ITS) manages the IT environment for the Automated Claiming System (ACS). IT application controls for ACS are relied upon by Office of Temporary and Disability Assistance (OTDA) and the Office of Children and Family Services (OCFS) for the administration of claims submitted by the local districts that administer the following federal programs as subrecipients of the State of New York (the State): • Temporary Assistance for Needy Families • Social Services Block Grant • CCDF Cluster • Adoption Assistance ITS management of ACS includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the general information technology controls over ACS: 1) For 9 out of 13 instances related to de-provisioning of access for terminated employees to the ACS application, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. In 7 of the 9 instances, the terminated employee had ‘inquiry only’ access. Upon audit inquiry, we obtained system documentation for the 9 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. Furthermore, we conducted testing over provisioning access to the application and privileged access, including migrator and developer access, for the ACS system, and noted those users did not access the system after termination. We determined that none of these users were part of the migrator groups or developer groups or admin users. 2) Users with access rights allowing them to provision access to the ACS application were reviewing their own access as part of the periodic user access review control. As a result, we verified that all reviewers were active and appeared to be appropriate per job title/responsibility. We also verified the system configuration for the user access review and determined that it is configured to automatically revoke access after one year without access and is operating as designed. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The control was designed such that individuals with access rights that allow them to perform provisioning activities were responsible for reviewing their own access as part of the periodic user access review control. Possible Asserted Effect Failure to have a reliable general information technology environment over logical access may result in unauthorized changes being made to ACS, which may result in erroneous reliance on the operating effectiveness of automated information technology control over subrecipient payments allowability. Failure to have effective internal controls over subrecipient payments allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable  Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure either management personnel at the State agencies/entities are notifying their respective IT departments or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination from the State; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management restrict individuals with access rights that allow them to perform provisioning activities from reviewing their own access rights. Lastly, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Health and Human Services Federal Program: Block Grants for Prevention and Treatment of Substance Abuse (93.959) Federal Award Numbers: 21B1NYSAPT, 21B1NYSAPTC5, 21B1NYSAPTC6, 21B3NYSAPTC6, 22B1NYSAPT Federal Award Years: 2021 and 2022 State Agency: Office of Addiction Services and Support Reference: 2023-018 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards for HHS Awards, section 75.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 45 CFR 75.2 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Internal controls Lastly, 45 CFR 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Office of Addition Services and Support (OASAS) did not report awards granted to subrecipients for the Block Grants for Prevention and Treatment of Substance Abuse program for the period April 2022 through March 2023 as required by FFATA. FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers During our testwork, we noted OASAS did not establish control procedures to submit FFATA reports for all subawards. We noted the following exceptions: Cause The condition found was due to staffing changes and constraints brought on by COVID-19, this requirement was not appropriately considered and FFATA reporting was not completed during the fiscal year.  Possible Asserted Effect Failure to submit all subawards passed-through to subrecipients and subcontractors under subawards as defined by 45 CFR 75.2 in OASAS’s FFATA reporting could result in OASAS reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend OASAS review and enhance its policies, procedures, and internal controls to ensure that all amounts passed-through to subrecipients and subcontractors under subawards as defined in 45 CFR 75.2 are reported in accordance with the FFATA federal regulations.

Federal Agency: United States Department of Health and Human Services Federal Program: Block Grants for Prevention and Treatment of Substance Abuse (93.959) Federal Award Numbers: 21B1NYSAPT, 21B1NYSAPTC5, 21B1NYSAPTC6, 21B3NYSAPTC6, 22B1NYSAPT Federal Award Years: 2021 and 2022 State Agency: Office of Addiction Services and Support Reference: 2023-019 Criteria Subrecipient monitoring Title 45 Code of Federal Regulations Part 75, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (45 CFR 75), section 352(b) states all pass-through entities must evaluate each subrecipient's risk of noncompliance with Federal Statues, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring as described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with subpart F, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of HHS awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a HHS awarding agency). Internal controls Further, 45 CFR 75.303 (a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal Entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition During our testwork, we noted the Office of Addiction Services and Support (OASAS) had developed and implemented a risk assessment process to help identify entities with higher risks that required additional monitoring procedures. Initially the risk assessment process begins with the programmatic input and is provided to the Fiscal Audit and Review Unit (FARU) to provide additional risk assessment factors. However, the agency was unable to provide documentation to support the additional risk factors considered by FARU. The documentation provided indicated that entities determined to be higher risk did not align with the entities selected and for which additional monitoring procedures were performed. Cause The condition found was because the agency was not able to provide documentation to support the additional risk factors considered by FARU that determined the higher risk entities reviewed for the fiscal year. Possible Asserted Effect Failure to properly document all program and fiscal risk factors considered in identifying higher risk subrecipients may result in inadequate incremental monitoring procedures being performed and subrecipients not being in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend the Office continue to enhance its subrecipient monitoring policies, procedures and internal control to help ensure the Office is monitoring subrecipients in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e). Such monitoring activities should be performed and documented to show all considerations made when determining which subrecipients would be subject to additional monitoring procedures.

Federal Agency: United States Department of Agriculture Federal Program: Child Nutrition Cluster (10.555, 10.559, and 10.582) Federal Award Numbers: 202323N119944, 202221N119944-SED Federal Award Years: 2022 and 2023 State Agency: State Education Department Reference: 2023-005 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, section 200.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 2 CFR 200.2 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Internal controls Lastly, 2 CFR 200.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers During our testwork, we noted for the period of December 2022 through March 2023, the State Education Department (the Department) did not timely report any amounts passed-through to its subrecipients. During our testwork of 40 subawards, we noted the following exceptions: Cause The condition found was due to staffing shortages and the responsibility for FFATA reporting was not transferred between employees. Possible Asserted Effect Failure to submit all subawards passed-through to subrecipients and subcontractors under subawards as defined by 2CFR 200.2 in SED’s FFATA reporting could result in the Department reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Department review and enhance its policies, procedures, and internal controls to ensure that all amounts passed-through to subrecipients and subcontractors under subawards as defined in 2 CFR 200.2 are reported in accordance with the FFATA federal regulations.

Federal Agency: United States Department of Housing and Urban Development Federal Program: CDBG – Disaster Recovery Grants – Pub. L. No. 113-2 Cluster (14.269, 14.272) Federal Award Number: B13DS360001 Federal Award Years: 2013 State Agency: Housing Trust Fund Corporation and Governor’s Office of Storm Recovery Reference: 2023-006 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, herein referred to as the "Transparency Act" that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200) Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, section 200.1 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 2 CFR 200.1 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal program; but does not include an individual that is a beneficiary of such program. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Internal controls Lastly, 2 CFR 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the Federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).  Condition The Housing Trust Fund Corporation (HTFC) did not report awards granted to subrecipients for the CDBG – Disaster Recovery Grants program for the period April 2022 through March 2023 as required by FFATA. FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers During our testing, we noted that HTFC did not establish control procedures to submit FFATA reports for all subawards as required by federal regulations. During our testwork of 7 subawards and 6 amendments, we noted the following exceptions: *For the 5 of 7 sampled subawards, the subaward amounts of $191,367,261 were incorrectly reported in FSRS as $7,757,484,755. **For one of the 7 sampled subawards the obligation date did not agree to FSRS and 7 of 7 subawards were missing the date of report submission (key data element). Cause The condition found was due to HTFC not reporting any amounts passed-through to subrecipients for the period April 2022 – March 2023 because the responsibility for FFATA reporting was not transferred between employees. Possible Asserted Effect Failure to submit all subaward amounts passed-through to subrecipients and subcontractors under subawards as defined by 2 CFR 200.1 in HTFC’s FFATA reporting could result in HTFC reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that HTFC review and enhance its policies, procedures, and internal controls to ensure that all amounts passed-through to subrecipients and subcontractors under subawards as defined in 2 CFR 200.1 are reported in accordance with the FFATA federal regulations. In addition, we recommend that HTFC use obligation date for FFATA reporting.

Federal Agency: United States Department of Labor Federal Program: Unemployment Insurance (17.225) Federal Award Numbers: Not Applicable Federal Award Years : Not Applicable State Agency: Department of Labor Reference: 2023-007 Criteria Special Tests and Provisions – UI Benefit Payments The Payments Integrity Information Act (PIIA) of 2019 codified the requirement for valid statistical estimates of improper payments. by Title 20 Code of Federal Regulations Part 602 (20 CFR 602), Quality Control in the Federal-State Unemployment System, prescribes a Quality Control (QC) program for the Federal-State unemployment compensation (UC) system, which is appliable to the State UC programs and the Federal unemployment benefit and allowance programs administered by the State unemployment compensation agencies under agreements between the States and the Secretary of Labor. 20 CFR 602.11(d) states to satisfy the requirements of Section 303(a)(1) and (6) of the Social Security Act (SSA) (42 USC 503), a State law must contain a provision requiring, or which is construed to require, the establishment and maintenance of a QC program in accordance with the requirements of this part. The establishment and maintenance of such a QC program in accordance with this part shall not require any change in State law concerning authority to undertake redeterminations of claims or liabilities or the finality of any determination, redetermination or decision. Each State shall establish a QC unit independent of, and not accountable to, any unit performing functions subject to evaluation by the QC unit. The organizational location of this unit shall be positioned to maximize its objectivity, to facilitate its access to information necessary to carry out its responsibilities, and to minimize organizational conflict of interest. Per 20 CFR 602.21 – Standard methods and Procedures, Each State Shall: (a) Perform the requirements of this section in accordance with instructions issued by the Department, pursuant to § 602.30(a) of this part, to ensure standardization of methods and procedures in a manner consistent with this part; (b) Select representative samples for QC study of at least a minimum size specified by the Department to ensure statistical validity (for benefit payments, a minimum of 400 cases of weeks paid per State per year);   (c) Complete prompt and in-depth case investigations to determine the degree of accuracy and timeliness in the administration of the State UC law and Federal programs with respect to benefit determinations, benefit payments, and revenue collections; and conduct other measurements and studies necessary or appropriate for carrying out the purposes of this part; and in conducting investigations each State shall: (1) Inform claimants in writing that the information obtained from a QC investigation may affect their eligibility for benefits and inform employers in writing that the information obtained from a QC investigation of revenue may affect their tax liability, (2) Use a questionnaire, prescribed by the Department, which is designed to obtain such data as the Department deems necessary for the operation of the QC program; require completion of the questionnaire by claimants in accordance with the eligibility and reporting authority under State law, (3) Collect data identified by the Department as necessary for the operation of the QC program; however, the collection of demographic data will be limited to those data which relate to an individual's eligibility for UC benefits and necessary to conduct proportions tests to validate the selection of representative samples (the demographic data elements necessary to conduct proportions tests are claimants' date of birth, sex, and ethnic classification); and (4) Conclude all findings of inaccuracy as d(a) Perform the requirements of this section in accordance with instructions issued by the Department, pursuant to § 602.30(a) of this part, to ensure standardization of methods and procedures in a manner consistent with this part; (d) Classify benefit case findings resulting from QC investigations as: (1) Proper payments, underpayments, or overpayments in benefit payment cases, or (2) Proper denials or underpayments in benefit denial cases; (e) Make and maintain records pertaining to the QC program, and make all such records available in a timely manner for inspection, examination, and audit by such Federal officials as the Secretary may designate or as may be required or authorized by law; (f) Furnish information and reports to the Department, including weekly transmissions of case data entered into the automated QC system and annual reports, without, in any manner, identifying individuals to whom such data pertain; and (g) Release the results of the QC program at the same time each year, providing calendar year results using a standardized format to present the data as prescribed by the Department; States will have the opportunity to release this information prior to any release by the Department. Internal controls Additionally, Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200) Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, section 303(a) states, the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statues, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Benefit Accuracy Measurement (BAM) programs consists of reviews of Regular Unemployment Insurance (UI) payments, which are paid out of the Unemployment Insurance Trust Fund, and therefore are not associated with a Federal Award Number. For the period ending September 30, 2022, NYS failed the 90- and 120-day time lapse requirement for both Paid and Denied Claims. For the month of September 2022, for Paid Claims, 92.08% of cases were reviewed and closed within 90 days, less than 3% short of the required 95%. Similarly, 96.25% of cases were reviewed and closed within 120 days, less than 2% short of the required 98% federal benchmark. Also, for the month of September 2022, for Denied Claims, 96.66% of cases were reviewed and closed within 120 days, less than 2% short of the required 98%. Cause The condition related to the time lapse requirements results from a shortage of staff and backlogged cases. As a result, the Department was unable to meet all case allocation and timely review requirements. Possible Asserted Effect Failure to perform timely completion of investigations results in the inability of UI Program to appropriately assess the degree of accuracy and timeliness in the administration of the State UC law and federal programs with respect to benefit determinations, benefit payments, and revenue collections. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding A similar finding for the Department was included in the 2022 Single Audit Report as finding number 2022-004 at pages 25-27. Recommendation We recommend that the Department ensures that their polices and procedures are designed to review selected cases to ensure they meet the prescribed criteria and, if necessary, be replaced as part of the final sampling week for the PIIA year. Additionally, the Department should enhance its process to ensure the completion of Paid and Denied cases are reviewed and closed timely in accordance with State Law.

Federal Agency: United States Department of Education Federal Program: Federal Family Education Loans (Guaranty Agencies) (84.032) Federal Award Numbers: Not Applicable Federal Award Years: Not Applicable State Agency: Higher Education Services Corporation Reference: 2023-008 Criteria Special Tests and Provisions – Teacher Loan Forgiveness Claims In accordance with Title 34 CFR Section 682.216 (f)(3), the guaranty agency shall review a teacher loan forgiveness claim within 45 days of receiving the holder’s request for payment and must determine if the borrower meets the eligibility requirements for loan forgiveness under this section and must notify the holder of its determination of the borrower’s eligibility for loan forgiveness under this section. If the guaranty agency approves the loan forgiveness, it must, within the same 45-day period, pay the holder the amount of the loan forgiveness, up to $17,500, subject to paragraphs (c)(11), (d)(1), (d)(2), and (f)(2)(iii) of this section. Internal controls Additionally, Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200) Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, section 303(a) states, the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statues, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition For 3 out of 60 individual teacher loan forgiveness claims selected for testwork, management did not pay the lender within the required 45 day timeframe. The payments related to these 3 forgiveness claims occurred between 18 and 53 days beyond the 45 day requirement. Cause The condition related to management’s’ internal control to review and approve teacher loan forgiveness payment requests within 45 business days after receipt was not operating effectively. Specifically, there were delays in the determination of whether or not the borrower met its eligibility requirements for loan forgiveness.  Possible Asserted Effect Failure to timely remit payment to the lender for teacher loan forgiveness claims may result in noncompliance with federal laws and regulations. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding A similar finding was included in the separately issued Higher Education Services Corporation 2022 Single Audit Report as finding number 2022-002 on pages 59-60. Recommendation We recommend that management continue to monitor and review incoming teacher loan forgiveness claims from lenders and make any necessary payments for approved loan forgiveness within the 45 day period requirement.

Federal Agency: United States Department of Education Federal Program: Federal Family Education Loans (Guaranty Agencies) (84.032) Federal Award Numbers: Not Applicable Federal Award Years: Not Applicable State Agency: Higher Education Services Corporation Reference: 2023-009 Criteria Internal controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition Higher Education Services Corporation (HESC), with the support of New York State Information Technology Services (ITS) manages the IT environment for the Debt Management Collections Systems (DMCS) and Guaranteed Student Loan (GSL). IT application controls for DMCS and GSL are relied upon by Higher Education Services Corporation (HESC) for the administration of the Federal Family Education Loans (Guaranty Agencies) (FFEL). HESC utilizes DMCS, a legacy mainframe based system, for the accounting and debt management of the FFEL program and GSL to manage and monitor outstanding guaranteed loans. ITS management of DMCS and GSL includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the information technology general controls over DMCS and GSL: 1) For 3 out of 229 instances related to de-provisioning of access for terminated employees to the DMCS and GSL applications, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. Upon audit inquiry, we obtained system documentation for the 3 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. 2) HESC did not perform a periodic user access review over GSL active users and their respective access rights. The system generated listings utilized in the access reviews were not generated and provided to the appropriate reviewers prior to the end of the audit period. Upon audit inquiry, we performed testing procedures over appropriateness of administrative access to the GSL application and noted it appeared appropriately provisioned and restricted. 3) For the periodic user access review for the DMCS application, HESC management did not consider the inclusion of external users of the application, including external users with more than read-only access, in the scope of the review. We noted that the entitlements for the users not included in the scope of the DMCS periodic user access review only included edit capabilities related to non-financial data, such demographic information. We performed testing procedures over appropriateness of administrative access to the DMCS application and noted it appeared appropriately provisioned and restricted. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The cause of the delay in the review process was due to internal prioritizations resulting in the review not being performed within the audit period. 3) External users were not considered by management in the access reviews. Possible Asserted Effect Failure to have a reliable general information technology control environment over logical access may result in unauthorized changes being made to DMCS and GSL, which may result in erroneous reliance on the operating effectiveness of automated information technology controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure management personnel at HESC are notifying their IT department or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination of employment from HESC; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Education Federal Program: Rehabilitation Services — Vocational Rehabilitation Grants to States (84.126) Federal Award Numbers: H126A200047 – 20C (SED), H126A210047 (SED), H126A220047(SED), H126A200048 – 20D (OCFS), H126A210048 (OCFS), H126A220048 (OCFS) Federal Award Years: 2020, 2021, 2022 State Agency: Office of Children and Family Services and State Education Department Reference: 2023-010 Criteria Performance Reporting RSA-911, Case Service Report (RSA 911) (OMB No. 1820 0508). The RSA-911 is a set of data elements that state Vocational Rehabilitation (VR) agencies must submit to ED. The data elements obtained from state VR agency service records and case management systems document the application for and/or provision of VR services to individuals with disabilities, including program outcomes and demographic information. The RSA-911 data set instructions are available at https://rsa.ed.gov/sites/default/files/subregulatory/pd-19-03.pdf. Key Line Items – Supporting documentation must be included in the service record or case management system for the data elements listed below. Dates reported in the case management system must match the supporting documentation. The following data elements contain critical information: 1. Date of Application (element 7) 2. Date of Eligibility Determination (element 38) 3. Date of Most Recent or Amended Individualized Plan for Employment (IPE) (element 398)* 4. Start Date of Employment in Primary Occupation (element 350) 5. Employment Outcome at Exit (element 356) 6. Date of Exit (element 353) 7. Hourly Wage at Exit (element 359) *In accordance with the RSA-911 data set instructions available at https://rsa.ed.gov/sites/default/files/subregulatory/pd-19-03.pdf data element 398 above is listed as `Date of Initial IPE'. Internal controls Lastly, 2 CFR 200.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).  Condition New York State’s Office of Children and Family Services (OCFS) and State Education Department (SED) did not maintain complete and accurate data with the quarterly submissions of the RSA-911 report. A sample of 25 cases was selected from each department. For each case, the seven key line items were tested to verify the data reported in the case management system matched supporting documentation. During the audit we noted an inconsistency between the compliance supplement requirement and the RSA-911 data set instructions for data element 398 as included above in the Criteria. For testwork purposes the RSA-911 data set instructions were utilized. OCFS For the 25 cases selected for testing at OCFS, 6 samples within the RSA-911 were missing the Start Date of Employment in Primary Occupation (element 350) when compared to the supporting documentation. The VR counselor reviews the data entered into the electronic case management system prior to the submission of the RSA-911 report the missing information was not identified during the reviews of those 6 cases. SED For the 25 cases selected for testing at SED, the list below summarizes the key line elements the department could not provide supporting documentation or discrepancies were noted as follows: • Date of Application- 3 cases the data provided on the underlying application did not agree to data reported on the RSA-911 and 1 case no support was provided. • Date of Eligibility Determination- One case the date of eligibility provided by management on the eligibility determination worksheet did not agree to the date that was reported on the RSA-911. • Date of Initial IPE- 2 cases only an unsigned initial IPE was provided; 2 cases the IPE provided had a different date than the date that was reported on the RSA-911; and 5 cases no IPE was provided by management to support the cases selected. • Start date of employment in primary occupation- 3 cases the start date was not reported on the RSA-911 when it was readily available in the underlying support provided. • Date of Exit: 1 case the date of exit on underlying support provided did not agree to the date that was reported on the RSA-911. In addition, on a quarterly basis SED management performs a review on a sample of cases at the 15 local offices. Our testwork of this review noted for 2 cases the internal review checklists could not provided to evidence the review and for 6 cases outliers were identified in the review however management could not provide any evidence for resolution of the outlier, or support it was communicated or corrected. Lastly, we also noted the quarterly review process was not performed on any cases for the quarter ended March 31, 2023. Cause OCFS The condition related to a deficiency in the operation of the review process not occurring at a precision necessary to identify missing information during the review that is required to be reported on the RSA-911 report.   SED The condition related to a deficiency in the operation of the review process not occurring at a precision necessary to identify missing information during the review that is required to be reported on the RSA-911 report. Additionally, SED was preparing to transition to a new case management system and did not perform case reviews for the quarter ended March 31, 2023. Possible Asserted Effect Failure to perform proper review of the data recorded in the case management system prior to the submission of the RSA-911 report can result in incorrect and/or missing data elements of the seven key line items noted for the Case Service Report. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that OCFS and SED ensure its review process of the underlying cases operate at a precision necessary to identify missing and incorrect data to ensure complete and accurate data is submitted on the RSA-911 reports.

Federal Agency: United States Department of Health and Human Services Federal Program: CCDF Cluster (93.489, 93.575 and 93.596) Federal Award Numbers: 2001NYCCDD, 2101NYCCDD, 2201NYCCDD, 2001NYTANF, 2101NYTANF 2201NYTANF Federal Award Years: 2020, 2021, 2022 State Agency: Office of Children and Family Services Reference: 2023-011 Criteria Subrecipient monitoring Title U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.352(d) states all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved, including the requirements contained in 45 CFR section 98.60, related to the recovery of child care payments that are the result of fraud as these payments shall be recovered from the party responsible for committing the fraud. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. Additionally, 45 CFR 75.352(b) states all pass-through entities must evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring, which may include consideration of such factors as: (1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with subpart F, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of HHS awarding agency monitoring (e.g., if the subrecipient also receives federal awards directly from a HHS awarding agency).  Further, 45 CFR 75.352(e) sates, depending upon the pass-through entity’s assessment of risk posed by the subrecipient, the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; (2) Performing on-site reviews of the subrecipient’s program operations; and (3) Arranging for agreed-upon procedures engagements as described in 45 CFR 75.425. Internal controls Lastly, 45 CFR 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition During the fiscal year ended March 31, 2023, the Office of Children and Family Services (the Office) passed through approximately $530 million under the CCDF Cluster, to local districts (or subrecipients) to provide programmatic services under the CCDF Cluster. As part of the funding arrangement, the local districts are responsible for the administration of the federal program, including performing participant benefit eligibility determinations, payment of childcare subsidies, and monitoring for fraud. During our testwork over the subrecipient monitoring process we identified the following: 1. The Office prepared its annual risk assessment process and assessed risk related to its subrecipients/local districts. For the State fiscal year ended March 31, 2023, we noted that the Office did not select subrecipients/local districts based upon their risk assessment and only performed and completed one monitoring visit during the audit period. 2. The subrecipients/local districts are responsible for implementing policies and procedures related to fraud and improper payments. The Office requires each subrecipient/local district to have a plan in place for fraud detection that is reviewed and approved by the Office. As part of its monitoring procedures the Office has general inquiries it makes related to plan itself and will identify as part of its case review if the selected case was an improper payment. While these inquiries were made, we were not able to obtain any documented evidence that supports the results of those discussions, and the issued report for the one monitoring review selected for testwork also did not comment on these discussions. As a result, we could not verify through written documentation that the Office performed any monitoring to ensure that the subrecipient/local district is in compliance with its approved plan.  Cause The condition found was primarily due to the Office developing a new monitoring plan for the subrecipients/local districts during fiscal year 2023, of which would be implemented during fiscal year 2024. Additionally, the Office does not document the results of the monitoring procedures performed over the fraud and improper payment plans in place at the subrecipients/local districts. Possible Asserted Effect The lack of executed monitoring procedures over subawards provided to subrecipients/local districts could result in the use of federal funding provided under the federal award not being in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Questioned Costs Cannot be determined. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Office enhance its subrecipient monitoring policies, procedures and internal controls to ensure the Office is monitoring subrecipients/local districts in accordance with the federal requirements. The Office should also ensure its monitoring procedures include a review of the fraud and improper payment plans at the subrecipients/local districts.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) Federal Award Numbers: 2101NYTANF, 2201NYTANF, 2301NYTAN3, 2301NYTANF Federal Award Years: 2021, 2022 and 2023 State Agency: Office of Temporary and Disability Assistance Reference: 2023-012 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements who make first tier subawards of $30,000 or more are required to register in the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) and report subaward data through FSRS. Aspects of the Transparency Act, as amended by Section 6202(a) of the Government Funding Transparency Act of 2008 (Pub. L. No. 111-252), that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards for HHS Awards, section 75.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a Federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a Federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 45 CFR 75.2 defines Subrecipient as a non-Federal entity that receives a subaward from a passthrough entity to carry out part of a Federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a Federal awarding agency. Internal controls Lastly, 45 CFR 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Office of Temporary and Disability Assistance (the Office) did not correctly report awards granted to some of its subrecipients for the Temporary Assistance for Needy Families program for the period April 2022 through March 2023 as required by FFATA. FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers For the period of April 2022 to March 2023, the Office of Temporary and Disability Assistance (the Office) incorrectly reported some of the subrecipient expenditures over $30,000. As a result of our testwork over this period we noted the following: During our testing, we noted the Office's control procedures did not identify incorrect amounts reported during its FFATA submission for some of its subrecipients. We noted the following exceptions: The Office incorrectly reported 11 subawards for a total of $22,013. For 5 of the 11 awards, the amount was incorrect due to a data entry error resulting in a $22,013 difference. For 6 of the 11 awards, the incorrect subaward number was reported due to a data entry error. The amount was reported correctly, however, the subaward was incorrect and therefore the net difference in the amount was $0. Cause The condition is due to oversight errors when submitting the reports. All information was entered and recorded, however the review was not at a level of precision to identify data entry errors prior to submission of the reports. Possible Asserted Effect Failure to correctly submit all subawards passed-through to subrecipients and subcontractors under subawards as defined by 45 CFR 75.2 in the Office's FFATA reporting could result in the Office reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding A similar finding was included in the 2022 Single Audit Report as finding number 2022-012 on pages 45–47. Recommendation We recommend that the Office enhance its review of the submissions of the amounts passed-through to subrecipients and subcontractors under subawards as defined in 45 CFR 75.2 that are reported in accordance with the FFATA federal regulations to ensure its at a level of precision to identify data entry errors prior to submission.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) CCDF Cluster (93.575 and 93.596) Adoption Assistance (93.659) Social Services Block Grant (93.667) Federal Award Numbers: 1701NYTANF, 1801NYTANF, 1901NYTANF, 2001NYTANF, 2101NYTANF, 2101NYTANFC6, 2201NYTAN3, 2201NYTANF, 2301NYTAN3, 2301NYTANF 1701NYCCDF, 2001NYCCC3, 2001NYCCDD, 2001NYTANF, 2101NYCCC5, 2101NYCCDD, 2101NYCCDF, 2101NYCCDM, 2101NYCDC6, 2101NYCSC6, 2101NYTANF, 2201NYCCDD, 2201NYTANF 1801NYADPT, 1901NYADPT, 2001NYADPT, 2101NYADPT, 2201NYADPT, 2301NYADPT 2101NYSOSR, 2101NYTANF, 2201NYSOSR, 2201NYTANF Federal Award Years: 2017, 2018, 2019, 2020, 2021, 2022, and 2023 State Agency: Office of Temporary and Disability Assistance Office of Children and Family Services Reference: 2023-013 Criteria Internal controls Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition New York State Information Technology Services (ITS) manages the IT environment for the Automated Claiming System (ACS). IT application controls for ACS are relied upon by Office of Temporary and Disability Assistance (OTDA) and the Office of Children and Family Services (OCFS) for the administration of claims submitted by the local districts that administer the following federal programs as subrecipients of the State of New York (the State): • Temporary Assistance for Needy Families • Social Services Block Grant • CCDF Cluster • Adoption Assistance ITS management of ACS includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the general information technology controls over ACS: 1) For 9 out of 13 instances related to de-provisioning of access for terminated employees to the ACS application, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. In 7 of the 9 instances, the terminated employee had ‘inquiry only’ access. Upon audit inquiry, we obtained system documentation for the 9 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. Furthermore, we conducted testing over provisioning access to the application and privileged access, including migrator and developer access, for the ACS system, and noted those users did not access the system after termination. We determined that none of these users were part of the migrator groups or developer groups or admin users. 2) Users with access rights allowing them to provision access to the ACS application were reviewing their own access as part of the periodic user access review control. As a result, we verified that all reviewers were active and appeared to be appropriate per job title/responsibility. We also verified the system configuration for the user access review and determined that it is configured to automatically revoke access after one year without access and is operating as designed. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The control was designed such that individuals with access rights that allow them to perform provisioning activities were responsible for reviewing their own access as part of the periodic user access review control. Possible Asserted Effect Failure to have a reliable general information technology environment over logical access may result in unauthorized changes being made to ACS, which may result in erroneous reliance on the operating effectiveness of automated information technology control over subrecipient payments allowability. Failure to have effective internal controls over subrecipient payments allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable  Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure either management personnel at the State agencies/entities are notifying their respective IT departments or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination from the State; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management restrict individuals with access rights that allow them to perform provisioning activities from reviewing their own access rights. Lastly, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Health and Human Services Federal Program: Social Services Block Grant (93.667) Federal Award Numbers: 2010NYSOR, 2201NYSOR, 2101NYTANF, 2021NYTANF Federal Award Years: 2021 and 2022 State Agency: Office of Children and Family Services Reference: 2023-014 Criteria Subrecipient monitoring Title U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.352(d) states all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved including ensuring that information related to eligible participants reported by the district offices used to compile the annual Post Expenditure Report is complete and accurate. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. Performance Reporting - Post-Expenditure Report The 42 USC 1397e requires states and territories to submit to the federal administering agency, the Office of Community Services, an annual Post Expenditure Report no later than six months following the close of the fiscal year. Internal controls Lastly, 45 CFR 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).  Condition During the fiscal year ended March 31, 2023, the Office of Children and Family Services (the Office) passed through $297,149,657 under the Social Services Block Grant (SSBG) program, to local districts (or subrecipients) to provide programmatic services under the SSBG program. As part of the funding arrangement, the local districts are responsible for the administration of the federal program, including ensuring that costs incurred under the federal program are in compliance with federal regulations. During the fiscal year ended March 31, 2023, we noted on an annual basis, the Office submits the Post-Expenditure Report to the Federal Office of Community Services. As part of the federal reporting process, the Office is required to report the number of eligible individuals who received services paid for in part or in whole with federal funds under the SSBG program. All participant services are provided directly by the local district offices. In order to obtain the number of eligible individuals by services category to be included on the report, the Department obtains the information directly from the Welfare Reporting and Tracking Systems (WRTS). The WRTS system contains data from the State’s Welfare Management System (WMS) and the Benefits Issuance Control System (BICS). As it is the responsibility of the district offices to determine eligibility for services, the Office is relying on the district offices to have data entered complete and accurate information within the WMS and BICS systems. During our testwork, there did not appear to be any monitoring procedures performed during the fiscal year ended March 31, 2023 to ensure that this information is complete and accurate and that benefits were only provided to eligible participants. Cause The condition found was primarily due to the monitoring procedures implemented by the Office does not include a review to ensure that the participant was eligible to receive services, which would assist in assuring that the data reported on the Post-Expenditure Report is accurate. Possible Asserted Effect The lack of executed monitoring procedures over subawards provided to subrecipients could result in the use of federal funding provided under the federal award not being in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Questioned Costs Cannot be determined. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding A similar finding was included in the 2022 Single Audit Report as finding number 2022-015 on pages 53-55. Recommendation We recommend that the Office should also review its monitoring procedures to ensure that they are reviewing to determine if participants were eligible to receive services to assist in assuring that the data reported within the annual Post-Expenditure Report is complete and accurate. Such monitoring activities should be performed at a precision level that would detect and identify errors in that could impact the accuracy of the annual Post-Expenditure Report.

Federal Agency: Department of Health and Human Services Federal Program: Block Grants for Community Mental Health Services (93.958) Federal Award Numbers: 6B09SM083819-01M001; 6B09SM083990-01M002; 1B09SM085374-01; 1B09SM085374-01; 1B09SM085902-01; 6B09SM086027-01M003 Federal Award Years: 2021 and 2022 State Agency: Office of Mental Health Reference: 2023-015 Criteria Maintenance of effort Title 42 U.S. Code 300x, Formula grants to States (42 USC 300x) section 300x-4(b)(1) states a funding agreement for a grant under this title is that the State involved will maintain State expenditures for community mental health services at a level that is not less than the average level of such expenditures maintained by the State for the 2-year period preceding the fiscal year for which the State is applying for the grant. Internal controls Additionally, Title 45 Code of Federal Regulations Part 75, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (45 CFR 75) section 303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the Federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Office of Mental Health (the Office) performed the annual maintenance of effort (MOE) calculation and submitted it to the Substance Abuse and Mental Health Services Administration. The source data for the calculation is a combination of data compiled by the Office's Community Budget and Financial Management Group and the Strategic Financial Direction Group. The source data for the reports are pulled from the NYS Statewide Financial System and the eMEDNY system. Data used in the calculations is linked to a live time data source and is a point in time data pull from the live data source. With the data being linked to the live time data source, any refinements and changes in data categorization would be reflected in the historical files. During our testing, we noted that while management did maintain the underlying supporting detail at the time of its submission of the annual MOE calculation, the integrity of the data was lost due to the linkage to the live time data source. As the underlying detail was unavailable due to the live time data links, we were unable to assess the completeness and accuracy of the State expenditures utilized to support the Office meeting the MOE requirement. Cause The condition caused was due to the Office's policies and procedures, including its internal control not designed to maintain appropriate supporting documentation related to the Maintenance of Effort calculation. Possible Asserted Effect Failure to maintain appropriate supporting documentation could result in the Office's inability to appropriately assess the degree of accuracy with respect to the maintenance of effort calculations and the amounts determined are not accurate and complete as reported to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Office review and enhance its policies, procedures, and internal controls to ensure that the sources of data be maintained to support the calculation of the Maintenance of Effort requirement for each grant.

Federal Agency: Department of Health and Human Services Federal Program: Block Grants for Community Mental Health Services (93.958) Federal Award Numbers: 6B09SM083819-01M001; 6B09SM083990-01M002; 1B09SM085374-01; 1B09SM085374-01; 1B09SM085902-01; 6B09SM086027-01M003 Federal Award Years: 2021 and 2022 State Agency: Office of Mental Health Reference: 2023-016 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards for HHS Awards, section 75.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 45 CFR 75.2 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Internal controls Lastly, 45 CFR 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Office of Mental Health (the Office) did not report awards granted to subrecipients for the Block Grants for Community Mental Health Services program for the period April 2022 through March 2023 as required by FFATA. FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers During our testing, we noted that the Office did not establish control procedures to submit FFATA reports for all subawards as required by federal regulations. During our testwork of 40 subawards, we noted the following exceptions: Cause The condition found was due to the Office not having controls in place to ensure that FFATA reporting was being performed for the period April 2022 – March 2023. Possible Asserted Effect Failure to submit all subawards passed-through to subrecipients and subcontractors under subawards as defined by 45 CFR 75.2 in the Office's FFATA reporting could result in the Office reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Office of Mental Health implement policies, procedures, and internal controls to ensure that all amounts passed-through to subrecipients and subcontractors under subawards as defined in 45 CFR 75.2 are reported in accordance with the FFATA federal regulations.

Federal Agency: Department of Health and Human Services Federal Program: Block Grants for Community Mental Health Services (93.958) Federal Award Numbers: 6B09SM083819-01M001; 6B09SM083990-01M002; 1B09SM085374-01; 1B09SM085374-01; 1B09SM085902-01; 6B09SM086027-01M003 Federal Award Years: 2021 and 2022 State Agency: Office of Mental Health Reference: 2023-017 Criteria Subrecipient monitoring Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, Section 352(a) states all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information include: (1) Federal Award Identification. i) Subrecipient name (which must match the name associated with its unique entity identifier; ii) Subrecipient’s unique entity identifier; iii) Federal Award Identification Number (FAIN); iv) Federal Award Date (see Section 75.2 Federal award date) of award to the recipient by the HHS awarding agency; v) Subaward Period of Performance Start and End Date; vi) Amount of Federal Funds Obligated by this action by the pass-through entity to the subrecipient; vii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity including the current obligation; viii) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity; ix) Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA); x) Name of HHS awarding agency, pass-through entity, and contract information for awarding official of the pass-through entity; xi) CFDA Number and Name; the pass-through entity must identify the dollar amount made available under each Federal award and the CFDA number at time of disbursement;  xii) Identification of whether the award is R&D; and xiii) Indirect cost rate for the Federal award (including if the de minimis rate is charged per Section 75.414). Title 45 Code of Federal Regulations Part 75, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (45 CFR 75), section 352(b) states all pass-through entities must evaluate each subrecipient's risk of noncompliance with Federal Statues, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring as described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with subpart F, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of HHS awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a HHS awarding agency). Additionally, 45 CFR 75.352(d) states all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by Section 75.521. 45 CFR 74.352(e) states depending upon the pass-through entity's assessment of risk posed by the sub recipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program related matters; and (2) Performing on-site reviews of the subrecipient's program operations; Further, 45 CFR 75.352(f) states the pass-through entity must verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient's Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in § 200.501. Internal controls Lastly, 45 CFR 75.303 (a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal Entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition During the fiscal year ended March 31, 2023, the Office of Mental Health (the Office) passed through $100,181,501 under the Block Grants for Community Mental Health Services program, to local districts and providers (subrecipients) to provide programmatic and administrative services. As part of the funding arrangement, the local districts and providers (subrecipients) are responsible for carrying out the programmatic services and use the funds to provide comprehensive, community‐based mental health services to adults with serious mental illnesses and to children with serious emotional disturbances and to monitor progress in implementing a comprehensive, community based mental health system. Funds are used for prevention, treatment, recovery support, and other services to supplement Medicaid, Medicare, and private insurance services. When subawards are made to subrecipients, the pass-through entities are required to communicate certain award information. The Office’s policies and procedures are not designed to ensure that award notifications are provided to subrecipients as required by 45 CFR 75.352(a). During our testwork of 40 subrecipient award notifications, we noted the following: 1. For 8 subrecipients, the Federal Award Identification Number (FAIN) was not provided. 2. For 11 subrecipients, which are all New York State Counties, there was no notification of access to records. 3. For 22 of the subrecipients, there was no notification of the DUNS number. All pass-through entities are required to perform a risk assessment over each subrecipient’s risk of noncompliance for purposes of determining appropriate subrecipient monitoring procedures. The Office did not perform an annual risk assessment process related to its subrecipients as required by 45 CFR 75.352(b). Additionally, all pass-through entities must monitor the activities of the subrecipient which must include review of financial and performance reports, follow up to ensure the subrecipient takes timely and appropriate action on any deficiencies identified, and issue a management decision for audit findings. The Office did not monitor and retain documentation of review of financial and performance reports, follow up to ensure appropriate action on any deficiencies identified, nor issue a management decision for audit findings. Lastly, all pass-through entities are required to verify each subrecipient is audited, if required. The Office did not ensure that all required single audits of the program’s subrecipients were received, reviewed, followed-up, or appropriate action was taken and as necessary issued a management decision pertaining to the audit finding in accordance with 45 CFR 75, as applicable. Cause The condition found is primarily due to the lack of written policies and procedures to ensure that: 1. all required award identification information per 45 CFR 75.352(a) is communicated to the subrecipients for each federal subaward period; 2. an appropriate risk assessment process is in place per 45 CFR 75.352(b);   3. during award monitoring procedures are performed per 45 CFR 75.352(d); and 4. review of the subrecipient single audit reports are performed per 45 CFR 75.352(f). Possible Asserted Effect Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award. Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures, failure to review financial and performance reports of subrecipients, as well as failure to obtain and review subrecipient single audit reports may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award. Questioned Costs Cannot be determined. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Office enhance its processes and internal controls over its reporting to the subrecipients of the federal program to ensure all award identification information required under 45 CFR 75.352(a) is provided to the subrecipients of the Office as data elements change or funding is passed-through. We recommend that the Office implement policies, procedures, and internal controls to ensure that risk assessments of subrecipients are performed on an annual basis to determine appropriate monitoring of subrecipients is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e). Lastly, we recommend that the Office implement policies, procedures, and internal controls to track and review all subrecipients’ single audit submissions per 45 CFR 75.252(f).

Federal Agency: United States Department of Health and Human Services Federal Program: Block Grants for Prevention and Treatment of Substance Abuse (93.959) Federal Award Numbers: 21B1NYSAPT, 21B1NYSAPTC5, 21B1NYSAPTC6, 21B3NYSAPTC6, 22B1NYSAPT Federal Award Years: 2021 and 2022 State Agency: Office of Addiction Services and Support Reference: 2023-018 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards for HHS Awards, section 75.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 45 CFR 75.2 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Internal controls Lastly, 45 CFR 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Office of Addition Services and Support (OASAS) did not report awards granted to subrecipients for the Block Grants for Prevention and Treatment of Substance Abuse program for the period April 2022 through March 2023 as required by FFATA. FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers During our testwork, we noted OASAS did not establish control procedures to submit FFATA reports for all subawards. We noted the following exceptions: Cause The condition found was due to staffing changes and constraints brought on by COVID-19, this requirement was not appropriately considered and FFATA reporting was not completed during the fiscal year.  Possible Asserted Effect Failure to submit all subawards passed-through to subrecipients and subcontractors under subawards as defined by 45 CFR 75.2 in OASAS’s FFATA reporting could result in OASAS reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend OASAS review and enhance its policies, procedures, and internal controls to ensure that all amounts passed-through to subrecipients and subcontractors under subawards as defined in 45 CFR 75.2 are reported in accordance with the FFATA federal regulations.

Federal Agency: United States Department of Health and Human Services Federal Program: Block Grants for Prevention and Treatment of Substance Abuse (93.959) Federal Award Numbers: 21B1NYSAPT, 21B1NYSAPTC5, 21B1NYSAPTC6, 21B3NYSAPTC6, 22B1NYSAPT Federal Award Years: 2021 and 2022 State Agency: Office of Addiction Services and Support Reference: 2023-019 Criteria Subrecipient monitoring Title 45 Code of Federal Regulations Part 75, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (45 CFR 75), section 352(b) states all pass-through entities must evaluate each subrecipient's risk of noncompliance with Federal Statues, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring as described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with subpart F, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of HHS awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a HHS awarding agency). Internal controls Further, 45 CFR 75.303 (a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal Entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition During our testwork, we noted the Office of Addiction Services and Support (OASAS) had developed and implemented a risk assessment process to help identify entities with higher risks that required additional monitoring procedures. Initially the risk assessment process begins with the programmatic input and is provided to the Fiscal Audit and Review Unit (FARU) to provide additional risk assessment factors. However, the agency was unable to provide documentation to support the additional risk factors considered by FARU. The documentation provided indicated that entities determined to be higher risk did not align with the entities selected and for which additional monitoring procedures were performed. Cause The condition found was because the agency was not able to provide documentation to support the additional risk factors considered by FARU that determined the higher risk entities reviewed for the fiscal year. Possible Asserted Effect Failure to properly document all program and fiscal risk factors considered in identifying higher risk subrecipients may result in inadequate incremental monitoring procedures being performed and subrecipients not being in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend the Office continue to enhance its subrecipient monitoring policies, procedures and internal control to help ensure the Office is monitoring subrecipients in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e). Such monitoring activities should be performed and documented to show all considerations made when determining which subrecipients would be subject to additional monitoring procedures.

Federal Agency: United States Department of Agriculture Federal Program: Child Nutrition Cluster (10.555, 10.559, and 10.582) Federal Award Numbers: 202323N119944, 202221N119944-SED Federal Award Years: 2022 and 2023 State Agency: State Education Department Reference: 2023-005 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, section 200.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 2 CFR 200.2 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Internal controls Lastly, 2 CFR 200.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers During our testwork, we noted for the period of December 2022 through March 2023, the State Education Department (the Department) did not timely report any amounts passed-through to its subrecipients. During our testwork of 40 subawards, we noted the following exceptions: Cause The condition found was due to staffing shortages and the responsibility for FFATA reporting was not transferred between employees. Possible Asserted Effect Failure to submit all subawards passed-through to subrecipients and subcontractors under subawards as defined by 2CFR 200.2 in SED’s FFATA reporting could result in the Department reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Department review and enhance its policies, procedures, and internal controls to ensure that all amounts passed-through to subrecipients and subcontractors under subawards as defined in 2 CFR 200.2 are reported in accordance with the FFATA federal regulations.

Federal Agency: United States Department of Agriculture Federal Program: Child Nutrition Cluster (10.555, 10.559, and 10.582) Federal Award Numbers: 202323N119944, 202221N119944-SED Federal Award Years: 2022 and 2023 State Agency: State Education Department Reference: 2023-005 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, section 200.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 2 CFR 200.2 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Internal controls Lastly, 2 CFR 200.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers During our testwork, we noted for the period of December 2022 through March 2023, the State Education Department (the Department) did not timely report any amounts passed-through to its subrecipients. During our testwork of 40 subawards, we noted the following exceptions: Cause The condition found was due to staffing shortages and the responsibility for FFATA reporting was not transferred between employees. Possible Asserted Effect Failure to submit all subawards passed-through to subrecipients and subcontractors under subawards as defined by 2CFR 200.2 in SED’s FFATA reporting could result in the Department reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Department review and enhance its policies, procedures, and internal controls to ensure that all amounts passed-through to subrecipients and subcontractors under subawards as defined in 2 CFR 200.2 are reported in accordance with the FFATA federal regulations.

Federal Agency: United States Department of Agriculture Federal Program: Child Nutrition Cluster (10.555, 10.559, and 10.582) Federal Award Numbers: 202323N119944, 202221N119944-SED Federal Award Years: 2022 and 2023 State Agency: State Education Department Reference: 2023-005 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, section 200.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 2 CFR 200.2 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Internal controls Lastly, 2 CFR 200.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers During our testwork, we noted for the period of December 2022 through March 2023, the State Education Department (the Department) did not timely report any amounts passed-through to its subrecipients. During our testwork of 40 subawards, we noted the following exceptions: Cause The condition found was due to staffing shortages and the responsibility for FFATA reporting was not transferred between employees. Possible Asserted Effect Failure to submit all subawards passed-through to subrecipients and subcontractors under subawards as defined by 2CFR 200.2 in SED’s FFATA reporting could result in the Department reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Department review and enhance its policies, procedures, and internal controls to ensure that all amounts passed-through to subrecipients and subcontractors under subawards as defined in 2 CFR 200.2 are reported in accordance with the FFATA federal regulations.

Federal Agency: United States Department of Housing and Urban Development Federal Program: CDBG – Disaster Recovery Grants – Pub. L. No. 113-2 Cluster (14.269, 14.272) Federal Award Number: B13DS360001 Federal Award Years: 2013 State Agency: Housing Trust Fund Corporation and Governor’s Office of Storm Recovery Reference: 2023-006 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, herein referred to as the "Transparency Act" that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200) Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, section 200.1 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 2 CFR 200.1 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal program; but does not include an individual that is a beneficiary of such program. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Internal controls Lastly, 2 CFR 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the Federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).  Condition The Housing Trust Fund Corporation (HTFC) did not report awards granted to subrecipients for the CDBG – Disaster Recovery Grants program for the period April 2022 through March 2023 as required by FFATA. FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers During our testing, we noted that HTFC did not establish control procedures to submit FFATA reports for all subawards as required by federal regulations. During our testwork of 7 subawards and 6 amendments, we noted the following exceptions: *For the 5 of 7 sampled subawards, the subaward amounts of $191,367,261 were incorrectly reported in FSRS as $7,757,484,755. **For one of the 7 sampled subawards the obligation date did not agree to FSRS and 7 of 7 subawards were missing the date of report submission (key data element). Cause The condition found was due to HTFC not reporting any amounts passed-through to subrecipients for the period April 2022 – March 2023 because the responsibility for FFATA reporting was not transferred between employees. Possible Asserted Effect Failure to submit all subaward amounts passed-through to subrecipients and subcontractors under subawards as defined by 2 CFR 200.1 in HTFC’s FFATA reporting could result in HTFC reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that HTFC review and enhance its policies, procedures, and internal controls to ensure that all amounts passed-through to subrecipients and subcontractors under subawards as defined in 2 CFR 200.1 are reported in accordance with the FFATA federal regulations. In addition, we recommend that HTFC use obligation date for FFATA reporting.

Federal Agency: United States Department of Labor Federal Program: Unemployment Insurance (17.225) Federal Award Numbers: Not Applicable Federal Award Years : Not Applicable State Agency: Department of Labor Reference: 2023-007 Criteria Special Tests and Provisions – UI Benefit Payments The Payments Integrity Information Act (PIIA) of 2019 codified the requirement for valid statistical estimates of improper payments. by Title 20 Code of Federal Regulations Part 602 (20 CFR 602), Quality Control in the Federal-State Unemployment System, prescribes a Quality Control (QC) program for the Federal-State unemployment compensation (UC) system, which is appliable to the State UC programs and the Federal unemployment benefit and allowance programs administered by the State unemployment compensation agencies under agreements between the States and the Secretary of Labor. 20 CFR 602.11(d) states to satisfy the requirements of Section 303(a)(1) and (6) of the Social Security Act (SSA) (42 USC 503), a State law must contain a provision requiring, or which is construed to require, the establishment and maintenance of a QC program in accordance with the requirements of this part. The establishment and maintenance of such a QC program in accordance with this part shall not require any change in State law concerning authority to undertake redeterminations of claims or liabilities or the finality of any determination, redetermination or decision. Each State shall establish a QC unit independent of, and not accountable to, any unit performing functions subject to evaluation by the QC unit. The organizational location of this unit shall be positioned to maximize its objectivity, to facilitate its access to information necessary to carry out its responsibilities, and to minimize organizational conflict of interest. Per 20 CFR 602.21 – Standard methods and Procedures, Each State Shall: (a) Perform the requirements of this section in accordance with instructions issued by the Department, pursuant to § 602.30(a) of this part, to ensure standardization of methods and procedures in a manner consistent with this part; (b) Select representative samples for QC study of at least a minimum size specified by the Department to ensure statistical validity (for benefit payments, a minimum of 400 cases of weeks paid per State per year);   (c) Complete prompt and in-depth case investigations to determine the degree of accuracy and timeliness in the administration of the State UC law and Federal programs with respect to benefit determinations, benefit payments, and revenue collections; and conduct other measurements and studies necessary or appropriate for carrying out the purposes of this part; and in conducting investigations each State shall: (1) Inform claimants in writing that the information obtained from a QC investigation may affect their eligibility for benefits and inform employers in writing that the information obtained from a QC investigation of revenue may affect their tax liability, (2) Use a questionnaire, prescribed by the Department, which is designed to obtain such data as the Department deems necessary for the operation of the QC program; require completion of the questionnaire by claimants in accordance with the eligibility and reporting authority under State law, (3) Collect data identified by the Department as necessary for the operation of the QC program; however, the collection of demographic data will be limited to those data which relate to an individual's eligibility for UC benefits and necessary to conduct proportions tests to validate the selection of representative samples (the demographic data elements necessary to conduct proportions tests are claimants' date of birth, sex, and ethnic classification); and (4) Conclude all findings of inaccuracy as d(a) Perform the requirements of this section in accordance with instructions issued by the Department, pursuant to § 602.30(a) of this part, to ensure standardization of methods and procedures in a manner consistent with this part; (d) Classify benefit case findings resulting from QC investigations as: (1) Proper payments, underpayments, or overpayments in benefit payment cases, or (2) Proper denials or underpayments in benefit denial cases; (e) Make and maintain records pertaining to the QC program, and make all such records available in a timely manner for inspection, examination, and audit by such Federal officials as the Secretary may designate or as may be required or authorized by law; (f) Furnish information and reports to the Department, including weekly transmissions of case data entered into the automated QC system and annual reports, without, in any manner, identifying individuals to whom such data pertain; and (g) Release the results of the QC program at the same time each year, providing calendar year results using a standardized format to present the data as prescribed by the Department; States will have the opportunity to release this information prior to any release by the Department. Internal controls Additionally, Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200) Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, section 303(a) states, the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statues, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Benefit Accuracy Measurement (BAM) programs consists of reviews of Regular Unemployment Insurance (UI) payments, which are paid out of the Unemployment Insurance Trust Fund, and therefore are not associated with a Federal Award Number. For the period ending September 30, 2022, NYS failed the 90- and 120-day time lapse requirement for both Paid and Denied Claims. For the month of September 2022, for Paid Claims, 92.08% of cases were reviewed and closed within 90 days, less than 3% short of the required 95%. Similarly, 96.25% of cases were reviewed and closed within 120 days, less than 2% short of the required 98% federal benchmark. Also, for the month of September 2022, for Denied Claims, 96.66% of cases were reviewed and closed within 120 days, less than 2% short of the required 98%. Cause The condition related to the time lapse requirements results from a shortage of staff and backlogged cases. As a result, the Department was unable to meet all case allocation and timely review requirements. Possible Asserted Effect Failure to perform timely completion of investigations results in the inability of UI Program to appropriately assess the degree of accuracy and timeliness in the administration of the State UC law and federal programs with respect to benefit determinations, benefit payments, and revenue collections. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding A similar finding for the Department was included in the 2022 Single Audit Report as finding number 2022-004 at pages 25-27. Recommendation We recommend that the Department ensures that their polices and procedures are designed to review selected cases to ensure they meet the prescribed criteria and, if necessary, be replaced as part of the final sampling week for the PIIA year. Additionally, the Department should enhance its process to ensure the completion of Paid and Denied cases are reviewed and closed timely in accordance with State Law.

Federal Agency: United States Department of Health and Human Services Federal Program: CCDF Cluster (93.489, 93.575 and 93.596) Federal Award Numbers: 2001NYCCDD, 2101NYCCDD, 2201NYCCDD, 2001NYTANF, 2101NYTANF 2201NYTANF Federal Award Years: 2020, 2021, 2022 State Agency: Office of Children and Family Services Reference: 2023-011 Criteria Subrecipient monitoring Title U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.352(d) states all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved, including the requirements contained in 45 CFR section 98.60, related to the recovery of child care payments that are the result of fraud as these payments shall be recovered from the party responsible for committing the fraud. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. Additionally, 45 CFR 75.352(b) states all pass-through entities must evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring, which may include consideration of such factors as: (1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with subpart F, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of HHS awarding agency monitoring (e.g., if the subrecipient also receives federal awards directly from a HHS awarding agency).  Further, 45 CFR 75.352(e) sates, depending upon the pass-through entity’s assessment of risk posed by the subrecipient, the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; (2) Performing on-site reviews of the subrecipient’s program operations; and (3) Arranging for agreed-upon procedures engagements as described in 45 CFR 75.425. Internal controls Lastly, 45 CFR 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition During the fiscal year ended March 31, 2023, the Office of Children and Family Services (the Office) passed through approximately $530 million under the CCDF Cluster, to local districts (or subrecipients) to provide programmatic services under the CCDF Cluster. As part of the funding arrangement, the local districts are responsible for the administration of the federal program, including performing participant benefit eligibility determinations, payment of childcare subsidies, and monitoring for fraud. During our testwork over the subrecipient monitoring process we identified the following: 1. The Office prepared its annual risk assessment process and assessed risk related to its subrecipients/local districts. For the State fiscal year ended March 31, 2023, we noted that the Office did not select subrecipients/local districts based upon their risk assessment and only performed and completed one monitoring visit during the audit period. 2. The subrecipients/local districts are responsible for implementing policies and procedures related to fraud and improper payments. The Office requires each subrecipient/local district to have a plan in place for fraud detection that is reviewed and approved by the Office. As part of its monitoring procedures the Office has general inquiries it makes related to plan itself and will identify as part of its case review if the selected case was an improper payment. While these inquiries were made, we were not able to obtain any documented evidence that supports the results of those discussions, and the issued report for the one monitoring review selected for testwork also did not comment on these discussions. As a result, we could not verify through written documentation that the Office performed any monitoring to ensure that the subrecipient/local district is in compliance with its approved plan.  Cause The condition found was primarily due to the Office developing a new monitoring plan for the subrecipients/local districts during fiscal year 2023, of which would be implemented during fiscal year 2024. Additionally, the Office does not document the results of the monitoring procedures performed over the fraud and improper payment plans in place at the subrecipients/local districts. Possible Asserted Effect The lack of executed monitoring procedures over subawards provided to subrecipients/local districts could result in the use of federal funding provided under the federal award not being in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Questioned Costs Cannot be determined. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Office enhance its subrecipient monitoring policies, procedures and internal controls to ensure the Office is monitoring subrecipients/local districts in accordance with the federal requirements. The Office should also ensure its monitoring procedures include a review of the fraud and improper payment plans at the subrecipients/local districts.

Federal Agency: United States Department of Health and Human Services Federal Program: CCDF Cluster (93.489, 93.575 and 93.596) Federal Award Numbers: 2001NYCCDD, 2101NYCCDD, 2201NYCCDD, 2001NYTANF, 2101NYTANF 2201NYTANF Federal Award Years: 2020, 2021, 2022 State Agency: Office of Children and Family Services Reference: 2023-011 Criteria Subrecipient monitoring Title U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.352(d) states all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved, including the requirements contained in 45 CFR section 98.60, related to the recovery of child care payments that are the result of fraud as these payments shall be recovered from the party responsible for committing the fraud. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. Additionally, 45 CFR 75.352(b) states all pass-through entities must evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring, which may include consideration of such factors as: (1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with subpart F, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of HHS awarding agency monitoring (e.g., if the subrecipient also receives federal awards directly from a HHS awarding agency).  Further, 45 CFR 75.352(e) sates, depending upon the pass-through entity’s assessment of risk posed by the subrecipient, the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; (2) Performing on-site reviews of the subrecipient’s program operations; and (3) Arranging for agreed-upon procedures engagements as described in 45 CFR 75.425. Internal controls Lastly, 45 CFR 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition During the fiscal year ended March 31, 2023, the Office of Children and Family Services (the Office) passed through approximately $530 million under the CCDF Cluster, to local districts (or subrecipients) to provide programmatic services under the CCDF Cluster. As part of the funding arrangement, the local districts are responsible for the administration of the federal program, including performing participant benefit eligibility determinations, payment of childcare subsidies, and monitoring for fraud. During our testwork over the subrecipient monitoring process we identified the following: 1. The Office prepared its annual risk assessment process and assessed risk related to its subrecipients/local districts. For the State fiscal year ended March 31, 2023, we noted that the Office did not select subrecipients/local districts based upon their risk assessment and only performed and completed one monitoring visit during the audit period. 2. The subrecipients/local districts are responsible for implementing policies and procedures related to fraud and improper payments. The Office requires each subrecipient/local district to have a plan in place for fraud detection that is reviewed and approved by the Office. As part of its monitoring procedures the Office has general inquiries it makes related to plan itself and will identify as part of its case review if the selected case was an improper payment. While these inquiries were made, we were not able to obtain any documented evidence that supports the results of those discussions, and the issued report for the one monitoring review selected for testwork also did not comment on these discussions. As a result, we could not verify through written documentation that the Office performed any monitoring to ensure that the subrecipient/local district is in compliance with its approved plan.  Cause The condition found was primarily due to the Office developing a new monitoring plan for the subrecipients/local districts during fiscal year 2023, of which would be implemented during fiscal year 2024. Additionally, the Office does not document the results of the monitoring procedures performed over the fraud and improper payment plans in place at the subrecipients/local districts. Possible Asserted Effect The lack of executed monitoring procedures over subawards provided to subrecipients/local districts could result in the use of federal funding provided under the federal award not being in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Questioned Costs Cannot be determined. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Office enhance its subrecipient monitoring policies, procedures and internal controls to ensure the Office is monitoring subrecipients/local districts in accordance with the federal requirements. The Office should also ensure its monitoring procedures include a review of the fraud and improper payment plans at the subrecipients/local districts.

Federal Agency: United States Department of Health and Human Services Federal Program: CCDF Cluster (93.489, 93.575 and 93.596) Federal Award Numbers: 2001NYCCDD, 2101NYCCDD, 2201NYCCDD, 2001NYTANF, 2101NYTANF 2201NYTANF Federal Award Years: 2020, 2021, 2022 State Agency: Office of Children and Family Services Reference: 2023-011 Criteria Subrecipient monitoring Title U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.352(d) states all pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved, including the requirements contained in 45 CFR section 98.60, related to the recovery of child care payments that are the result of fraud as these payments shall be recovered from the party responsible for committing the fraud. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. Additionally, 45 CFR 75.352(b) states all pass-through entities must evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring, which may include consideration of such factors as: (1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with subpart F, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of HHS awarding agency monitoring (e.g., if the subrecipient also receives federal awards directly from a HHS awarding agency).  Further, 45 CFR 75.352(e) sates, depending upon the pass-through entity’s assessment of risk posed by the subrecipient, the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; (2) Performing on-site reviews of the subrecipient’s program operations; and (3) Arranging for agreed-upon procedures engagements as described in 45 CFR 75.425. Internal controls Lastly, 45 CFR 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition During the fiscal year ended March 31, 2023, the Office of Children and Family Services (the Office) passed through approximately $530 million under the CCDF Cluster, to local districts (or subrecipients) to provide programmatic services under the CCDF Cluster. As part of the funding arrangement, the local districts are responsible for the administration of the federal program, including performing participant benefit eligibility determinations, payment of childcare subsidies, and monitoring for fraud. During our testwork over the subrecipient monitoring process we identified the following: 1. The Office prepared its annual risk assessment process and assessed risk related to its subrecipients/local districts. For the State fiscal year ended March 31, 2023, we noted that the Office did not select subrecipients/local districts based upon their risk assessment and only performed and completed one monitoring visit during the audit period. 2. The subrecipients/local districts are responsible for implementing policies and procedures related to fraud and improper payments. The Office requires each subrecipient/local district to have a plan in place for fraud detection that is reviewed and approved by the Office. As part of its monitoring procedures the Office has general inquiries it makes related to plan itself and will identify as part of its case review if the selected case was an improper payment. While these inquiries were made, we were not able to obtain any documented evidence that supports the results of those discussions, and the issued report for the one monitoring review selected for testwork also did not comment on these discussions. As a result, we could not verify through written documentation that the Office performed any monitoring to ensure that the subrecipient/local district is in compliance with its approved plan.  Cause The condition found was primarily due to the Office developing a new monitoring plan for the subrecipients/local districts during fiscal year 2023, of which would be implemented during fiscal year 2024. Additionally, the Office does not document the results of the monitoring procedures performed over the fraud and improper payment plans in place at the subrecipients/local districts. Possible Asserted Effect The lack of executed monitoring procedures over subawards provided to subrecipients/local districts could result in the use of federal funding provided under the federal award not being in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Questioned Costs Cannot be determined. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that the Office enhance its subrecipient monitoring policies, procedures and internal controls to ensure the Office is monitoring subrecipients/local districts in accordance with the federal requirements. The Office should also ensure its monitoring procedures include a review of the fraud and improper payment plans at the subrecipients/local districts.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) Federal Award Numbers: 2101NYTANF, 2201NYTANF, 2301NYTAN3, 2301NYTANF Federal Award Years: 2021, 2022 and 2023 State Agency: Office of Temporary and Disability Assistance Reference: 2023-012 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements who make first tier subawards of $30,000 or more are required to register in the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) and report subaward data through FSRS. Aspects of the Transparency Act, as amended by Section 6202(a) of the Government Funding Transparency Act of 2008 (Pub. L. No. 111-252), that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards for HHS Awards, section 75.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a Federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a Federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 45 CFR 75.2 defines Subrecipient as a non-Federal entity that receives a subaward from a passthrough entity to carry out part of a Federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a Federal awarding agency. Internal controls Lastly, 45 CFR 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Office of Temporary and Disability Assistance (the Office) did not correctly report awards granted to some of its subrecipients for the Temporary Assistance for Needy Families program for the period April 2022 through March 2023 as required by FFATA. FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers For the period of April 2022 to March 2023, the Office of Temporary and Disability Assistance (the Office) incorrectly reported some of the subrecipient expenditures over $30,000. As a result of our testwork over this period we noted the following: During our testing, we noted the Office's control procedures did not identify incorrect amounts reported during its FFATA submission for some of its subrecipients. We noted the following exceptions: The Office incorrectly reported 11 subawards for a total of $22,013. For 5 of the 11 awards, the amount was incorrect due to a data entry error resulting in a $22,013 difference. For 6 of the 11 awards, the incorrect subaward number was reported due to a data entry error. The amount was reported correctly, however, the subaward was incorrect and therefore the net difference in the amount was $0. Cause The condition is due to oversight errors when submitting the reports. All information was entered and recorded, however the review was not at a level of precision to identify data entry errors prior to submission of the reports. Possible Asserted Effect Failure to correctly submit all subawards passed-through to subrecipients and subcontractors under subawards as defined by 45 CFR 75.2 in the Office's FFATA reporting could result in the Office reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding A similar finding was included in the 2022 Single Audit Report as finding number 2022-012 on pages 45–47. Recommendation We recommend that the Office enhance its review of the submissions of the amounts passed-through to subrecipients and subcontractors under subawards as defined in 45 CFR 75.2 that are reported in accordance with the FFATA federal regulations to ensure its at a level of precision to identify data entry errors prior to submission.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) CCDF Cluster (93.575 and 93.596) Adoption Assistance (93.659) Social Services Block Grant (93.667) Federal Award Numbers: 1701NYTANF, 1801NYTANF, 1901NYTANF, 2001NYTANF, 2101NYTANF, 2101NYTANFC6, 2201NYTAN3, 2201NYTANF, 2301NYTAN3, 2301NYTANF 1701NYCCDF, 2001NYCCC3, 2001NYCCDD, 2001NYTANF, 2101NYCCC5, 2101NYCCDD, 2101NYCCDF, 2101NYCCDM, 2101NYCDC6, 2101NYCSC6, 2101NYTANF, 2201NYCCDD, 2201NYTANF 1801NYADPT, 1901NYADPT, 2001NYADPT, 2101NYADPT, 2201NYADPT, 2301NYADPT 2101NYSOSR, 2101NYTANF, 2201NYSOSR, 2201NYTANF Federal Award Years: 2017, 2018, 2019, 2020, 2021, 2022, and 2023 State Agency: Office of Temporary and Disability Assistance Office of Children and Family Services Reference: 2023-013 Criteria Internal controls Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition New York State Information Technology Services (ITS) manages the IT environment for the Automated Claiming System (ACS). IT application controls for ACS are relied upon by Office of Temporary and Disability Assistance (OTDA) and the Office of Children and Family Services (OCFS) for the administration of claims submitted by the local districts that administer the following federal programs as subrecipients of the State of New York (the State): • Temporary Assistance for Needy Families • Social Services Block Grant • CCDF Cluster • Adoption Assistance ITS management of ACS includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the general information technology controls over ACS: 1) For 9 out of 13 instances related to de-provisioning of access for terminated employees to the ACS application, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. In 7 of the 9 instances, the terminated employee had ‘inquiry only’ access. Upon audit inquiry, we obtained system documentation for the 9 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. Furthermore, we conducted testing over provisioning access to the application and privileged access, including migrator and developer access, for the ACS system, and noted those users did not access the system after termination. We determined that none of these users were part of the migrator groups or developer groups or admin users. 2) Users with access rights allowing them to provision access to the ACS application were reviewing their own access as part of the periodic user access review control. As a result, we verified that all reviewers were active and appeared to be appropriate per job title/responsibility. We also verified the system configuration for the user access review and determined that it is configured to automatically revoke access after one year without access and is operating as designed. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The control was designed such that individuals with access rights that allow them to perform provisioning activities were responsible for reviewing their own access as part of the periodic user access review control. Possible Asserted Effect Failure to have a reliable general information technology environment over logical access may result in unauthorized changes being made to ACS, which may result in erroneous reliance on the operating effectiveness of automated information technology control over subrecipient payments allowability. Failure to have effective internal controls over subrecipient payments allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable  Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure either management personnel at the State agencies/entities are notifying their respective IT departments or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination from the State; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management restrict individuals with access rights that allow them to perform provisioning activities from reviewing their own access rights. Lastly, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) CCDF Cluster (93.575 and 93.596) Adoption Assistance (93.659) Social Services Block Grant (93.667) Federal Award Numbers: 1701NYTANF, 1801NYTANF, 1901NYTANF, 2001NYTANF, 2101NYTANF, 2101NYTANFC6, 2201NYTAN3, 2201NYTANF, 2301NYTAN3, 2301NYTANF 1701NYCCDF, 2001NYCCC3, 2001NYCCDD, 2001NYTANF, 2101NYCCC5, 2101NYCCDD, 2101NYCCDF, 2101NYCCDM, 2101NYCDC6, 2101NYCSC6, 2101NYTANF, 2201NYCCDD, 2201NYTANF 1801NYADPT, 1901NYADPT, 2001NYADPT, 2101NYADPT, 2201NYADPT, 2301NYADPT 2101NYSOSR, 2101NYTANF, 2201NYSOSR, 2201NYTANF Federal Award Years: 2017, 2018, 2019, 2020, 2021, 2022, and 2023 State Agency: Office of Temporary and Disability Assistance Office of Children and Family Services Reference: 2023-013 Criteria Internal controls Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition New York State Information Technology Services (ITS) manages the IT environment for the Automated Claiming System (ACS). IT application controls for ACS are relied upon by Office of Temporary and Disability Assistance (OTDA) and the Office of Children and Family Services (OCFS) for the administration of claims submitted by the local districts that administer the following federal programs as subrecipients of the State of New York (the State): • Temporary Assistance for Needy Families • Social Services Block Grant • CCDF Cluster • Adoption Assistance ITS management of ACS includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the general information technology controls over ACS: 1) For 9 out of 13 instances related to de-provisioning of access for terminated employees to the ACS application, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. In 7 of the 9 instances, the terminated employee had ‘inquiry only’ access. Upon audit inquiry, we obtained system documentation for the 9 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. Furthermore, we conducted testing over provisioning access to the application and privileged access, including migrator and developer access, for the ACS system, and noted those users did not access the system after termination. We determined that none of these users were part of the migrator groups or developer groups or admin users. 2) Users with access rights allowing them to provision access to the ACS application were reviewing their own access as part of the periodic user access review control. As a result, we verified that all reviewers were active and appeared to be appropriate per job title/responsibility. We also verified the system configuration for the user access review and determined that it is configured to automatically revoke access after one year without access and is operating as designed. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The control was designed such that individuals with access rights that allow them to perform provisioning activities were responsible for reviewing their own access as part of the periodic user access review control. Possible Asserted Effect Failure to have a reliable general information technology environment over logical access may result in unauthorized changes being made to ACS, which may result in erroneous reliance on the operating effectiveness of automated information technology control over subrecipient payments allowability. Failure to have effective internal controls over subrecipient payments allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable  Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure either management personnel at the State agencies/entities are notifying their respective IT departments or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination from the State; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management restrict individuals with access rights that allow them to perform provisioning activities from reviewing their own access rights. Lastly, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) CCDF Cluster (93.575 and 93.596) Adoption Assistance (93.659) Social Services Block Grant (93.667) Federal Award Numbers: 1701NYTANF, 1801NYTANF, 1901NYTANF, 2001NYTANF, 2101NYTANF, 2101NYTANFC6, 2201NYTAN3, 2201NYTANF, 2301NYTAN3, 2301NYTANF 1701NYCCDF, 2001NYCCC3, 2001NYCCDD, 2001NYTANF, 2101NYCCC5, 2101NYCCDD, 2101NYCCDF, 2101NYCCDM, 2101NYCDC6, 2101NYCSC6, 2101NYTANF, 2201NYCCDD, 2201NYTANF 1801NYADPT, 1901NYADPT, 2001NYADPT, 2101NYADPT, 2201NYADPT, 2301NYADPT 2101NYSOSR, 2101NYTANF, 2201NYSOSR, 2201NYTANF Federal Award Years: 2017, 2018, 2019, 2020, 2021, 2022, and 2023 State Agency: Office of Temporary and Disability Assistance Office of Children and Family Services Reference: 2023-013 Criteria Internal controls Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition New York State Information Technology Services (ITS) manages the IT environment for the Automated Claiming System (ACS). IT application controls for ACS are relied upon by Office of Temporary and Disability Assistance (OTDA) and the Office of Children and Family Services (OCFS) for the administration of claims submitted by the local districts that administer the following federal programs as subrecipients of the State of New York (the State): • Temporary Assistance for Needy Families • Social Services Block Grant • CCDF Cluster • Adoption Assistance ITS management of ACS includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the general information technology controls over ACS: 1) For 9 out of 13 instances related to de-provisioning of access for terminated employees to the ACS application, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. In 7 of the 9 instances, the terminated employee had ‘inquiry only’ access. Upon audit inquiry, we obtained system documentation for the 9 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. Furthermore, we conducted testing over provisioning access to the application and privileged access, including migrator and developer access, for the ACS system, and noted those users did not access the system after termination. We determined that none of these users were part of the migrator groups or developer groups or admin users. 2) Users with access rights allowing them to provision access to the ACS application were reviewing their own access as part of the periodic user access review control. As a result, we verified that all reviewers were active and appeared to be appropriate per job title/responsibility. We also verified the system configuration for the user access review and determined that it is configured to automatically revoke access after one year without access and is operating as designed. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The control was designed such that individuals with access rights that allow them to perform provisioning activities were responsible for reviewing their own access as part of the periodic user access review control. Possible Asserted Effect Failure to have a reliable general information technology environment over logical access may result in unauthorized changes being made to ACS, which may result in erroneous reliance on the operating effectiveness of automated information technology control over subrecipient payments allowability. Failure to have effective internal controls over subrecipient payments allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable  Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure either management personnel at the State agencies/entities are notifying their respective IT departments or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination from the State; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management restrict individuals with access rights that allow them to perform provisioning activities from reviewing their own access rights. Lastly, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) CCDF Cluster (93.575 and 93.596) Adoption Assistance (93.659) Social Services Block Grant (93.667) Federal Award Numbers: 1701NYTANF, 1801NYTANF, 1901NYTANF, 2001NYTANF, 2101NYTANF, 2101NYTANFC6, 2201NYTAN3, 2201NYTANF, 2301NYTAN3, 2301NYTANF 1701NYCCDF, 2001NYCCC3, 2001NYCCDD, 2001NYTANF, 2101NYCCC5, 2101NYCCDD, 2101NYCCDF, 2101NYCCDM, 2101NYCDC6, 2101NYCSC6, 2101NYTANF, 2201NYCCDD, 2201NYTANF 1801NYADPT, 1901NYADPT, 2001NYADPT, 2101NYADPT, 2201NYADPT, 2301NYADPT 2101NYSOSR, 2101NYTANF, 2201NYSOSR, 2201NYTANF Federal Award Years: 2017, 2018, 2019, 2020, 2021, 2022, and 2023 State Agency: Office of Temporary and Disability Assistance Office of Children and Family Services Reference: 2023-013 Criteria Internal controls Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition New York State Information Technology Services (ITS) manages the IT environment for the Automated Claiming System (ACS). IT application controls for ACS are relied upon by Office of Temporary and Disability Assistance (OTDA) and the Office of Children and Family Services (OCFS) for the administration of claims submitted by the local districts that administer the following federal programs as subrecipients of the State of New York (the State): • Temporary Assistance for Needy Families • Social Services Block Grant • CCDF Cluster • Adoption Assistance ITS management of ACS includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the general information technology controls over ACS: 1) For 9 out of 13 instances related to de-provisioning of access for terminated employees to the ACS application, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. In 7 of the 9 instances, the terminated employee had ‘inquiry only’ access. Upon audit inquiry, we obtained system documentation for the 9 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. Furthermore, we conducted testing over provisioning access to the application and privileged access, including migrator and developer access, for the ACS system, and noted those users did not access the system after termination. We determined that none of these users were part of the migrator groups or developer groups or admin users. 2) Users with access rights allowing them to provision access to the ACS application were reviewing their own access as part of the periodic user access review control. As a result, we verified that all reviewers were active and appeared to be appropriate per job title/responsibility. We also verified the system configuration for the user access review and determined that it is configured to automatically revoke access after one year without access and is operating as designed. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The control was designed such that individuals with access rights that allow them to perform provisioning activities were responsible for reviewing their own access as part of the periodic user access review control. Possible Asserted Effect Failure to have a reliable general information technology environment over logical access may result in unauthorized changes being made to ACS, which may result in erroneous reliance on the operating effectiveness of automated information technology control over subrecipient payments allowability. Failure to have effective internal controls over subrecipient payments allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable  Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure either management personnel at the State agencies/entities are notifying their respective IT departments or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination from the State; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management restrict individuals with access rights that allow them to perform provisioning activities from reviewing their own access rights. Lastly, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) CCDF Cluster (93.575 and 93.596) Adoption Assistance (93.659) Social Services Block Grant (93.667) Federal Award Numbers: 1701NYTANF, 1801NYTANF, 1901NYTANF, 2001NYTANF, 2101NYTANF, 2101NYTANFC6, 2201NYTAN3, 2201NYTANF, 2301NYTAN3, 2301NYTANF 1701NYCCDF, 2001NYCCC3, 2001NYCCDD, 2001NYTANF, 2101NYCCC5, 2101NYCCDD, 2101NYCCDF, 2101NYCCDM, 2101NYCDC6, 2101NYCSC6, 2101NYTANF, 2201NYCCDD, 2201NYTANF 1801NYADPT, 1901NYADPT, 2001NYADPT, 2101NYADPT, 2201NYADPT, 2301NYADPT 2101NYSOSR, 2101NYTANF, 2201NYSOSR, 2201NYTANF Federal Award Years: 2017, 2018, 2019, 2020, 2021, 2022, and 2023 State Agency: Office of Temporary and Disability Assistance Office of Children and Family Services Reference: 2023-013 Criteria Internal controls Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition New York State Information Technology Services (ITS) manages the IT environment for the Automated Claiming System (ACS). IT application controls for ACS are relied upon by Office of Temporary and Disability Assistance (OTDA) and the Office of Children and Family Services (OCFS) for the administration of claims submitted by the local districts that administer the following federal programs as subrecipients of the State of New York (the State): • Temporary Assistance for Needy Families • Social Services Block Grant • CCDF Cluster • Adoption Assistance ITS management of ACS includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the general information technology controls over ACS: 1) For 9 out of 13 instances related to de-provisioning of access for terminated employees to the ACS application, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. In 7 of the 9 instances, the terminated employee had ‘inquiry only’ access. Upon audit inquiry, we obtained system documentation for the 9 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. Furthermore, we conducted testing over provisioning access to the application and privileged access, including migrator and developer access, for the ACS system, and noted those users did not access the system after termination. We determined that none of these users were part of the migrator groups or developer groups or admin users. 2) Users with access rights allowing them to provision access to the ACS application were reviewing their own access as part of the periodic user access review control. As a result, we verified that all reviewers were active and appeared to be appropriate per job title/responsibility. We also verified the system configuration for the user access review and determined that it is configured to automatically revoke access after one year without access and is operating as designed. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The control was designed such that individuals with access rights that allow them to perform provisioning activities were responsible for reviewing their own access as part of the periodic user access review control. Possible Asserted Effect Failure to have a reliable general information technology environment over logical access may result in unauthorized changes being made to ACS, which may result in erroneous reliance on the operating effectiveness of automated information technology control over subrecipient payments allowability. Failure to have effective internal controls over subrecipient payments allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable  Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure either management personnel at the State agencies/entities are notifying their respective IT departments or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination from the State; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management restrict individuals with access rights that allow them to perform provisioning activities from reviewing their own access rights. Lastly, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) CCDF Cluster (93.575 and 93.596) Adoption Assistance (93.659) Social Services Block Grant (93.667) Federal Award Numbers: 1701NYTANF, 1801NYTANF, 1901NYTANF, 2001NYTANF, 2101NYTANF, 2101NYTANFC6, 2201NYTAN3, 2201NYTANF, 2301NYTAN3, 2301NYTANF 1701NYCCDF, 2001NYCCC3, 2001NYCCDD, 2001NYTANF, 2101NYCCC5, 2101NYCCDD, 2101NYCCDF, 2101NYCCDM, 2101NYCDC6, 2101NYCSC6, 2101NYTANF, 2201NYCCDD, 2201NYTANF 1801NYADPT, 1901NYADPT, 2001NYADPT, 2101NYADPT, 2201NYADPT, 2301NYADPT 2101NYSOSR, 2101NYTANF, 2201NYSOSR, 2201NYTANF Federal Award Years: 2017, 2018, 2019, 2020, 2021, 2022, and 2023 State Agency: Office of Temporary and Disability Assistance Office of Children and Family Services Reference: 2023-013 Criteria Internal controls Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition New York State Information Technology Services (ITS) manages the IT environment for the Automated Claiming System (ACS). IT application controls for ACS are relied upon by Office of Temporary and Disability Assistance (OTDA) and the Office of Children and Family Services (OCFS) for the administration of claims submitted by the local districts that administer the following federal programs as subrecipients of the State of New York (the State): • Temporary Assistance for Needy Families • Social Services Block Grant • CCDF Cluster • Adoption Assistance ITS management of ACS includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the general information technology controls over ACS: 1) For 9 out of 13 instances related to de-provisioning of access for terminated employees to the ACS application, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. In 7 of the 9 instances, the terminated employee had ‘inquiry only’ access. Upon audit inquiry, we obtained system documentation for the 9 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. Furthermore, we conducted testing over provisioning access to the application and privileged access, including migrator and developer access, for the ACS system, and noted those users did not access the system after termination. We determined that none of these users were part of the migrator groups or developer groups or admin users. 2) Users with access rights allowing them to provision access to the ACS application were reviewing their own access as part of the periodic user access review control. As a result, we verified that all reviewers were active and appeared to be appropriate per job title/responsibility. We also verified the system configuration for the user access review and determined that it is configured to automatically revoke access after one year without access and is operating as designed. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The control was designed such that individuals with access rights that allow them to perform provisioning activities were responsible for reviewing their own access as part of the periodic user access review control. Possible Asserted Effect Failure to have a reliable general information technology environment over logical access may result in unauthorized changes being made to ACS, which may result in erroneous reliance on the operating effectiveness of automated information technology control over subrecipient payments allowability. Failure to have effective internal controls over subrecipient payments allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable  Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure either management personnel at the State agencies/entities are notifying their respective IT departments or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination from the State; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management restrict individuals with access rights that allow them to perform provisioning activities from reviewing their own access rights. Lastly, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) CCDF Cluster (93.575 and 93.596) Adoption Assistance (93.659) Social Services Block Grant (93.667) Federal Award Numbers: 1701NYTANF, 1801NYTANF, 1901NYTANF, 2001NYTANF, 2101NYTANF, 2101NYTANFC6, 2201NYTAN3, 2201NYTANF, 2301NYTAN3, 2301NYTANF 1701NYCCDF, 2001NYCCC3, 2001NYCCDD, 2001NYTANF, 2101NYCCC5, 2101NYCCDD, 2101NYCCDF, 2101NYCCDM, 2101NYCDC6, 2101NYCSC6, 2101NYTANF, 2201NYCCDD, 2201NYTANF 1801NYADPT, 1901NYADPT, 2001NYADPT, 2101NYADPT, 2201NYADPT, 2301NYADPT 2101NYSOSR, 2101NYTANF, 2201NYSOSR, 2201NYTANF Federal Award Years: 2017, 2018, 2019, 2020, 2021, 2022, and 2023 State Agency: Office of Temporary and Disability Assistance Office of Children and Family Services Reference: 2023-013 Criteria Internal controls Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition New York State Information Technology Services (ITS) manages the IT environment for the Automated Claiming System (ACS). IT application controls for ACS are relied upon by Office of Temporary and Disability Assistance (OTDA) and the Office of Children and Family Services (OCFS) for the administration of claims submitted by the local districts that administer the following federal programs as subrecipients of the State of New York (the State): • Temporary Assistance for Needy Families • Social Services Block Grant • CCDF Cluster • Adoption Assistance ITS management of ACS includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the general information technology controls over ACS: 1) For 9 out of 13 instances related to de-provisioning of access for terminated employees to the ACS application, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. In 7 of the 9 instances, the terminated employee had ‘inquiry only’ access. Upon audit inquiry, we obtained system documentation for the 9 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. Furthermore, we conducted testing over provisioning access to the application and privileged access, including migrator and developer access, for the ACS system, and noted those users did not access the system after termination. We determined that none of these users were part of the migrator groups or developer groups or admin users. 2) Users with access rights allowing them to provision access to the ACS application were reviewing their own access as part of the periodic user access review control. As a result, we verified that all reviewers were active and appeared to be appropriate per job title/responsibility. We also verified the system configuration for the user access review and determined that it is configured to automatically revoke access after one year without access and is operating as designed. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The control was designed such that individuals with access rights that allow them to perform provisioning activities were responsible for reviewing their own access as part of the periodic user access review control. Possible Asserted Effect Failure to have a reliable general information technology environment over logical access may result in unauthorized changes being made to ACS, which may result in erroneous reliance on the operating effectiveness of automated information technology control over subrecipient payments allowability. Failure to have effective internal controls over subrecipient payments allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable  Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure either management personnel at the State agencies/entities are notifying their respective IT departments or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination from the State; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management restrict individuals with access rights that allow them to perform provisioning activities from reviewing their own access rights. Lastly, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Health and Human Services Federal Program: Temporary Assistance for Needy Families (93.558) CCDF Cluster (93.575 and 93.596) Adoption Assistance (93.659) Social Services Block Grant (93.667) Federal Award Numbers: 1701NYTANF, 1801NYTANF, 1901NYTANF, 2001NYTANF, 2101NYTANF, 2101NYTANFC6, 2201NYTAN3, 2201NYTANF, 2301NYTAN3, 2301NYTANF 1701NYCCDF, 2001NYCCC3, 2001NYCCDD, 2001NYTANF, 2101NYCCC5, 2101NYCCDD, 2101NYCCDF, 2101NYCCDM, 2101NYCDC6, 2101NYCSC6, 2101NYTANF, 2201NYCCDD, 2201NYTANF 1801NYADPT, 1901NYADPT, 2001NYADPT, 2101NYADPT, 2201NYADPT, 2301NYADPT 2101NYSOSR, 2101NYTANF, 2201NYSOSR, 2201NYTANF Federal Award Years: 2017, 2018, 2019, 2020, 2021, 2022, and 2023 State Agency: Office of Temporary and Disability Assistance Office of Children and Family Services Reference: 2023-013 Criteria Internal controls Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition New York State Information Technology Services (ITS) manages the IT environment for the Automated Claiming System (ACS). IT application controls for ACS are relied upon by Office of Temporary and Disability Assistance (OTDA) and the Office of Children and Family Services (OCFS) for the administration of claims submitted by the local districts that administer the following federal programs as subrecipients of the State of New York (the State): • Temporary Assistance for Needy Families • Social Services Block Grant • CCDF Cluster • Adoption Assistance ITS management of ACS includes maintaining the network, database, and operating system layers of the information technology control environment. During our testwork, we noted the following deficiencies in the implementation of the general information technology controls over ACS: 1) For 9 out of 13 instances related to de-provisioning of access for terminated employees to the ACS application, user access rights were disabled more than 5 days after the user ended employment with the State or otherwise did not need access to the specified system. In 7 of the 9 instances, the terminated employee had ‘inquiry only’ access. Upon audit inquiry, we obtained system documentation for the 9 users identified as exceptions indicating the related users did not logon to the app or the network past their termination date. Furthermore, we conducted testing over provisioning access to the application and privileged access, including migrator and developer access, for the ACS system, and noted those users did not access the system after termination. We determined that none of these users were part of the migrator groups or developer groups or admin users. 2) Users with access rights allowing them to provision access to the ACS application were reviewing their own access as part of the periodic user access review control. As a result, we verified that all reviewers were active and appeared to be appropriate per job title/responsibility. We also verified the system configuration for the user access review and determined that it is configured to automatically revoke access after one year without access and is operating as designed. Cause The conditions above related to the following: 1) The exception occurred due to human oversight during the execution of the de-provisioning process. 2) The control was designed such that individuals with access rights that allow them to perform provisioning activities were responsible for reviewing their own access as part of the periodic user access review control. Possible Asserted Effect Failure to have a reliable general information technology environment over logical access may result in unauthorized changes being made to ACS, which may result in erroneous reliance on the operating effectiveness of automated information technology control over subrecipient payments allowability. Failure to have effective internal controls over subrecipient payments allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs Not applicable  Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend that management strengthen controls or add monitoring controls to ensure either management personnel at the State agencies/entities are notifying their respective IT departments or ITS, as applicable, in a timely manner when a user of a system or application no longer requires access, whether due to changes in job responsibilities or termination from the State; or such notifications are timely executed. We also recommend that management implement additional monitoring controls to evaluate a complete population of terminated users against system user listings to ensure access is removed for terminated users, including performance of an impact assessment for instances where it is determined that access rights were not removed in a timely manner for terminated employees. Additionally, we recommend that management restrict individuals with access rights that allow them to perform provisioning activities from reviewing their own access rights. Lastly, we recommend that management review and emphasize the logical access policies and procedures with key personnel responsible for the timely communication/documentation of reviewing and de-provisioning of users to the IT department during the user access review.

Federal Agency: United States Department of Health and Human Services Federal Program: Block Grants for Prevention and Treatment of Substance Abuse (93.959) Federal Award Numbers: 21B1NYSAPT, 21B1NYSAPTC5, 21B1NYSAPTC6, 21B3NYSAPTC6, 22B1NYSAPT Federal Award Years: 2021 and 2022 State Agency: Office of Addiction Services and Support Reference: 2023-018 Criteria Special Reporting for Federal Funding Accountability and Transparency Act Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards for HHS Awards, section 75.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 45 CFR 75.2 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Internal controls Lastly, 45 CFR 75.303(a) states the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Office of Addition Services and Support (OASAS) did not report awards granted to subrecipients for the Block Grants for Prevention and Treatment of Substance Abuse program for the period April 2022 through March 2023 as required by FFATA. FFATA requires the State to report certain identifying information related to awards made to subrecipients in amounts greater than or equal to $30,000. Of the information to be reported, the following key data elements are required to be audited: 1. Subawardee name 2. Subawardee DUNS number 3. Amount of subaward 4. Subaward obligation/action date 5. Date of report submission 6. Subaward number 7. Subaward project description 8. Subawardee names and compensation of highly compensated officers During our testwork, we noted OASAS did not establish control procedures to submit FFATA reports for all subawards. We noted the following exceptions: Cause The condition found was due to staffing changes and constraints brought on by COVID-19, this requirement was not appropriately considered and FFATA reporting was not completed during the fiscal year.  Possible Asserted Effect Failure to submit all subawards passed-through to subrecipients and subcontractors under subawards as defined by 45 CFR 75.2 in OASAS’s FFATA reporting could result in OASAS reporting inaccurate and incomplete amounts to the federal government. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend OASAS review and enhance its policies, procedures, and internal controls to ensure that all amounts passed-through to subrecipients and subcontractors under subawards as defined in 45 CFR 75.2 are reported in accordance with the FFATA federal regulations.

Federal Agency: United States Department of Health and Human Services Federal Program: Block Grants for Prevention and Treatment of Substance Abuse (93.959) Federal Award Numbers: 21B1NYSAPT, 21B1NYSAPTC5, 21B1NYSAPTC6, 21B3NYSAPTC6, 22B1NYSAPT Federal Award Years: 2021 and 2022 State Agency: Office of Addiction Services and Support Reference: 2023-019 Criteria Subrecipient monitoring Title 45 Code of Federal Regulations Part 75, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards (45 CFR 75), section 352(b) states all pass-through entities must evaluate each subrecipient's risk of noncompliance with Federal Statues, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring as described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with subpart F, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of HHS awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a HHS awarding agency). Internal controls Further, 45 CFR 75.303 (a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal Entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition During our testwork, we noted the Office of Addiction Services and Support (OASAS) had developed and implemented a risk assessment process to help identify entities with higher risks that required additional monitoring procedures. Initially the risk assessment process begins with the programmatic input and is provided to the Fiscal Audit and Review Unit (FARU) to provide additional risk assessment factors. However, the agency was unable to provide documentation to support the additional risk factors considered by FARU. The documentation provided indicated that entities determined to be higher risk did not align with the entities selected and for which additional monitoring procedures were performed. Cause The condition found was because the agency was not able to provide documentation to support the additional risk factors considered by FARU that determined the higher risk entities reviewed for the fiscal year. Possible Asserted Effect Failure to properly document all program and fiscal risk factors considered in identifying higher risk subrecipients may result in inadequate incremental monitoring procedures being performed and subrecipients not being in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Questioned Costs None Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Recommendation We recommend the Office continue to enhance its subrecipient monitoring policies, procedures and internal control to help ensure the Office is monitoring subrecipients in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e). Such monitoring activities should be performed and documented to show all considerations made when determining which subrecipients would be subject to additional monitoring procedures.