Corrective Action Plans

Finding 2022-001Federal Program InformationFederal Agency: United States Department of EducationAssistance Listing Nos.: 84.063 and 84.268, Student Financial Assistance ClusterAward Periods: July 1, 2021 through June 30, 2022, and July 1, 2022 through June 30, 2023Corrective Action PlannedMayo Clinic Information Technology will work with the Student Financial Aid office to review the risk rating of the Banner application. A complete user access review based on job roles will be completed for 2023. To improve the speed and accuracy of the completion of these requests, we will be working with the Identity Management Platform team to add the Banner application into SailPoint for access management and review.Persons Responsible for Corrective ActionAlec Haws, ETC Education Application Analyst Raj Sanwal, Lead IT Analyst/ProgrammerTarget Completion DateOctober 31, 2023

Subawards for SAPT Not Included in FFATA ReportsState Agency: Department of Health and Human ServicesFederal Program: Substance Abuse and Prevention ProgramThe Department concurs with this recommendation. We agree to properly report the subaward information beginning with SFY23.Anticipated Correction Date: November 30, 2022Contact Person: Mark Meier, Financial Manager II, markmeier@utah.gov, and Kyle Larsen, Administrative Services Director, kblarson@utah.gov

Foster Care Eligibility Controls Not Completed in a Timely MannerState Agency: Department of Health and Human ServicesFederal Program: Foster Care Title IV-EThe Department concurs with this recommendation. The agency is in the process of building an integrated eligibility team and will increase its capacity by having three team leads and one support coordinator III to support the eligibility review process.Anticipated Correction Date: June 30, 2023Contact Person: Tracy Wiggill, Eligibility Program Manager, twiggill@utah.gov

Sufficiently-Detailed PIC Meeting Minutes Not MaintainedState Agency: Department of Health and Human ServicesFederal Program: Medicaid ClusterThe Department concurs with this recommendation. The MOU between OIG and DIH/Medicaid and the PIC bylaws define that meeting minutes will be taken with each PIC Committee. These meeting minutes will be reviewed at the following PIC Committee meeting and voted on for approval.PIC bylaws specifically state:?To keep written minutes of all Committee meetings, with assistance of staff, including:? Date, time, and place of meeting;? Names of members present, absent, and excused;? Substance of all matters proposed, discussed or decided and a record of votes taken;? Names of all other individuals who appeared and the substance in brief of their testimony;? Any other information that any member requests to be entered in the minutes.?Anticipated Correction Date: June 31, 2023Contact Person: Jennifer Strohecker, Director Division of Integrated Healthcare, jstrohecker@utah.gov

Medical Loss Ratio Report Lacked Two Required ElementsState Agency: Department of Health and Human ServicesFederal Program: Medicaid ClusterThe Department concurs with this recommendation. The Department will ensure that all required elements of the MLR are received by having DHHS staff review elements of the MLR to ensure they are complete.Anticipated Correction Date: January 31, 2023Contact Person: Gregory Trollan, Director, Office of Managed Health Care, gtrollan@utah.gov

Use of Appropriate National Correct Coding Initiative (NCCI) Edit Files Not VerifiedState Agency: Department of Health and Human ServicesFederal Program: Medicaid ClusterThe Department concurs with this recommendation. The Division successfully created and tested a comparison file. The division will continue to work to resolve audit concerns. Implementation in production is set for November 2022.Anticipated Correction Date: November 30, 2022Contact Person: Shandi Adamson, Director, Office of Medicaid Operations, shandiadamson@utah.gov

Federal Funds Received Were Not Disbursed or Refunded Within Required TimeframeState Agency: Utah State UniversityFederal Program: Student Financial Assistance ClusterUtah State University will change its process for requesting federal funds in advance. The Controller?s Office will down less than the full amount of the estimated financial aid disbursement amounts to be issued to students, as calculated by the University?s Financial Aid Office at the first of each semester.The Controller's Office personnel will then review federal financial aid disbursements within three days of receiving the advance draw in order to return any undisbursed funds to the Department of Education within the required timeframe. Federal financial aid funds will then be drawn down on an on-going basis as additional federal financial aid funds are disbursed to students during the semester.Contact Person: Jennifer Jenkins, Manager of Sponsored Programs Accounting, 435-797-1077Completion date: October 31, 2022

Underlying Accounting Data Does Not Support Coronavirus Relief Fund Quarterly ReportsState Agency: Governor?s Office of Planning and BudgetFederal Program: Coronavirus Relief FundGOPB will continue to review its master CRF expenditure file and reconcile all reported CRF expenditures to FINET transactions. The reconciliation will account for original expenditure transactions, CRF expenditures that are booked when agencies are reimbursed for eligible transactions, and FEMA reimbursements for expenditures charged to the CRF.Contact Person: Duncan Evans, Senior Managing Director of Budget and Operations, 801-538-1592Anticipated Correction Date: April 10, 2023

Program: HOME Investment Partnership Program (HOME)Finding: 2022-001Contact Person: April ApodacaFinancial Services OfficerDevelopment Services DepartmentPhone: (562) 570-6611Email: april.apodaca@longbeach.govPlanned Actions:The Development Services Department (Department) will securely file all HOME monitoring documents and ensure it is accessible to multiple staff. As of June 27, 2023, thirteen of the fifteen non-compliant samples have been secured and communication has been sent to retrieve the remaining two from the developers. The final two samples are due on July 21, 2023, and we fully expect to show compliance documentation by that date. If the documents are not received by the due date, the Department will continue to communicate with the developers by telephone, mail, and email to provide second and third notices. If no response is submitted by the third notice (August 7, 2023) the Department will escalate the matter to the City Attorney?s Office to formally begin taking action for non-compliance

2022-005 COVID-19-Coronavirus State and Local Fiscal Recovery Funds ? Assistance Listing No. 21.027Recommendation: We recommend that management review their policies and procedures to ensure that all monthly and quarterly reports are submitted timely, and the supporting documentation used to prepare the reports are retained for audit purposes.Explanation of disagreement with audit finding: There is no disagreement with the audit finding.Action taken in response to finding: The Office of Budget and Finance in conjunction with the Executive?s office of Government Reform and Strategic Initiative have partnered to establish best practice procedures surrounding the compilation, review and approval of the Coronavirus State and Local Fiscal Recovery Reporting to ensure reports are reviewed for accuracy, approved and submitted timely.Name(s) of the contact person(s) responsible for corrective action: Elisabeth Sachs and Rebecca LangPlanned completion date for corrective action plan: 4/1/2023

2022-004 COVID-19-Emergency Rental Assistance ? Assistance Listing No. 21.023Recommendation: We recommend that management review their policies and procedures to ensure that all monthly and quarterly reports showing timely submission and the supporting documentation used to prepare the reports are retained for audit purposes.Explanation of disagreement with audit finding: DHCD possesses and utilized supporting documentation to prepare the required reports. However, DHCD was provided 24 hours to submit this information while the primary contributing staff was on scheduled leave and unreachable. DHCD disagrees with the statement about monthly and quarterly reports not being submitted timely. All required reports were submitted on-time and in accordance with current Treasury guidance at the time of submission. DHCD cannot ascertain the veracity of this statement about lack of supporting documentation because it was not provided the data points the auditors used to make their determination. Fully reconciled final documentation of ERA1 Participant Household Data Report was given to the Auditors. However, this data would not have matched earlier submissions to Treasury. Treasury requested full revisions because their staff became aware of many structural reporting problems were experienced by recipients while completing the reporting actions. Entries timed out, sometimes disappeared, sometimes double counted, and the database had no ability to allow for corrections once identified. For this reason, Treasury?s final reporting requirements for closeout had the option for jurisdictions to disregard all prior entries and submit a reconciled version of the households assisted and all related expenditures. This final data report was provided in this audit yet it does not match the initial submissions for the reasons stated. Because the Auditors did not afford DHCD the time to review their ?findings?, DHCD cannot ascertain the level of agreement with the statement.Action taken in response to finding: Not applicable, see above.Name(s) of the contact person(s) responsible for corrective action: Colleen MahonyPlanned completion date for corrective action plan: Not applicable, see above.

Corrective Action Plan: The Executive Director and Senior Director of Finance will ? fully document process and procedures for completing the SEFA. Checklists to support significant completion of closing in January each year. Improvement put in place for 2022 did not completely address issues. Improve system usage in developing SEFA reports and if necessary, engage outside consultants.Anticipated Completion Date of Corrective Action Plan: Procedure update with be completed by Sep 2023.

2022-001- Claims Auditor ProcessCondition: During three months of the 2021 ? 2022 fiscal year, certain checks were issued and mailed before being approved through the claims audit process. It is noted that the claims audit process took place after the fact and it appears that the three way matching process was in place.Recommendation: We recommend the District identify, appoint and properly train an individual to perform the claims audit function in the absence of the primary claims auditor. We also recommend that the District retain supporting documentation of the claims auditor?s review date for each batch of disbursements and no disbursement be release without proper vetting through the required claims audit process.Action Taken: The district hired a retired accounts payable clerk (M. Button) to act as a backup claims auditor when our primary internal claims auditor is not available. All required training was provided.Implementation: September 15, 2022

FINDING 2022-005Contact Person Responsible for Corrective Action: Lynn Leininger, Business ManagerContact Phone Number: (260) 367-3677Whitko Community Schools concurs with the finding and will implement internal controls for all grantrequirements and reporting compliances of the Education Stabilization Funds. All reporting will be a jointeffort between the Business Manager preparing the reports with the assistance of the business officepersonnel. Supporting paperwork and calculations will be maintained to support all report informationsubmitted. Prior to submission of Education Stabilization Funds, all information will be reviewed andsigned by the Deputy Treasurer to insure reporting compliance.The completion date for this corrective action will be May1, 2023.INDIANA STATE

FINDING 2022-003Contact People Responsible for Corrective Action: Lynn Leininger, Business Manager and AllisonKellogg, Director of Special EducationContact Phone Number: (260) 367-3677Whitko Community Schools concurs with the finding and will implement a dual check system with theBusiness Manager and the Director of Special Education. All proportionate money earmarked fornonpublic school expenditures under the Special Education Cluster will be continually monitored from theapproval through the end of the grant to insure all compliance requirements are met.The completion date for this corrective action will be July 1, 2023.

FINDING 2022-003Contact Person Responsible for Corrective Action: Lisa Mullaney Clerk/TreasurerContact Phone Number: 574-892-5717 x222.Views of Responsible Official: I concur with the findings.Description of Corrective Action Plan:The Clerk-Treasurer will review all reports submitted by the 3rd party grant writer with documentation.Anticipated Completion Date: 09/30/2023

2022-008 N. Special Tests and ProvisionsEducation Stabilization Fund CFDA #84.425Material Weakness in Internal Control over Compliance and Material Instance of NoncomplianceFinding Summary: During the course of the engagement, it was identified that the School didnot satisfy the requirements of 2 CFR 656.40 through 2 CFR 656.41. The School did not ensure proper inclusion of prevailing wage rate clauses were included in a construction contract and also did not obtain proper support to ensure required certified payrolls were submitted.Corrective Action Plan: The School will review internal controls surrounding required contract language and documentation supporting certified payroll reports are obtained from contractor.Anticipated Completion Date: June 30, 2023

Finding 2022-005 ReportingThe Corporation management agreed with the finding. As of August 15, 2023, the Corporation will remove any individual submissions from the general submission and reconcile the general submission to the supporting documentation less these individual submissions. The Corporation does not expect to receive any further funding from the ARP or PRF and has no further reporting requirements under this grant.Responsible Personnel include Harley McCoige, Controller, Cortney Couture, Director of Accounting, and Samantha Pratt, Director of Internal audit.

Finding 2022-002 ? EligibilityA qualified opinion was issued for Assistance Listing 93.011 as the auditors noted that the Corporation expended the full balance of gift cards purchased during the fiscal year 2022 rather than the amount that was distributed to eligible participants. Participants are eligible to participate in the program and receive a gift card if they received a COVID-19 vaccine.Compliance with the eligibility requirements is the responsibility of Kimberly Green Reeves, Executive Director of Community Impact and the grant coordinator. As grants G32HS42634C6 and U3SHS45317C6 ended May 31, 2023, and July 31, 2023, respectively, no further correction action will be taken. However, effective August 15, 2023, if future programs are awarded Beacon Health System (the Corporation) will track the total gift cards purchased as a prepaid expense and expense the gift cards at the time they are distributed to eligible participants. The Corporation Finance will work with the grant administrator to obtain the total amount of gift cards purchased and have that recorded as a prepaid asset. Each month the Corporation Finance will work with the grant administrator to obtain a schedule showing the total amount of gift cards distributed, which will be used to record the appropriate expense each month.

Finding 2022-001 Scope Limitation ? EligibilityA scope limitation qualified opinion was issued for Assistance Listing 10.557 as the auditors were unable to obtain sufficient documentation supporting the compliance of the Corporation regarding eligibility. The Corporation uses a paperless system as supported by the State of Indiana and the U.S. Department of Agriculture. Third-party documentation is reviewed by the Corporation at the time the initial eligibility determination of a WIC participant is made. However, due to the paperless system implemented in 2007, these records are not retained. The Corporation?s process for eligibility determination is as follows:1. A (potential) participant comes into the WIC clinic2. A clerk verifies information (by looking and checking the appropriate boxes on the screen)a. Proof of identification (driver?s license, birth certificate, hospital birth record, etc.)b. Proof of residence (bill, lease, driver?s license, etc.)c. Proof of incomei. Working ? 30 days of pay stubsii. Medicaid ? card needed3. All of the above information is entered into the State of Indiana?s systema. System automatically determines eligibilityi. If yes ? they continue with appointmentii. If no ? they get a letter explaining reason why (over income, etc.)Compliance with State of Indiana participant eligibility requirements is the responsibility of Leslie Miller, WIC Coordinator. As the Corporation follows the State of Indiana?s paperless system as described above, no further corrective action will be taken.

To ensure the charging of indirect costs to federal programs are at the elected de minimis amount of 10% and in the correct fiscal period, the UWGC Chief Financial Officer or the UWGC Senior Director of Finance will perform a secondary review of the calculation prepared by the Finance Manager. The review will take place prior to the final completion of the report to ensure that Federal funds are reported in the correct time period as well.

Management will ensure that accrued expenses are reviewed in detail at grant year end to ensure only costs incurred prior to year end are accrued and reported as grant expenditures.

Finding Number: 2022-002Planned Corrective Action: Cleveland Play House had extensive turnover during the 2022 fiscal yearwhich resulted in several vacancies, including the Director of Finance position, for a significant portion ofthe year. As a result, many of the reports that are standard practice in our organization were not beingcompleted. In addition, the filing of certain documentation to support expenditures was not being doneconsistently. The Director of Finance position was filled in the fall of 2022. As a result, documentationof allowable expenditures is being addressed for the fiscal 2023 audit.In addition to turnover, the organization transitioned to a new general ledger system with a new chartof accounts in fiscal year 2022. As a result of this transition and the vacancies mentioned above, certaindata pertaining to the federal programs was not being captured. Management has informed all staff ofthe requirements to track federal programs within the general ledger accounts.Anticipated Completion Date: June 30, 2023Responsible Contact Person: Erica Tkachyk, Director of Finance

STUDENT FINANCIAL ASSISTANCE CLUSTER FINDINGSFINDING 2022-003 - Internal Control over Compliance (Repeat Finding 2021-003, 2020-001, 2019-002, 2018-003, 2017-002, 2015-002, 2014-008)ResponsesNSHE Overall response/context ?NSHE increased its dialogue amongst the three instances of the student information system throughout fiscalyear 2022. The results of this robust dialogue led to additional controls to reduce related IT risks, enhancedmonitoring of activities, and targeted periodic reviews, highlighted in each instance?s response below. Theseenhanced techniques operating throughout the entire fiscal year ahead, should provide a stronger overall controlenvironment and lower associated risks.UNR ?? Detailed corrective action taken, including what will be done to avoid the identified issues inthe future, and when these measures will be in place;UNR has implemented controls to address the risk associated with the PeopleSoft Administrators(PSA?s) access to the production and development environments. The controls include:1. The University will remove the PSA role for the three individuals that are identified as not havingthe appropriate segregation of duties. The PSA role is still required of the University and will onlybe granted on a temporary basis when necessary and this access will be, documented, monitored,and deactivated upon completion of the required tasks.a) Approvals ? A PSA role is granted for task specific business needs and when the individualssecurity level does not permit the action to be performed. When justified, the PSA role isgranted by a security administrator.b) Documented ? When the PSA role is granted a notification is triggered to the Associate VicePresident, Planning, Budget and Analysis, the Registrar and the Director of AccountingOperations as to the role assignment and the person assigned.c) Monitored ? The activities performed are documented and monitored in a TeamDynamixticket.d) Deactivated ? The PSA system access is deactivated upon completion of the required activity.The deactivation is documented in the TeamDynamix ticketing system.2. The University will implement a quarterly User Access Review that identifies the incidences ofwhen the PSA role is granted and when the PSA login occurs and compares this to Team Dynamixto establish the activity. The activity can be compared to the system for validity. This will beperformed by the Registrar. 3. The University will continue to explore and research Change Control Systems as options tomonitor activities of the PSA?s.? How compliance and performance will be measured and documented for future audit,management and performance review.The PSA role will not be established for continuous periods of time. When the PSA role is temporarilygranted it is documented and tracked in Team Dynamix. This provides an audit trail of role access,timeframes of logins, and activities.? Who will be responsible and may be held accountable in the future if repeat or similarobservations are noted.The Associate Vice President, Planning, Budget and Analysis will monitor the compliance with thecorrective action plans and will implement new processes as needed to meet the needs of mitigatingthis risk and the system updates and changes.UNLV ?UNLV agrees with this finding.? Detailed corrective action taken, including what will be done to avoid the identified issues inthe future, and when these measures will be in place;UNLV understands the importance of adequate segregation of duties within the PeopleSoftenvironments and applications. The PeopleSoft Administrator (PSA) position that is the subject ofthe finding is responsible for the installation, configuration, upgrades, and troubleshooting of all theapplication environments. The PeopleSoft Administrators are not programmers/developers, andtheir access to the production environments is periodically required to perform the needed activitiesrequired to provide timely support of the application within the scope of their job duties.UNLV has implemented the following controls to mitigate the risks associated with the elevatedaccess required for the administrators to perform their required support activities.a. UNLV will remove the PeopleSoft Administrator role from all PSAs in productionenvironments.b. The PeopleSoft Administrator role will be assigned temporarily when elevated actions arerequired. The assignment will have the following requirements:i. Be limited in duration.ii. Document a justification detailing the need and actions to be performed.iii. Generate notification to the Director of Enterprise Applications.iv. Automatically be removed.v. It is reviewed as part of normal audit activities. c. UNLV will increase their reviews of access, activities, and assigned privileges to monthly forthe PeopleSoft Administrators.d. UNLV will continue researching and implementing other control methods to address thesegregation of duties while providing appropriate service and support.? How compliance and performance will be measured and documented for future audit,management and performance review.The PeopleSoft Administrator role will no longer be a persistent assignment to the PSA position.UNLV will perform monthly reviews of the access and activities to determine if the PeopleSoftAdministrators' current levels require further refinement. Additionally, UNLV will continue toresearch other control methods that will address the segregation of duties while providingappropriate service and support.? Who will be responsible and may be held accountable in the future if repeat or similarobservations are noted.The Director of Enterprise Applications will be responsible for reviewing the access needs of thePeopleSoft Administrators. The Director will complete the reviews and is also accountable if repeat orsimilar observations are noted. The Chief Information Security Officer will verify the reviews are permonthly audit practices.SCS ?? Detailed corrective action taken, including what will be done to avoid the identified issues inthe future, and when these measures will be in place;PeopleSoft Administrator (PSA) access to the Production and Development environments arereviewed on an ongoing basis. Due to the need to develop and perform program changes for all fiveshared-instance Institutions on a frequent basis it was determined that PSA access cannot be reducedany further. However, to address the segregation of duties risk the following compensating controlsare in place:(a) STAT for PeopleSoft ? Code control and internal modification tracking provides visibility over PSAactivities that are processed via this tool. These object changes are reviewed and approved by theDirector of Information and Application Services.(b) JIRA - Change control management and project tracking software. Change requests and projectsrelated to the PeopleSoft shared instance are tracked and approved. This would include user accessmodifications and system updates for example.(c) Security e-mail alerts ? The SCS security team are alerted via automated e-mails when user access(to include PSA roles) is changed.(d) User Access Reviews ? On an annual basis a user access review is performed incorporatingSCS/SA privileged users and all shared instance security coordinators SCS will implement the following additional control from FY22/23 going forward:(e) Splunk reporting and monitoring ? Reporting and trigger events developed incorporating PSAactivity ?anomalies?. For example, PSA after-hour logins reviewed and matched to plannedupdates/activities.(f) Periodic management reviews ? A formal review incorporating, and documenting PSA andassociated exception activities will take place. Where appropriate this will include approvals anddocumented rationale.SCS will continue to explore additional solutions to minimize the segregation of duties risk, especiallyas it relates to the monitoring of PSA activities.? How compliance and performance will be measured and documented for future audit,management and performance review.The periodic management review where appropriate will include documentation and approvals tosupport PSA activities that do not meet established criteria. This review will also document anyfollow-ups required as it relates to similar controls. For example, security e-mail alerts.? Who will be responsible and may be held accountable in the future if repeat or similarobservations are noted.SCS Director of Information and Application Services, SCS Security Group.

FINDING 2022-004 - Special Tests and Provisions: Return of Title IV funds for withdrawn students(Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)ResponsesCSN?? Detailed corrective action taken, including what will be done to avoid the identified issues inthe future, and when these measures will be in place.All student accounts needing an R2T4 that require a date adjustment due to a gap between the lastdate of attendance for one course and the start of a new modular course will be reviewed by a secondindividual on the R2T4 processing team. This will ensure that the institution counts the correctnumber of complete days for the calculation when there is a gap in enrollment and a schedule breakof five days or more. These measures will be in place beginning October 15, 2022. Due to the error,the student will be made whole using institutional funds.? How compliance and performance will be measured and documented for future audit,management, and performance review.CSN will notate student accounts that must be reviewed as processors come across them. Who will be responsible and may be held accountable in the future if repeat or similarobservations are noted.The Assistant Director of Financial Aid will be responsible and may be held accountable if repeat orsimilar observations are noted.UNLV?UNLV agrees with this finding.? Detailed corrective action taken, including what will be done to avoid the identified issues inthe future, and when these measures will be in place:For context 1 (summer 2021), the student withdrawal occurred in FY 2021, with funds returned inAugust. This coincides with our 2020-2021 audit review, at which time many of the controlsdescribed in our response to findings for that year were in their early stages. Since summer 2021none of the identified issues that led to late fund returns have recurred.For context 2 (spring 2022), funds were returned one day late due to a failed transmission to theCommon Origination and Disbursement (COD) system. Normally when transmissions occur, anyrejected records are reviewed by the following day, in part to ensure that returns of funds are timely.In this particular instance, the file failed entirely and was never transmitted to COD at all, andtherefore no record was received of a file reject. Fortunately our own internal reconciliation controlsidentified the issue before even more time had passed.We regularly review records of when fund returns are processed in PeopleSoft to ensure reporting toCOD occurs within 45 days. In addition to our record of the PeopleSoft return date, we will nowtrack a second date to mark when the return record is accepted and reflected in COD. Thiscorrective action has been implemented as of October 10, 2022, and a review of fall 2022 R2T4returns to date indicates that all returns have been made within the 45-day timeframe.? How compliance and performance will be measured and documented for future audit,management and performance review:Steps taken in prior years, including expanded training around R2T4, the addition of a staff memberto support the R2T4 process, and increasing internal controls, have been successful in remediatingthe issues that were previously identified. To control for the file transmission issue, the correctiveplan will be monitored by both the Assistant Director for Financial Aid Processing and the ExecutiveDirector of Financial Aid & Scholarships on a weekly basis. Notes from these reviews will berecorded for future audits. Who will be responsible and may be held accountable in the future if repeat or similarobservations are noted:The Assistant Vice President for Admissions & Financial Aid and the Executive Director forFinancial Aid & Scholarships will be responsible for ensuring ongoing compliance.