Corrective Action Plans

Finding 2022-003Federal Program InformationFederal Agency: United States Department of EducationFederal Cluster: Student Financial AssistanceAward Periods: July 1, 2021 through June 30, 2022, and July 1, 2022 through June 30, 2023Corrective Action PlannedManagement agrees that Banner, the primary information system used to capture Federal Direct Loan information, was not specifically identified in the Mayo Clinic Information Security annual risk assessment which was primarily designed for compliance with The Health Insurance Portability and Accountability Act (HIPAA) Security rule.The following steps have been completed to address the gap identified:1. Compared the scope of the Mayo Clinic Information Security annual risk assessment and the requirements of the Department of Education, under the Gramm-Leach-Bliley Act and identified any gaps.2. Edited the existing annual risk assessment to close the gaps.3. Completed the risk assessment.Persons Responsible for Corrective ActionSarah Tyson, Senior Manager?Office of Information SecurityTarget Completion DateMay 31, 2023

Subawards for SAPT Not Included in FFATA ReportsState Agency: Department of Health and Human ServicesFederal Program: Substance Abuse and Prevention ProgramThe Department concurs with this recommendation. We agree to properly report the subaward information beginning with SFY23.Anticipated Correction Date: November 30, 2022Contact Person: Mark Meier, Financial Manager II, markmeier@utah.gov, and Kyle Larsen, Administrative Services Director, kblarson@utah.gov

Foster Care Eligibility Controls Not Completed in a Timely MannerState Agency: Department of Health and Human ServicesFederal Program: Foster Care Title IV-EThe Department concurs with this recommendation. The agency is in the process of building an integrated eligibility team and will increase its capacity by having three team leads and one support coordinator III to support the eligibility review process.Anticipated Correction Date: June 30, 2023Contact Person: Tracy Wiggill, Eligibility Program Manager, twiggill@utah.gov

Missing/Untimely Submissions and Errors in FFATA ReportingState Agency: Department of Workforce ServicesFederal Program: Vocational Rehabilitation, Emergency Rental Assistance Program, Low-Income Home Energy Assistance Program, CCDF ClusterThe errors cited by the auditors occurred prior to the corrective actions taken by the Department of Workforce Services for prior year finding 2021-006, as described below, which were fully implemented as of June 30, 2022.The Department centralized the contracts teams and standardized contract processes across the Department. This centralization enabled the contracts team to create and maintain a comprehensive contracts database which contains pertinent data elements for each of the Department?s contracts, including contract execution dates, FFATA applicability, and whether applicable FFATA data has been reported on the FFATA Subaward Reporting System (FSRS). The Department also added certain fields in the contracts database which are being utilized to record when FFATA data is received by the contracts team from subrecipients and when the data is forwarded to finance personnel for entry on FSRS. Capturing these additional data elements allows for the generation of reports from the contracts database to identify any instances where FFATA is applicable but data has not been obtained or reported. These enhancements have improved the ability of finance personnel to reconcile FFATA data collected by the contracts team to the data reported on FSRS and are utilized regularly to review FFATA submissions to ensure timeliness, accuracy and completeness in reporting FFATA data.Contact Person: Nathan Harrison, Finance Director, 801-526-9402Anticipated Correction Date: June 30, 2022

Sufficiently-Detailed PIC Meeting Minutes Not MaintainedState Agency: Department of Health and Human ServicesFederal Program: Medicaid ClusterThe Department concurs with this recommendation. The MOU between OIG and DIH/Medicaid and the PIC bylaws define that meeting minutes will be taken with each PIC Committee. These meeting minutes will be reviewed at the following PIC Committee meeting and voted on for approval.PIC bylaws specifically state:?To keep written minutes of all Committee meetings, with assistance of staff, including:? Date, time, and place of meeting;? Names of members present, absent, and excused;? Substance of all matters proposed, discussed or decided and a record of votes taken;? Names of all other individuals who appeared and the substance in brief of their testimony;? Any other information that any member requests to be entered in the minutes.?Anticipated Correction Date: June 31, 2023Contact Person: Jennifer Strohecker, Director Division of Integrated Healthcare, jstrohecker@utah.gov

Use of Appropriate National Correct Coding Initiative (NCCI) Edit Files Not VerifiedState Agency: Department of Health and Human ServicesFederal Program: Medicaid ClusterThe Department concurs with this recommendation. The Division successfully created and tested a comparison file. The division will continue to work to resolve audit concerns. Implementation in production is set for November 2022.Anticipated Correction Date: November 30, 2022Contact Person: Shandi Adamson, Director, Office of Medicaid Operations, shandiadamson@utah.gov

Go Utah Did Not Implement Internal Controls for Subrecipient Monitoring RequirementsState Agency: Go UtahFederal Program: Coronavirus State and Local Fiscal Recovery Fundsa. ?Gain an understanding of subrecipient requirements and establish internal controls to ensure compliance with these requirements;?In order to achieve a sufficient internal control environment, additional controls are needed at both the agency and state levels. Therefore, the Economic Opportunity Office will work with the Governor?s Office of Planning and Budget to create internal controls that, in addition to the ones already in place, create an environment that ensures compliance with federal requirements.b. ?Communicate all required federal award information to sub-recipients.?The Economic Opportunity Office will work with the Attorney General?s Office to include all required federal award information with the sub-recipient?s granting contracts.Contact Person: Kamron Dalton, Managing Director of Operations (COO), 801-538-8677Anticipated Correction Date: July 1, 2023

Suspension and Debarment Not Verified Prior to Awarding ContractsState Agency: Governor?s Office of Planning and BudgetFederal Program: Coronavirus State and Local Fiscal Recovery FundsGOPB will review its September 2022 guidance on requirements for SLFRF agreements and reissue the document to remind agencies of the need to perform timely suspension and debarment checks. GOPB will also provide training to agencies and remind them to include a suspension and debarment clause in contract agreements. GOPB will update the reference guide for agencies with standardized language about suspension and debarment checks to be used in new agreements. GOPB will include this review in its regular monitoring activities and sample contract agreements to verify inclusion of the appropriate contractual provisions.Contact Person: Darcy Jaimez, Fiscal Grant Manager, 385-377-3373Anticipated Correction Date: April 30, 2023

FFATA Award Information Not Submitted for UOVC?s 2020 Award & Inaccurate Information Submitted for 5 of UOVC?s 2019 SubawardsState Agency: Commission on Criminal and Juvenile JusticeFederal Program: Crime Victim AssistanceUOVC will follow the Audit recommendation by entering the final award information into the FSRS website rather than preliminary information. This will be done timely and according to policy. The UOVC Grant Management Team, in alliance with the Federal Fund Financial Manager, will meet to discuss and determine the best way to implement a review process to ensure compliance and accuracy in correcting this audit finding.Contact Person: Tallie Viteri, UOVC Asst. Director, Assistance Grant Program Mgr., 801-300-6605Gary Scheller, UOVC Director, 801-227-9375Mark Peterson, UOVC Financial Manager II, 801-793-8264Anticipated Correction Date: June 30, 2023 (New Grant awards will take place July 2023)

Food Commodity Shipments, Disbursements, and Inventory Not TrackedState Agency: Utah State Board of EducationFederal Program: Emergency Food Assistance Program (Food Commodities)?State agencies, sub distributing agencies, and eligible recipient agencies must maintain records to document the receipt, disposal, and inventory of commodities received under this part that they, in turn, distribute to eligible recipient agencies. (7 CFR 251.10(a)(1)? Therefore, as the distributing agency, the USBE Child Nutrition Program (CNP), shares responsibility for accountability of commodities the state of Utah receives as part of The Emergency Food Assistance Program (TEFAP) with the Utah Food Bank (UFB)?the sub distributing agency. The collaborative relationship between CNP and UFB, and maintenance of sufficient records, resulted in resolution of the initial differences calculated as part of the audit.As required by 7 CFR 251.10(e), CNP monitors the operation of TEFAP, including performance of required annual reviews of recipients, and of physical inventory. In addition to the monitoring procedures currently in place, CNP will enact a policy to reconcile book inventories of donated foods at least annually as required by 7 CFR 250.12(b).Contact Person(s):Michelle Martin, USBE Program Development Coordinator, 801-538-7687Melissa Cowder, USBE Food Distribution Specialist, 801-538-7697Anticipated Correction Date: USBE will develop a policy by September 30, 2022, that will outline procedures to reconcile book inventories of donated foods annually. Reconciliation will be based on the federal fiscal year.

2022-005 COVID-19-Coronavirus State and Local Fiscal Recovery Funds ? Assistance Listing No. 21.027Recommendation: We recommend that management review their policies and procedures to ensure that all monthly and quarterly reports are submitted timely, and the supporting documentation used to prepare the reports are retained for audit purposes.Explanation of disagreement with audit finding: There is no disagreement with the audit finding.Action taken in response to finding: The Office of Budget and Finance in conjunction with the Executive?s office of Government Reform and Strategic Initiative have partnered to establish best practice procedures surrounding the compilation, review and approval of the Coronavirus State and Local Fiscal Recovery Reporting to ensure reports are reviewed for accuracy, approved and submitted timely.Name(s) of the contact person(s) responsible for corrective action: Elisabeth Sachs and Rebecca LangPlanned completion date for corrective action plan: 4/1/2023

2022-008 COVID-19-Coronavirus State and Local Fiscal Recovery Funds ? Assistance Listing No. 21.027Recommendation: The County should reevaluate its current process, implement proper controls, and perform additional training over time and effort reporting. The County should not seek federal reimbursement unless it can substantiate that the time and effort was dedicated to the federal program.Explanation of disagreement with audit finding: There is no disagreement with the audit finding.Action taken in response to finding: The Office of Budget and Finance in conjunction with the Executive?s office of Government Reform and Strategic Initiative will review all employee files to ensure that an effort attestation exists, or that the employee is properly trained on the importance of effort reporting through a timesheet as a chargeback mechanism.Name(s) of the contact person(s) responsible for corrective action: Elisabeth Sachs and Rebecca LangPlanned completion date for corrective action plan: 7/1/2023

2022-007 COVID-19-Emergency Rental Assistance ? Assistance Listing No. 21.023Recommendation: The County should reevaluate its current process, implement proper controls, and perform additional training over time and effort reporting. The County should not seek federal reimbursement unless it can substantiate that the time and effort was dedicated to the federal program.Explanation of disagreement with audit finding: There is no disagreement with the audit finding.Action taken in response to finding: Baltimore County DHCD follows Baltimore County?s general payroll policies and procedures. DHCD allocates time and attendance based on a preset budgeted formula and monitors the staff?s time and attendance through biweekly timesheet prepared by the staff members and approved by unit managers and the review of payroll register. Baltimore is County is discontinuing the use of current payroll system CGI Advantage and will be migrating to Workday system which has more robust features and capabilities to capture time and attendance.Name(s) of the contact person(s) responsible for corrective action: Amir AssadiPlanned completion date for corrective action plan: 7/1/2023

2022-004 COVID-19-Emergency Rental Assistance ? Assistance Listing No. 21.023Recommendation: We recommend that management review their policies and procedures to ensure that all monthly and quarterly reports showing timely submission and the supporting documentation used to prepare the reports are retained for audit purposes.Explanation of disagreement with audit finding: DHCD possesses and utilized supporting documentation to prepare the required reports. However, DHCD was provided 24 hours to submit this information while the primary contributing staff was on scheduled leave and unreachable. DHCD disagrees with the statement about monthly and quarterly reports not being submitted timely. All required reports were submitted on-time and in accordance with current Treasury guidance at the time of submission. DHCD cannot ascertain the veracity of this statement about lack of supporting documentation because it was not provided the data points the auditors used to make their determination. Fully reconciled final documentation of ERA1 Participant Household Data Report was given to the Auditors. However, this data would not have matched earlier submissions to Treasury. Treasury requested full revisions because their staff became aware of many structural reporting problems were experienced by recipients while completing the reporting actions. Entries timed out, sometimes disappeared, sometimes double counted, and the database had no ability to allow for corrections once identified. For this reason, Treasury?s final reporting requirements for closeout had the option for jurisdictions to disregard all prior entries and submit a reconciled version of the households assisted and all related expenditures. This final data report was provided in this audit yet it does not match the initial submissions for the reasons stated. Because the Auditors did not afford DHCD the time to review their ?findings?, DHCD cannot ascertain the level of agreement with the statement.Action taken in response to finding: Not applicable, see above.Name(s) of the contact person(s) responsible for corrective action: Colleen MahonyPlanned completion date for corrective action plan: Not applicable, see above.

2022-001 WIOA Cluster ? Assistance Listing No. 17.258/.259/.278COVID-19-Coronavirus State and Local Fiscal Recovery Funds ? Assistance Listing No. 21.027Aging Cluster ? Assistance Listing No. 93.044/.045/.053Recommendation: We recommend that the County improve its SEFA compilation process to ensure that program expenditures reported on the County?s SEFA are complete and accurate. Procedures and controls should include a process to identify programs that are new to the County and ensure they are properly reported on the SEFA.We further recommend that County?s Office of Budget and Finance (OBF) work with the County?s agencies and departments to review and update their SEFA review and confirmation procedures to ensure that expenditure information they submit to OBF is accurate, that it includes all programs expended, and ties to detail expenditure transactions in the County?s accounting system. They should also review and enhance procedures and controls to ensure that subrecipient payments are accurately reported.Explanation of disagreement with audit finding: There is no disagreement with the audit finding.Action taken in response to finding: On July 1, 2022, Baltimore County deployed Workday Financials, as a replacement for the legacy ERP system, known as CGI Advantage. The Workday system is configured in a way that silos all Federal grants or portions of grants into one fund for reporting purposes. This new configuration captures all award information including CFDA number, Grantor, and Federal/State Grant Number is captured. Additionally, all subrecipients are managed through a Supplier Contract and are categorized as such. This system implementation will ensure accurate and efficient reporting as it related to the SEFA compilation and Subrecipient reporting.Furthermore, DEWD will provide OBF the reports and cost pools to support grant draws on a quarterly basis to assist OBF in the preparation of the Schedule of Expenditures of Federal Awards. DEWD will prepare grant closeout expenditure adjustments (journal entries) on a timely basis. DEWD reviews expenditures to ensure grant eligibility and proper posting to the correct grant. On a quarterly basis, DEWD performs a reconciliation of grant expenditures during preparation of the grant draw reports. OBF will not certify any quarterly cash draws that do not tie back into the general ledger.Name(s) of the contact person(s) responsible for corrective action: Robert Preston, Leonard Howie, Angelique Pefinis-Newport, Terry HickeyPlanned completion date for corrective action plan: 8/1/2023

2022-006 CDBG Entitlement Grant Cluster ? Assistance Listing No. 14.218Recommendation: The County should reevaluate its current process, implement proper controls, and perform additional training over time and effort reporting. The County should not seek federal reimbursement unless it can substantiate that the time and effort was dedicated to the federal program.Explanation of disagreement with audit finding: There is no disagreement with the audit finding.Action taken in response to finding: DHCD follows Baltimore County?s general payroll policies and procedures. DHCD allocates time and attendance based on a preset budgeted formula and monitors the staff?s time and attendance through biweekly timesheet prepared by the staff members and approved by unit managers and the review of payroll register. Baltimore County is discontinuing the use of current payroll system CGI Advantage and will be migrating to Workday system which has more robust features and capabilities to capture time and attendance.Name(s) of the contact person(s) responsible for corrective action: Amir AssadiPlanned completion date for corrective action plan: 7/1/2023

FINDING 2022-005Contact Person Responsible for Corrective Action: Lynn Leininger, Business ManagerContact Phone Number: (260) 367-3677Whitko Community Schools concurs with the finding and will implement internal controls for all grantrequirements and reporting compliances of the Education Stabilization Funds. All reporting will be a jointeffort between the Business Manager preparing the reports with the assistance of the business officepersonnel. Supporting paperwork and calculations will be maintained to support all report informationsubmitted. Prior to submission of Education Stabilization Funds, all information will be reviewed andsigned by the Deputy Treasurer to insure reporting compliance.The completion date for this corrective action will be May1, 2023.INDIANA STATE

FINDING 2022-004Contact Person responsible for Corrective Action: Allison Kellogg, Director of Special EducationContact Phone Number: (260) 367-3677Whitko Community Schools concurs with the finding and will meet and maintain suspension anddebarment requirements per internal control procedures over Federal awards through the use of thefollowing steps:1. Whitko Community Schools will use the System for Award Management (SAM.gov) website todetermine if a contractor is suspended or debarred.2. Include suspension and debarment terminology in all contracts with vendors receiving compensationthrough Federal wards.The completion date for this corrective action will be July 1, 2023.

FINDING 2022-003Contact People Responsible for Corrective Action: Lynn Leininger, Business Manager and AllisonKellogg, Director of Special EducationContact Phone Number: (260) 367-3677Whitko Community Schools concurs with the finding and will implement a dual check system with theBusiness Manager and the Director of Special Education. All proportionate money earmarked fornonpublic school expenditures under the Special Education Cluster will be continually monitored from theapproval through the end of the grant to insure all compliance requirements are met.The completion date for this corrective action will be July 1, 2023.

FINDING 2022-003Contact Person Responsible for Corrective Action: Lisa Mullaney Clerk/TreasurerContact Phone Number: 574-892-5717 x222.Views of Responsible Official: I concur with the findings.Description of Corrective Action Plan:The Clerk-Treasurer will review all reports submitted by the 3rd party grant writer with documentation.Anticipated Completion Date: 09/30/2023

Finding 2022-003Federal Agency Name: Department of Health and Human ServicesProgram Name: COVID-19 Provider Relief Fund and American Rescue Plan (ARP) Rural DistributionCFDA #93.498Finding Summary: The Organization?s special reports submitted to the Department of Health and HumanServices were not reviewed and approved by a separate individual outside of the preparer.Responsible Individuals: CFO Martin Quintana, and Controller Gladys LopezCorrective Action Plan: We reviewed the internal controls and provided better separation of duties in the process.Steps were added to the process that entail a review of the preparers? work by a second person before they aresubmitted to the Controller and/or the Chief Financial Officer for approval. Will also establish a process forensuring full review of financial statements.Anticipated Completion Date: By 11/30/2023

Finding 2022-002Federal Agency Name: Department of Health and Human ServicesProgram Name: COVID-19 Provider Relief Fund and American Rescue Plan (ARP) Rural DistributionCFDA #93.498Finding Summary: The Organization?s final expenditure listing identified as eligible and claimed under theProvider Relief Fund program lacked documentation of its review by a separate individual outside of thepreparer. The support for two out of 60 expenditures tested differed in amounts from the amount on thetracking spreadsheet. Three of the 60 invoices did not include evidence of approval for payment.Responsible Individuals: CFO Martin Quintana, and Controller Gladys LopezCorrective Action Plan: We reviewed the internal controls and provided better separation of duties in the process.Steps were added to the process that entail a review of the preparers? work by a second person before they aresubmitted to the Controller and/or the Chief Financial Officer for approval. Will also establish a process forensuring full review of financial statements.Anticipated Completion Date: By 11/30/2023

FINDING 2022-004Contact Person Responsible for Corrective Action: Kristin CharlesContact Phone Number: 765-866-0203Views of the Responsible Official: The School Corporation is in agreement with the Finding.Description of Corrective Action Plan: This should not be an issue moving forward as now write our grant to be used for our Co-Op Bill and do not pay salaries directly. In the future if we plan to pay with Federal Funding, we will require time and effort logs.Anticipated Completion Date: 4/1/2023

FINDING 2022-003Contact Person Responsible for Corrective Action: Kristin CharlesContact Phone Number: 765-866-0203Views of the Responsible Official: The School Corporation is in agreement with the Finding.Description of Corrective Action Plan: We have added for the upcoming contract with West Central Special Education Co-Op that they are responsible to report to us if they are under or could be under the threat of any suspension and debarment issues. We will also add this language into any other contract if we are ever in the position to use Federal Grant Funds.Anticipated Completion Date: 4/1/2023

STUDENT FINANCIAL ASSISTANCE CLUSTER FINDINGSFINDING 2022-003 - Internal Control over Compliance (Repeat Finding 2021-003, 2020-001, 2019-002, 2018-003, 2017-002, 2015-002, 2014-008)ResponsesNSHE Overall response/context ?NSHE increased its dialogue amongst the three instances of the student information system throughout fiscalyear 2022. The results of this robust dialogue led to additional controls to reduce related IT risks, enhancedmonitoring of activities, and targeted periodic reviews, highlighted in each instance?s response below. Theseenhanced techniques operating throughout the entire fiscal year ahead, should provide a stronger overall controlenvironment and lower associated risks.UNR ?? Detailed corrective action taken, including what will be done to avoid the identified issues inthe future, and when these measures will be in place;UNR has implemented controls to address the risk associated with the PeopleSoft Administrators(PSA?s) access to the production and development environments. The controls include:1. The University will remove the PSA role for the three individuals that are identified as not havingthe appropriate segregation of duties. The PSA role is still required of the University and will onlybe granted on a temporary basis when necessary and this access will be, documented, monitored,and deactivated upon completion of the required tasks.a) Approvals ? A PSA role is granted for task specific business needs and when the individualssecurity level does not permit the action to be performed. When justified, the PSA role isgranted by a security administrator.b) Documented ? When the PSA role is granted a notification is triggered to the Associate VicePresident, Planning, Budget and Analysis, the Registrar and the Director of AccountingOperations as to the role assignment and the person assigned.c) Monitored ? The activities performed are documented and monitored in a TeamDynamixticket.d) Deactivated ? The PSA system access is deactivated upon completion of the required activity.The deactivation is documented in the TeamDynamix ticketing system.2. The University will implement a quarterly User Access Review that identifies the incidences ofwhen the PSA role is granted and when the PSA login occurs and compares this to Team Dynamixto establish the activity. The activity can be compared to the system for validity. This will beperformed by the Registrar. 3. The University will continue to explore and research Change Control Systems as options tomonitor activities of the PSA?s.? How compliance and performance will be measured and documented for future audit,management and performance review.The PSA role will not be established for continuous periods of time. When the PSA role is temporarilygranted it is documented and tracked in Team Dynamix. This provides an audit trail of role access,timeframes of logins, and activities.? Who will be responsible and may be held accountable in the future if repeat or similarobservations are noted.The Associate Vice President, Planning, Budget and Analysis will monitor the compliance with thecorrective action plans and will implement new processes as needed to meet the needs of mitigatingthis risk and the system updates and changes.UNLV ?UNLV agrees with this finding.? Detailed corrective action taken, including what will be done to avoid the identified issues inthe future, and when these measures will be in place;UNLV understands the importance of adequate segregation of duties within the PeopleSoftenvironments and applications. The PeopleSoft Administrator (PSA) position that is the subject ofthe finding is responsible for the installation, configuration, upgrades, and troubleshooting of all theapplication environments. The PeopleSoft Administrators are not programmers/developers, andtheir access to the production environments is periodically required to perform the needed activitiesrequired to provide timely support of the application within the scope of their job duties.UNLV has implemented the following controls to mitigate the risks associated with the elevatedaccess required for the administrators to perform their required support activities.a. UNLV will remove the PeopleSoft Administrator role from all PSAs in productionenvironments.b. The PeopleSoft Administrator role will be assigned temporarily when elevated actions arerequired. The assignment will have the following requirements:i. Be limited in duration.ii. Document a justification detailing the need and actions to be performed.iii. Generate notification to the Director of Enterprise Applications.iv. Automatically be removed.v. It is reviewed as part of normal audit activities. c. UNLV will increase their reviews of access, activities, and assigned privileges to monthly forthe PeopleSoft Administrators.d. UNLV will continue researching and implementing other control methods to address thesegregation of duties while providing appropriate service and support.? How compliance and performance will be measured and documented for future audit,management and performance review.The PeopleSoft Administrator role will no longer be a persistent assignment to the PSA position.UNLV will perform monthly reviews of the access and activities to determine if the PeopleSoftAdministrators' current levels require further refinement. Additionally, UNLV will continue toresearch other control methods that will address the segregation of duties while providingappropriate service and support.? Who will be responsible and may be held accountable in the future if repeat or similarobservations are noted.The Director of Enterprise Applications will be responsible for reviewing the access needs of thePeopleSoft Administrators. The Director will complete the reviews and is also accountable if repeat orsimilar observations are noted. The Chief Information Security Officer will verify the reviews are permonthly audit practices.SCS ?? Detailed corrective action taken, including what will be done to avoid the identified issues inthe future, and when these measures will be in place;PeopleSoft Administrator (PSA) access to the Production and Development environments arereviewed on an ongoing basis. Due to the need to develop and perform program changes for all fiveshared-instance Institutions on a frequent basis it was determined that PSA access cannot be reducedany further. However, to address the segregation of duties risk the following compensating controlsare in place:(a) STAT for PeopleSoft ? Code control and internal modification tracking provides visibility over PSAactivities that are processed via this tool. These object changes are reviewed and approved by theDirector of Information and Application Services.(b) JIRA - Change control management and project tracking software. Change requests and projectsrelated to the PeopleSoft shared instance are tracked and approved. This would include user accessmodifications and system updates for example.(c) Security e-mail alerts ? The SCS security team are alerted via automated e-mails when user access(to include PSA roles) is changed.(d) User Access Reviews ? On an annual basis a user access review is performed incorporatingSCS/SA privileged users and all shared instance security coordinators SCS will implement the following additional control from FY22/23 going forward:(e) Splunk reporting and monitoring ? Reporting and trigger events developed incorporating PSAactivity ?anomalies?. For example, PSA after-hour logins reviewed and matched to plannedupdates/activities.(f) Periodic management reviews ? A formal review incorporating, and documenting PSA andassociated exception activities will take place. Where appropriate this will include approvals anddocumented rationale.SCS will continue to explore additional solutions to minimize the segregation of duties risk, especiallyas it relates to the monitoring of PSA activities.? How compliance and performance will be measured and documented for future audit,management and performance review.The periodic management review where appropriate will include documentation and approvals tosupport PSA activities that do not meet established criteria. This review will also document anyfollow-ups required as it relates to similar controls. For example, security e-mail alerts.? Who will be responsible and may be held accountable in the future if repeat or similarobservations are noted.SCS Director of Information and Application Services, SCS Security Group.