Corrective Action Plans

Browse how organizations respond to audit findings

Total CAPs
56,232
In database
Student Financial Assistance Cluster – Assistance Listing No. Various Recommendation: We recommend the University review their reporting procedures to ensure that students’ statuses are accurately and timely reported to the National Student Loan Data System (NSLDS) within the appropriate timeframe as required by regulations. University of Maine Condition: During our testing of 40 students, we noted that seven of the 17 University of Maine (UM) students tested had changes in enrollment status that were not reported in a timely manner. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: The University will update its protocols for post-term reporting to the National Student Clearinghouse (NSC) each academic term to ensure students who have applied for graduation, and are pending final eligibility review, are assigned a withdrawn status until such time their degree(s) are conferred or they are reported as enrolled in a future term. Guidance received from the NSC School Operations team has been forwarded to UMS:IT, and steps to identify (or develop) and deploy the necessary reports are underway. The first round of updated reporting protocols are planned to take place in May 2024, for Spring 2024 graduation applicants. Name(s) of the contact person(s) responsible for corrective action: W. Sam Carrell, Registrar for the University of Maine Connie Smith, Director of Financial Aid for the University of Maine Planned completion date for corrective action plan: May 2024
Hugo Schools will communicate to and require that construction contracts provide proof of compliance such as payroll documents or other certifying records. Hugo schools administration will ensure that construction companies under contract will abide by all rules mandated by the Davis Bacon Act
Audit Finding Reference: 2023-001 Improve Controls Over Reporting Planned Corrective Action: 1. Request a list from DHHS of definitions of income types by program in the Quarterly Reports. Ensure that this list provides clarity on how to report income that is not explicitly tied to a single program. 2. Review AFY23 and AFY24-to-date reports against these criteria (once received), and re-submit any reports which may need to be modified to comply with the guidance. 3. Going forward, the Quarterly Reports will be generated differently. The Client Services Manager will prepare actuals by program for number of clients and units. The Director of Administration will prepare actuals by program for income and expense. The Executive Director will compile the final report, which will not be submitted until both the Client Services Manager and Director of Administration have both checked the reports and electronically signed them. In the absence of specific guidance from DHHS to the contrary, any non-program-specific income will be allocated to programs by share of service units delivered. Planned Implementation Date of Corrective Action: 1. 3/29/24. 2. 6/30/24. 3. 4/15/24. Person Responsible for Corrective Action: Tim Diaz, Executive Director
Please find below the corrective action plans for Klamath Falls City School’s audit for the period ending June 30, 2023. Finding: Excess indirect costs of $70,531 were requested and received. Department’s Response: Cause: The excess was primarily due to a period of transition of business staff. This created a duplicated claim for 2 quarters for a majority of the amount identified. After the transition of department personnel, the corrective action to assure that this issue does not happen again is to submit claims monthly and claim indirect costs at that time. At the end of each quarter review each account and reconcile expenses to claimed indirect costs to assure we are 100% in compliance. Name of Responsible Person: Charity Roach, Business Manager Name of Department Contact: Charity Roach, Business Manager Projected Implementation Date: Implemented
View Audit 298650 Questioned Costs: $1
DEPARTMENT OF HEALTH AND HUMAN SERVICES 2023-002 Head Start Program – Assistance Listing Number 93.600 Recommendation: We recommend procedures be implemented to file all required reports timely. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: Program management has begun the process of strengthening procedures to timelier file all reports. Name(s) of the contact person(s) responsible for corrective action: Program management. Planned completion date for corrective action plan: As soon as possible.
The security deposit has been refunded and management is currently reviewing internal controls over security deposit refunds to ensure all deposits are returned timely.
Action taken in response to finding: Fiscal Affairs will review reporting requirements for any funding received; communicate such requirements to the appropriate parties within the University; and coordinate with Office of Research & Sponsored Programs to ensure that the reporting requirement is met.
The quarterly reports mentioned in the findings were prepared and submitted to the Puerto Rico Housing Department for review and evaluation.
2023-001 - Accuracy of Reporting to the PRF Portal: U.S. Department of Health and Human Services, COVID-19: Provider Relief Fund and American Rescue Plan ("ARP") Rural Distribution: Assistance Listing Number 93.498 - Reporting Recommendation We recommend that the Organization strengthen its system of internal controls to ensure that all reporting that is done and submitted is consistent with requirements and instructions as provided by regulatory agencies. Action Taken Morris Heights Health Center is in the process of updating its Financial Policy & Procedures to strengthen its system of internal controls by including language that requires adequate review of the requirements and instructions of all regulatory reports. The policy also requires the review & sign-off of all regulatory reports by the Controller/CFO prior to any submission. We expect this to be corrected by April 30th, 2024.
We recommend that steps are taken, including oversight by a second employee, to ensure that all quarterly expenditure reports are filed by the due dates. Management will take the necessary steps to file all quarterly expenditure reports on time in the future.
FINDING 2023-002 Finding Subject: Child Nutrition Cluster – Internal Controls Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program Assistance Listing Numbers: 10.553, 10.555 Federal Award Number: 7350 Pass-Through Entity: Indiana Department of Education Compliance Requirements: Activities Allowed and Unallowed, Allowable Costs/Costs Principles, Special Tests and Provisions-Verification of Free and Reduced Price Applications Summary of Finding: Material Weakness Internal Controls were not implemented to prevent noncompliance related to the verification of free and reduced applications and hours and wages. A new internal control procedure will be implemented for the second review of the free and reduced applications and for the hours and wages. Repeat Finding: Prior audit finding number was 2021-002. Contact Person Responsible for Corrective Action: Tammy Achenbach Contact Information: Phone: 317-835-7461 Email: tachenbach@nwshelbyschools.org Views of Responsible Officials: Management agrees with the finding. Management will ensure proper documented review of amounts billed for personnel and for the free and reduce verification. First ~ Best ~ Different! Northwestern Consolidated School District of Shelby County 4920 W. 600 N Fairland, IN 46126 Phone: 317-835-7461 Fax: 317-835-4441 www.nwshelbyschools.org Superintendent Mr. Chris Hoke Business Manager Mrs. Tammy Achenbach Technology Director Mr. Josh Landis Maintenance Director Mr. Terry Coons Transportation Director Mrs. Susie Childress Special Education Director Mrs. Terri Branson School Board Mr. David Ploog Mrs. Brooke Lockett Mrs. Cressa Rund Mr. Ken Polston Mr. Terry Morgan Mr. Travis Hensler Mrs. Karen Humphreys
Description of Corrective Action Plan: Review for personnel charges: During the monthly meeting to review the FSMC invoice, along with Operations Ledger, Client P&L, Monthly Reimbursements, Invoices, USDA Reconciliation, Direct Certification, The Hours and Wages will be reviewed and approved. Free and Reduced Verification: Internal Controls for the first round of Free and Reduce Applications will be verified by the Data Controller or the Business Manager and the verification of the random testing of the verifications will be done by the Business Manager or the Deputy Treasurer. Anticipated Completion Date: The district will start the new internal control procedure March 2024 to correct for the 23-24 school year.
The School Superintendent will review all projects funded by Federal funds to determine if any projects are considered construction projects. The Superintendent will require all such contracts to include prevailing wage clauses to ensure that federal wage rates and fringe benefits, are met, as required by the Davis-Bacon Act. The Superintendent will review weekly payroll reports provided by the contractor to ensure adherence to the contract clauses. The Superintendent will survey the job site weekly to ensure that required work site notices are posted.
Name Connie Joseph Title Controller Phone (662) 562-3292 Email cjoseph@northwestms.edu Finding 2023-001: U.S. Department of Education-Student Financial Assistance Management is in the process of developing a written information security program. Anticipated Completion Date: Prior to June 30, 2024
Finding 386101 (2023-002)
Significant Deficiency 2023
Corrective Action Plan: The Organization will strengthen procedures to ensure discounts for sliding fee are applied consistently and accurately. Immediately, the Organization will conduct monthly application audits. An audit of 25 sliding fee application forms completed in the month prior will be examined for accuracy, along with their supporting data. All information from these applications will be cross‐verified in NextGen. The results from the sliding fee monthly audits will be monitored and reported quarterly at the Quality Assurance and Quality Improvement meetings. This has continued to occur monthly. We will be implementing a workflow adjustment stating all Slide applications will be noted in the system with a 30-day expire date. This will ensure the staff will be able to notify the patient they would need to begin the process over and present the supporting documentation. Once the documentation is received the timeframe will extend to the one year. Furthermore, the Organization will continue the practice of conducting skills assessments at the start of the year and once more in July. These assessments are crucial as they help pinpoint staff members who might benefit from refresher training. Moreover, a meeting has been scheduled to finalize the days and times for virtual sliding fee application training. This training, aimed at all staff who handle a sliding fee form, will be spread out over four weeks, with one session per week lasting an hour. Additionally, the Organization will introduce a sliding fee training video to the new employee orientation. After completing their NextGen training, staff will receive this training video via email. Furthermore, this video will also be sent to all health center leadership to be utilized at the health center level. Estimated completion date: September 30, 2024 Contact person: Shannon Potter, Deputy Chief of Business Service
Finding 386100 (2023-005)
Significant Deficiency 2023
Rosita Timmons, Deputy Administrator, is currently working with the Project Officer, Jennifer Gray, to gain a better understanding of the finding and the changes necessary to comply with the site visit report. In previous conversations with Melody Berry, former project officer, during 2023, the changes were considered acceptable. The department was moving forward with the plan to update duties. After discussing the logistics of adding Non-Medical Case Management, it was determined by the Planning Council Evaluation and Assessment Committee which consists of sub-recipients and clients that it is not feasible to add Non-Medical Case Management because it would create a barrier for the clients due to having to see multiple staff and make multiple appointments, which is something the clients and provider agreed would cause a barrier. The Evaluation Committee agreed that EIS workers could take some of those Non-Medical Case Management duties from the medical case managers which will give them more time to focus on the clients' healthcare outcomes. Final approval and acceptance of the corrective action taken is still pending. Upon final approval from the HRSA, this finding will be considered addressed and closed.
Finding 386097 (2023-001)
Significant Deficiency 2023
The City of Portsmouth, New Hampshire respectfully submits the following corrective action plan for the year ended June 30, 2023. Audit period: July 1, 2022 – June 30, 2023 The finding from the schedule of findings and questioned costs is discussed below. The finding is numbered consistently with the number assigned in the schedule. FINDING—FEDERAL AWARD PROGRAMS AUDITS DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT 2023-001 Community Development Block Grant - Assistance Listing Number 14.218 Recommendation: We recommend the City enhance internal controls and procedures to comply with all FFATA reporting requirements. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: Some FFATA reports were not entered timely into FSRS in FY 23. This was due to an incomplete understanding about the requirement as well as no FFATA reporting requests by the federal granting agency (HUD) to the City. All required FFATA reports were entered into the FSRS after the deadlines, and City staff responsible for FFATA reporting have completed additional training on the requirements. We do not anticipate untimely reports to the FSRS in the future. Name(s) of the contact person(s) responsible for corrective action: Elise Annunziata, Community Development Director Planned completion date for corrective action plan: All required FFATA reports were already entered into the FSRS, and City staff responsible for FFATA reporting have completed additional training on the requirements. We do not anticipate untimely reports to the FSRS in the future.
As an internal control, the accountant in charge of the program will keep monthly reports of the expenditures to expedite the collection of information and submit timely and complete reports. The documentation of the reports will be physically filed and digitally saved in the accounting files. Implementation Date: Fiscal Year 2023-2024 Responsible Person: Mr. Ángel L. Reyes Matos, Finance Director
Corrective Action Plan: Sacred Heart Village II Inc. will contact its HUD representative to discuss this matter and determine if there is an obligation to repay any previous subsidies received. Contact Person Responsible for Corrective Action: Karen Smith, CFO Anticipated Completion Date of Corrective Action: Immediately
Internal control procedures will be strengthened between Financial Aid, the Registrar’s Office, and the Bursar’s Office.
View Audit 298459 Questioned Costs: $1
During the year-end audit testing phase, the Financial Aid office was notified in August 2023 of the deficiencies noted on this finding. The Financial Aid office immediately took action to implement the recommendations in August 2023. The District established effective controls in August 2023 to ensure the return of funds occurs within 45 days from the date the institution determines the student withdrew from all classes and that the withdrawal determination is performed within the required timeframe. Additionally, the District implemented procedures in August 2023 to ensure that the academic calendar loaded in the financial aid software is accurate and based on the most up to date information. The District implemented procedures in August 2023 to ensure that the correct student status is utilized in the calculation of Return to Title IV.
CORRECTIVE ACTION PLAN Oversight Agency for Audit: U.S. Department of Elementary and Secondary Education The Town of Wakefield, Massachusetts respectfully submits the following corrective action plan for the year ended June 30, 2023. Name and address of independent public accounting firm: Powers & Sullivan, LLC 100 Quannapowitt Parkway, Suite 101 Wakefield, MA 01880 Audit period: July 1, 2022 through June 30, 2023 The finding from the June 30, 2023, schedule of findings and questioned costs is discussed below. The finding is numbered consistently with the number assigned in the schedule. FINDINGS—FEDERAL AWARD PROGRAMS AUDITS U.S. DEPARTMENT OF TREASURY COVID-19 - Coronavirus State and Local Fiscal Recovery Funds Federal Assistance Listing Number 21.027 2023-001: Reporting to the Federal Government Compliance Requirement: Reporting Type of Finding: Compliance and Internal Control over Compliance – Other Matter Criteria or Specific Requirement: Grantees must comply with reporting requirements established by the U.S. Treasury that includes reporting the total grant expenditures incurred for the reporting period. Since the Town is a Non-Entitlement Unit that was allocated less than $10.0 million in funding, the Town is required to submit, to the U.S. Department of Treasury, a project and expenditure report by April 30, 2022, and annually thereafter. Condition: The Town submitted the annual project and expenditure report timely, however the expenditures reported as of June 30, 2023, did not reconcile with the Town’s accounting ledger. Questioned Costs: None Reported. Context: The Town filed the required project and expenditure report in a timely manner; however the current period expenditures and cumulative expenditures were overstated by $7,215,950 and $6,453,661, respectively. The discrepancies were due to a misunderstanding about how expenditures should be recognized on the project and expenditure report. 
Effect: The expenditures reported on the Town’s project and expenditure report did not match the accounting ledger. Cause: The Town reported the total allotment of Coronavirus State and Local Fiscal Recovery Funds as expended and obligated on the project and expenditure report, instead of the expenditures incurred and obligated as of March 31, 2023. Recommendation: Management should implement procedures to ensure that current period and cumulative expenditures reported on the project and expenditure report are recorded in the corresponding period that they are reported on the Town’s general ledger. The Town should amend the previous submission so that the correct expenditures are reported. Views of Responsible Officials and Planned Corrective Actions: Management made a good faith effort to submit its reporting to the U.S. Treasury on a timely basis. This was a misunderstanding regarding how the expenditures should be recognized on the project and expenditure report. Management plans to amend the previous submission and to implement procedures to properly report expenditures going forward.
Finding 386079 (2023-004)
Material Weakness 2023
We have reviewed procedures and plan to make improvements to internal control.
2023-002 - Insufficient Collateral Corrective Action Planned: The Authority will closely monitor all deposits to make sure that the amount of funds on deposit are protected by federal deposit insurance, corporate surety bond, or collateral. Completion Date: June 30, 2024
Corrective Action Planned: Due to the Authority's size, it is cost-prohibitive and impractical to achieve the ideal level of segregation of duties. The Authority has implemented as many controls and segregation of duties as practically possible for an organization of this size. Completion Date: Ongoing
Finding 386058 (2023-002)
Significant Deficiency 2023
Finding 2023-002 Sept. 27, 2023 Criteria: The College is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including a written information security program policy that addresses the six required minimum safeguard elements identified within 16 Code of Federal Regulations (CFR) 314.4 (b). Statement of Condition: A formal written policy was not completed and documented in fiscal 2023 which would have addressed the required written policy noted in 16 CFR 314.4 (b). Corrective Action Plan: • The College agrees and concurs with the audit finding. • The College is working with a cybersecurity partner, OculusIT (OculusIT.com) to assist us with GLBA compliance and cybersecurity hardening of the college’s IT infrastructure. OculusIT will assist us in preparing the required documentation that addresses risk assessment of all three areas noted in the finding. Many elements of GLBA compliance have already been put in place as elaborated below. • Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). Vince Vargiya is the College’s designated qualified individual. • Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). 
OculusIT will undertake a GLBA risk assessment covering the following areas of the College: o Senior Management o IT Security o Admissions o Registrar Office o Financial Aid Office o HR and Payroll o Student Financial Services o Library Work on completing pre-audit questionnaires for each area is in progress. • Regarding a written information security policy that addresses the minimum safeguard requirements, see below. • Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: o Implement and periodically review access controls. We regularly review access controls to systems containing financial data. Our formal policy will document this. o Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. We maintain a server inventory, noting which sites contain financial information. Our formal policy will document this. o Encrypt customer information on the institution’s system and when it’s in transit. Our server data is encrypted using standard SQL TDE encryption. All data transmitted to off campus partners uses the sftp protocol. Our formal policy will document this. o Assess apps developed by the institution. The College’s enterprise apps are commercially sourced, updated using vendor supplied processes per annual support contracts, and not developed in-house. Our formal policy will document this. o Implement multi-factor authentication for anyone accessing customer information on the institution’s system. All users who access Jenzabar (SIS, Financials), PowerFaids (Financial Aid) must use DUO MFA. 
RaisersEdge (Advancement/Donor Management) employs text or email MFA. All email accounts are secured with google 2 step authentication. Our formal policy will document this. o Dispose of customer information securely. When server hardware is decommissioned, the data drives are physically smashed. When leased endpoint systems are returned to the leasing company, their hard drives are wiped using standard software. Our formal policy will document this. o Anticipate and evaluate changes to the information system or network. We meet regularly with OculusIT to discuss changes to the network. Our endpoints are monitored for malware via a managed detection and response system. Our servers and network switches are monitored 24/7 by the Oculus SOC, and unusual events are flagged and presented to us for analysis. Our formal policy will document this. o Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. We have implemented a SIEM server which monitors server and network access and activity and is monitored by the OculusIT SOC. Our formal policy will document this. • Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). We have implemented a SIEM server which monitors server and network access and activity and is monitored by the OculusIT SOC. We receive weekly reports on any server vulnerabilities. We actively work to remediate identified vulnerabilities. We have implemented annual penetration testing, and have completed testing for 2023. We have remediated identified penetration issues. Our formal policy will document this. • Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). We require semi annual security awareness training and monthly phishing testing through KnowBe4. Our formal policy will document this. 
• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). We require providers to submit SOC1 or HECVAT documentation. Our formal policy will document this. • Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). We work with OculusIT to follow up on results of testing and risk assessments. For example, we rescan our network to follow up on the results of pen testing. We meet with the Oculus SOC team to discuss server vulnerabilities uncovered on a monthly basis. Our formal policy will document this process. Names of Contact Persons Responsible for Corrective Action Plan: Gary Rodman (Senior Director of Information Technology), rodmang@ripon.edu, 920-748-8343 Vince Vargiya (Vice President Information Security | CISO, OculusIT) vince_varigiya@oculusit.com 844-462-8587 ext. 193 Anticipated Completion Date: Implementation of this plan began in March 2023, focusing on infrastructure hardening. Formal written policies will be put in place no later than June 30, 2024.