FAC Explorer

Corrective Action Plans

Browse how organizations respond to audit findings

Total CAPs
57,859
In database
Filtered Results
9,006
Matching current filters
Showing Page
234 of 361
25 per page

Filters

Clear
Active filters: § 200.303
Finding 377338 (2023-002)
Material Weakness 2023
West Lafayette Community School Corporation
IN
Subrecipient Monitoring Internal Control / Segregation of Duties § 200.1 § 200.208 § 200.303 § 200.332 § 200.339
FINDING 2023-002 Finding Subject: COVID-19 – Education Stabilization Fund – Subrecipient Monitoring Summary of Finding: The School Corporation received and passed through to subrecipients $495,386 of ESF funds. The School Corporation is to clearly identify the award and applicable requirements to th...
FINDING 2023-002 Finding Subject: COVID-19 – Education Stabilization Fund – Subrecipient Monitoring Summary of Finding: The School Corporation received and passed through to subrecipients $495,386 of ESF funds. The School Corporation is to clearly identify the award and applicable requirements to the subrecipients, evaluate the risk of noncompliance related to the subrecipients to determine appropriate monitoring of the subaward, and monitor the activities of the subrecipients to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. Contact Person Responsible for Corrective Action: Dr. Judi Hendrix, Director of WVEC and Michelle Cronk, CFO of West Lafayette Schools Contact Phone Number and Email Address: Dr. Judi Hendrix Michelle Cronk 765-894-0333 765-746-1602 judi.hendrix@esc5.k12.in.us cronkm@wl.k12.in.us Views of Responsible Officials: We concur with the finding regarding the informing and monitoring of subrecipients for federal grants. Description of Corrective Action Plan: We concur with the findings from the State Audit regarding the 3E grants funds; 2023-002. Our Corrective Action Plan would consist of the following:  Before ESF funds are dispersed to school districts (subrecipients), the WVEC Grant Director will ask districts for proper documentation such as receipts, college entrance letters, staff documented timesheets to support their request for funding.  The WVEC Grant Director will monitor the activities of the subrecipients to ensure that the financial subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals of the grant.  Once the school district’s information and documentation is received and approved, grant funding will be dispersed. Both the Service Center Executive Director and WVEC Grant Manager will approve and sign off on any payment made to a subrecipient.  On a biannual basis (periods ending June 30 and December 31), West Lafayette School Corporation will request the monitoring documentation from WVEC to ensure that proper monitoring is taking place. The WVEC Grant Director will create a sub-grantee reporting procedure:  Monthly spreadsheet with district allowable expense and sign off by Grant Manager, WVEC Executive Director and WVEC Treasurer approval.  This will take place every pay period to monitor the disbursement of any federal funds and to ensure that they are used for allowable expenditures under the grant.  This monitoring will begin in the month of March 2024 and continue until the end of the grant or Final Report, December 31, 2024. This procedure will also be used for other federal grants received.  On a biannual basis (periods ending June 30 and December 31), West Lafayette School Corporation will request the monitoring documentation from WVEC to ensure that proper monitoring is taking place. Anticipated Completion Date: Monthly monitoring will begin promptly (March 2024) and end with the final report of 3E grant activities on December 31, 2024.
View Audit 295131
Finding 377334 (2023-001)
Material Weakness 2023
West Lafayette Community School Corporation
IN
Matching / Level of Effort / Earmarking Allowable Costs / Cost Principles § 200.208 § 200.303 § 200.403
FINDING 2023-001 Finding Subject: Special Education Cluster (IDEA) - Earmarking Summary of Finding: The School Corporation did not have internal controls in place to ensure that the Greater Lafayette Area Special Services Cooperative complied with the earmarking requirements. The Cooperative did not...
FINDING 2023-001 Finding Subject: Special Education Cluster (IDEA) - Earmarking Summary of Finding: The School Corporation did not have internal controls in place to ensure that the Greater Lafayette Area Special Services Cooperative complied with the earmarking requirements. The Cooperative did not have adequate procedures in place to ensure that the required level of expenditures for nonpublic school students with disabilities was met for each member school. The Cooperative did not have effective internal controls to ensure non-public school expenditures were appropriately identified and reported. Contact Person Responsible for Corrective Action: Lissa Stranahan, GLASS Director and Michelle Cronk, CFO of West Lafayette Schools Contact Phone Number and Email Address: Lissa Stranahan Michelle Cronk 765-771-6013 765-746-1602 lstranahan@lsc.k12.in.us cronkm@wl.k12.in.us Views of Responsible Officials: We concur with the finding for earmarking. GLASS did not have adequate procedures in place to ensure that the required level of expenditures for non-public school students with disabilities was met for each member school. The Cooperative did not have effective internal controls to ensure nonpublic school expenditures were appropriately identified and reported. The methodology used by the Cooperative to monitor non-public proportionate share expenditures was based upon a percentage for each school corporation that comprises the Cooperative rather than basing the expenditures off of the grant award for each non-public school within the geographical boundaries of the school corporations. While all proportionate share funds were expended, it was problematic in determining if the minimum amount per the grant awards was expended and properly reported prior to July 1, 2023. Description of Corrective Action Plan: The former Director of GLASS retired June 30, 2023. Upon hire on July 1, 2023, the new director immediately implemented measures to correct the previous methodology used at GLASS. Non-public proportionate share funds are identified and reported based upon the grant award for each school corporation. The expenditures are based upon the geographical location of the non-public school and the corresponding public school corporation, not based upon the “home” school corporation of the student. The school corporation will review the methodology used to calculate non-public proportionate share on the grant applications to ensure that the correct methodology is used. Anticipated Completion Date: The corrective action was already put into place on July 1, 2023. The audit finding reflects the previous grant cycle prior to the action taken.
View Audit 295131
Finding 377325 (2023-001)
Material Weakness 2023
Horizon Health and Wellness, Inc.
AZ
Material Weakness Reporting Internal Control / Segregation of Duties § 200.303
Department of Health and Human Services Federal Assistance Listing #93.498 COVID-19 Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution Applicable Federal Award Number and Year – Period 4 TIN #860554593 Reporting Material Weakness in Internal Control Over Compliance and Material N...
Department of Health and Human Services Federal Assistance Listing #93.498 COVID-19 Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution Applicable Federal Award Number and Year – Period 4 TIN #860554593 Reporting Material Weakness in Internal Control Over Compliance and Material Noncompliance Finding Summary: The Organization selected option iii to calculate lost revenue using budgeted gross revenues to actual gross revenues. The Organization’s HHS Period 4 Report included lost revenues for three quarters that did not agree to the supporting calculation of lost revenues. Without proper implementation of internal controls over the Organization’s budget prior to submission errors could occur resulting in the Organization not calculating lost revenues correctly. Status: The Organization will be adopting a policy to enhance internal controls over the budget to ensure that the lost revenue calculation is not changed after submission and follows the option iii methodology utilized to calculate lost revenues. Responsibility of: Richard Leonard (Controller) and Andrew Horan (Director of F.P. and A.) Estimated Completion Date: 3/31/24
View Audit 295119
Finding 377318 (2023-001)
Material Weakness 2023
Sarasota County, Florida
FL
Subrecipient Monitoring Material Weakness Reporting § 200.303
Material Weakness - Internal Controls over Reporting and Noncompliance The Office of Financial Management (OFM) Grant Program Administrator, Heather Larson will monitor and ensure that Federal Funding Accountability and Transparency Act of 2006 (FFATA) reports are filed as required in the FSRS syste...
Material Weakness - Internal Controls over Reporting and Noncompliance The Office of Financial Management (OFM) Grant Program Administrator, Heather Larson will monitor and ensure that Federal Funding Accountability and Transparency Act of 2006 (FFATA) reports are filed as required in the FSRS system. Since the recent transition of the CDBG Entitlement Cluster from an outside agency back to Sarasota County, the County has implemented a standardized form to capture needed information from current and future subrecipients to report appropriately the requirements of the Federal Funding Accountability and Transparency Act of 2006 (FFATA). The OFM Grant Analyst assigned to the funding award, upon review of any pending subaward/ subaward amendment, will create an Action Item utilizing the Grants Administration module of OnBase. The Action Item will require completion of any required FSRS reporting. Action item will be assigned and have a deadline date no late than the last day of the month following the month in which the subaward/ subaward amendment obligation was made. Implementation date for this process - On or before February 28, 2024.
View Audit 295115
Finding 377316 (2023-004)
Material Weakness 2023
South Ripley Community School Corporation
IN
Matching / Level of Effort / Earmarking Allowable Costs / Cost Principles § 200.208 § 200.303 § 200.403
FINDING 2023-004 Finding Subject: Special Education Cluster (IDEA) – Earmarking Summary of Finding: The Non-Public Proportionate Share expenditures for the 21611-048-PN01 grant award could not be verified for the individual member schools. The non-public school share funds for the participating memb...
FINDING 2023-004 Finding Subject: Special Education Cluster (IDEA) – Earmarking Summary of Finding: The Non-Public Proportionate Share expenditures for the 21611-048-PN01 grant award could not be verified for the individual member schools. The non-public school share funds for the participating member schools were allocated based on the yearly budget for certified staff instead of time charged to the non-public schools. These allocations were the amounts reported to IDOE. As such, we were unable to identify which expenditures were for each school in order to verify the minimum amount per the grant award was expended and properly reported to IDOE as required. Contact Person Responsible for Corrective Action: Lana M. Miller Contact Phone Number and Email Address: Phone Number-812-689-6282 Email- lmiller@sripley.k12.in.us Views of Responsible Officials: We concur with the finding Description of Corrective Action Plan: INDIANA STATE BOARD OF ACCOUNTS 31 Expenses for non-public schools are tracked and charged to the appropriate corporation. Staff record time spent at each non-public school, sign and date the form and turn it into the treasurer. The expenses are then moved to the correct expense line on the grant after receiving this information. Materials that are purchased are charged to the correct expense account when paid. ROD’s treasurer will prepare a report showing compliance with the earmarking requirement on a monthly basis. These reports will be provided to the ROD board for review, and our Superintendent is a member of that board. Anticipated Completion Date: July 1, 2023
View Audit 295114
Finding 377314 (2023-003)
Material Weakness 2023
South Ripley Community School Corporation
IN
Procurement, Suspension & Debarment Subrecipient Monitoring § 200.1 § 200.303 § 200.317 § 200.318 § 200.319
FINDING 2023-003 Finding Subject: Special Education Cluster (IDEA) – Procurement and Suspension and Debarment Summary of Finding: Procurement Federal regulations allow for informal procurement methods when the value of the procurement for goods or services does not exceed the simplified acquisition ...
FINDING 2023-003 Finding Subject: Special Education Cluster (IDEA) – Procurement and Suspension and Debarment Summary of Finding: Procurement Federal regulations allow for informal procurement methods when the value of the procurement for goods or services does not exceed the simplified acquisition threshold, which is customarily set at $250,000. However, Indiana Code 5-22-8 has a more restrictive threshold of $150,000 or less for when small purchase procedures may be used. This informal process allows for methods other than the formal bid process. The informal process is divided between two methods based on thresholds. Micropurchases, typically for those purchases $10,000 or under, and small purchase procedures for those purchases above the micro-purchase threshold, but below the simplified acquisition threshold. Micro-purchases may be awarded without soliciting competitive price rate quotations. If small purchase procedures are used, then price or rate quotations must be obtained from an adequate number of qualified sources. If it is determined a single source provider can be used for a small purchase, documentation must be retained supporting the determination. The Cooperative did not adhere to the requirements necessary for them to be in compliance with the procurement of small purchases during the audit period. Suspension and Debarment The School Corporation did not have internal controls in place to ensure compliance with the suspension and debarment requirement. The Cooperative did not have adequate internal controls in place to ensure all applicable vendors were not suspended or debarred prior to entering into a covered transaction. As such, the Cooperative never entered into a contract, although their payments to the vendor exceeded $50,000. The INDIANA STATE BOARD OF ACCOUNTS 30 Cooperative did not perform procedures to ensure that the vendor was not suspended or debarred from participation in federal programs. Contact Person Responsible for Corrective Action: Lana M. Miller Contact Phone Number and Email Address: Phone Number-812-689-6282 Email- lmiller@sripley.k12.in.us Views of Responsible Officials: We concur with the finding. Description of Corrective Action Plan: The ROD Special Education Cooperative will make notes in the Board Minutes regarding the fact that only one vendor can provide specific services prior to entering into a contract or purchasing said services. Each company providing services will be checked on the SAM.gov website to ensure that the vendor has not been suspended or debarred. This documentation will be provided to the ROD board for review, and our Superintendent is a member of that board. Anticipated Completion Date: February 1, 2024
View Audit 295114
Finding 377310 (2023-002)
Material Weakness 2023
South Ripley Community School Corporation
IN
Procurement, Suspension & Debarment Subrecipient Monitoring School Nutrition Programs § 200.303
FINDING 2023-002 Finding Subject: Child Nutrition Cluster - Procurement and Suspension and Debarment Summary of Finding: Prior to entering into subawards and covered transactions with program funds, recipients are required to verify that such contractors and subrecipients are not suspended, debarred...
FINDING 2023-002 Finding Subject: Child Nutrition Cluster - Procurement and Suspension and Debarment Summary of Finding: Prior to entering into subawards and covered transactions with program funds, recipients are required to verify that such contractors and subrecipients are not suspended, debarred, or otherwise excluded. "Covered transactions" include, but are not limited to contracts for goods and services awarded under a non-procurement transaction (i.e., grant agreement) that are expected to equal or exceed $25,000. The verification is to be done by checking the SAM exclusions, collecting a certification from that person, or adding a clause or condition to the covered transaction with that person. Upon inquiry of the School Corporation, in order to review the procedures in place for verifying that an entity with which it plans to enter into a covered transaction is not suspended, debarred, or otherwise excluded, the School Corporation disclosed there were not adequate procedures in place to ensure this. While the suspension and debarment report is run on a yearly basis in June, this was not adequate to ensure that this verification was performed prior to a covered transaction being entered into. One covered transaction that equaled or exceeded $25,000, paid from Child Nutrition Cluster funds, was identified. The one transaction, totaling $43,599.31, was selected for testing. The School Corporation did not verify the vendor's suspension and debarment status prior to payment. INDIANA STATE BOARD OF ACCOUNTS 29 Contact Person Responsible for Corrective Action: Lana M. Miller Contact Phone Number and Email Address: Phone Number-812-689-6282 Email- lmiller@sripley.k12.in.us Views of Responsible Officials: We concur with the finding Description of Corrective Action Plan: We will amend our current process of running Suspension and Debarment inquiries from annually in June each year to every six months and prior to check issuance when over $25,000 from federal funds. Anticipated Completion Date: Immediately, February 2024
View Audit 295114
Finding 377308 (2023-001)
Material Weakness 2023
South Ripley Community School Corporation
IN
School Nutrition Programs Eligibility Material Weakness § 200.303
FINDING 2023-001 Finding Subject: Child Nutrition Cluster - Special Tests and Provisions - Verification of Free and Reduced Price Applications Summary of Finding: An effective internal control system, which would include segregation of duties, was not in place at the School Corporation in order to e...
FINDING 2023-001 Finding Subject: Child Nutrition Cluster - Special Tests and Provisions - Verification of Free and Reduced Price Applications Summary of Finding: An effective internal control system, which would include segregation of duties, was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the Special Tests and Provisions - Verification of Free and Reduced Price Applications compliance requirement. Based upon the number of approved applications on file on October 1, the School Corporation was required to select a sample of three applications for fiscal year 2022- 2023 that were approved for free and reduced price meals, to verify the applicants' eligibility for the benefits received. The School Corporation requested income documentation from each applicant to perform the verifications as required. The School Corporation did not receive a response from any of the applicants. As a result, the student included in each application should have had a change in status from free or reduced to paid. However, for two of the applicants, the student was flagged in the system as no response, but the students' statuses were not updated to reflect that each was no longer eligible for free or reduced price meals. Contact Person Responsible for Corrective Action: Lana M. Miller Contact Phone Number and Email Address: Phone Number- 812-689-6282 Email- lmiller@sripley.k12.in.us INDIANA STATE BOARD OF ACCOUNTS 28 Views of Responsible Officials: We concur with the finding. Description of Corrective Action Plan: This finding was a result of a new staff person in the position working with software that was new to her. It was noted by the auditor that the application status was changed to paid in the verification status. The staff person involved did not know that she needed to make another change in the software other than changing the application status. We have discussed with the person responsible for this regarding the needed two-step process to change a student’s status. Additionally, the staff person has set up a process for segregation of duties. A second person will be reviewing the screens after verification changes are made. This person will also sign off on the paper/report to show the second review and segregation of duties. Anticipated Completion Date: Immediately, February 2024
View Audit 295114
Finding 377304 (2023-005)
Significant Deficiency 2023
Floyd County Medical Center
IA
Reporting Significant Deficiency Internal Control / Segregation of Duties § 200.303
Federal Agency Name: Department of Health and Human Services Program Name: COVID‐19 Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution Applicable Federal Award Number and Year – Period 4 TIN #420868216 Federal Financial Assistance Listing #93.498 Compliance Requirement: Reporting...
Federal Agency Name: Department of Health and Human Services Program Name: COVID‐19 Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution Applicable Federal Award Number and Year – Period 4 TIN #420868216 Federal Financial Assistance Listing #93.498 Compliance Requirement: Reporting Finding Summary: There was no evidence retained that the Hospital’s special report submitted to the Department of Health and Human Services for Period 4 TIN #420868216 was reviewed or approved by an individual separate from the preparer prior to submission. Responsible Individuals: Craig Carstens, CFO Corrective Action Plan: Management agrees with this finding. Management will designate specific individuals to review HHS special report submissions before submission to HHS. Management will require documentation verifying independent review and approval prior to submission. Management will provide comprehensive training to staff on the importance of independent review processes. Management will set up automated workflow systems and checklists to enforce review procedures. Management will regularly audit the review process, gather feedback, and make necessary adjustments for enhancement. Anticipated Completion Date: 2/26/2024.
View Audit 295111
Finding 377303 (2023-004)
Significant Deficiency 2023
Floyd County Medical Center
IA
Allowable Costs / Cost Principles Eligibility Significant Deficiency § 200.303
Federal Agency Name: Department of Health and Human Services Program Name: COVID‐19 Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution Applicable Federal Award Number and Year – Period 4 TIN #420868216 Federal Financial Assistance Listing #93.498 Compliance Requirement: Activitie...
Federal Agency Name: Department of Health and Human Services Program Name: COVID‐19 Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution Applicable Federal Award Number and Year – Period 4 TIN #420868216 Federal Financial Assistance Listing #93.498 Compliance Requirement: Activities Allowed or Unallowed and Allowable Costs/Cost Principles Finding Summary: The Hospital claimed expenses in the HHS special report for Period 4 that were related to services to be performed after the period of availability. Responsible Individuals: Craig Carstens, CFO Corrective Action Plan: Management agrees with the findings. Management will ensure that all expenses claimed are properly documented and supported by appropriate documentation, including invoices, receipts, and service agreements. Management will provide training and education to relevant staff members responsible for preparing and submitting expense claims to ensure they understand the period of availability and the importance of accurate reporting. Management will implement controls and procedures to prevent similar errors in the future. This may include implementing a review process for expense claims to ensure compliance with reporting requirements. Management will communicate the importance of accurate reporting and adherence to reporting equirements to all relevant staff members. Emphasize the impact of inaccurate reporting on the hospital's reputation and compliance status. Management will Establish a system for ongoing monitoring and oversight of expense reporting processes to identify and address any issues or discrepancies in a timely manner. Anticipated Completion Date: 2/26/2024.
View Audit 295111
Finding 377290 (2023-107)
Significant Deficiency 2023
Commonwealth of Virginia
VA
Subrecipient Monitoring Matching / Level of Effort / Earmarking Reporting § 200.303
Responsible Contact Person(s): Ida Witherspoon, Chief Financial Officer Corrective Action Planned: Send periodic e-mail reminders to program staff responsible for submitting FFATA data to the Federal Reporting Unit for submission to the federal government. Additional time is needed to fully impleme...
Responsible Contact Person(s): Ida Witherspoon, Chief Financial Officer Corrective Action Planned: Send periodic e-mail reminders to program staff responsible for submitting FFATA data to the Federal Reporting Unit for submission to the federal government. Additional time is needed to fully implement an automated solution. Estimated Completion Date: 10/30/2024
View Audit 295106
Finding 377287 (2023-106)
Significant Deficiency 2023
Commonwealth of Virginia
VA
Subrecipient Monitoring Reporting Significant Deficiency § 200.303
Responsible Contact Person(s): Angela Morse, Director of Benefit Programs Frank Smith, Associate Director of Benefit Programs Corrective Action Planned: DSS will perform an analysis of identified reporting errors to determine causality and the appropriate actions to resolve reporting errors. Additio...
Responsible Contact Person(s): Angela Morse, Director of Benefit Programs Frank Smith, Associate Director of Benefit Programs Corrective Action Planned: DSS will perform an analysis of identified reporting errors to determine causality and the appropriate actions to resolve reporting errors. Additionally, DSS will create a systems modification request to correct errors that are identified as occurring as a result of inaccurate programming in the data modification phase of federal report creation. Estimated Completion Date: 12/31/2024
View Audit 295106
Finding 377283 (2023-104)
Material Weakness 2023
Commonwealth of Virginia
VA
Eligibility Material Weakness Period of Performance § 200.303 § 200.501
Responsible Contact Person(s): Angela Morse, Director of Benefit Programs Frank Smith, Associate Director of Benefit Programs Corrective Action Planned: DSS has requested the vendor's records. Once received, DSS will audit those records to provide reasonable assurance that the contractor administer...
Responsible Contact Person(s): Angela Morse, Director of Benefit Programs Frank Smith, Associate Director of Benefit Programs Corrective Action Planned: DSS has requested the vendor's records. Once received, DSS will audit those records to provide reasonable assurance that the contractor administered the LIHWAP federal grant program in accordance with federal statutes, regulations, and the terms and conditions of the federal award before it closes the grant award. Estimated Completion Date: 6/30/2024
View Audit 295106
Finding 377280 (2023-103)
Significant Deficiency 2023
Commonwealth of Virginia
VA
Questioned Costs Subrecipient Monitoring Eligibility § 200.303
Responsible Contact Person(s): Angela Morse, Director of Benefit Programs Frank Smith, Associate Director Senior Benefit Programs Denise Surber, EAP Manager - Division of Benefit Programs Corrective Action Planned: DSS will work to provide additional training to local agency eligibility workers on h...
Responsible Contact Person(s): Angela Morse, Director of Benefit Programs Frank Smith, Associate Director Senior Benefit Programs Denise Surber, EAP Manager - Division of Benefit Programs Corrective Action Planned: DSS will work to provide additional training to local agency eligibility workers on how to properly determine and document eligibility determinations in the case management system. Additionally, DSS will consider monitoring local agency eligibility worker’s use of manual overrides to confirm that they properly document eligibility determinations in the case management system. Estimated Completion Date: 12/31/2024
View Audit 295106 Questioned Costs: $1
Finding 377262 (2023-099)
Significant Deficiency 2023
Commonwealth of Virginia
VA
Subrecipient Monitoring § 200.303 § 200.332
Responsible Contact Person(s): Ross McDonald, Director of Compliance Ousman Kah, Subrecipient Monitoring Coordinator Corrective Action Planned: The final version of the agency's Monitoring Plan was completed. Estimated Completion Date: 8/1/2023
Responsible Contact Person(s): Ross McDonald, Director of Compliance Ousman Kah, Subrecipient Monitoring Coordinator Corrective Action Planned: The final version of the agency's Monitoring Plan was completed. Estimated Completion Date: 8/1/2023
View Audit 295106
Finding 377253 (2023-097)
Material Weakness 2023
Commonwealth of Virginia
VA
Subrecipient Monitoring Internal Control / Segregation of Duties Matching / Level of Effort / Earmarking § 200.303 § 200.332
Responsible Contact Person(s): Ross McDonald, Director of Compliance Ousman Kah, Subrecipient Monitoring Coordinator Corrective Action Planned: A Grants Management solution is being pursued by DSS in anticipation that it can be deployed with Subrecipient Monitoring capabilities needed to comply with...
Responsible Contact Person(s): Ross McDonald, Director of Compliance Ousman Kah, Subrecipient Monitoring Coordinator Corrective Action Planned: A Grants Management solution is being pursued by DSS in anticipation that it can be deployed with Subrecipient Monitoring capabilities needed to comply with these requirements. A new budget request has been submitted for funding of a contingent Subrecipient Monitoring System solution. This will help bridge the deficiencies noted until an integrated permanent solution is implemented. Estimated Completion Date: 3/31/2025
View Audit 295106
Finding 376168 (2023-086)
Significant Deficiency 2023
Commonwealth of Virginia
VA
Internal Control / Segregation of Duties Subrecipient Monitoring Significant Deficiency § 200.303
Responsible Contact Person(s): Steve Hanoka, Chief Information Security Officer Corrective Action Planned: This finding was marked as FOIA Exempt (FOIAE) and as a result, the State Comptroller has determined that the resulting corrective actions are FOIAE under §2.2-3705.2 (9.) of the Code of Virgin...
Responsible Contact Person(s): Steve Hanoka, Chief Information Security Officer Corrective Action Planned: This finding was marked as FOIA Exempt (FOIAE) and as a result, the State Comptroller has determined that the resulting corrective actions are FOIAE under §2.2-3705.2 (9.) of the Code of Virginia. Federal awarding agencies and pass-through entities, please see the Appendix titled “Applicable Management Contacts for Findings and Questioned Costs” to request the corrective action planned from the applicable entity. Estimated Completion Date: 4/1/2024
View Audit 295106
Finding 376165 (2023-085)
Significant Deficiency 2023
Commonwealth of Virginia
VA
Internal Control / Segregation of Duties Reporting Significant Deficiency § 200.303
Responsible Contact Person(s): Kevin Platea, Chief Information Officer Corrective Action Planned: DSS has 15 plus applications that are in active oversight; IT Business Administration is in receipt of the required SOC 2, Type 2 reports. However, additional requirements to capture the SOC 1, Type 2 ...
Responsible Contact Person(s): Kevin Platea, Chief Information Officer Corrective Action Planned: DSS has 15 plus applications that are in active oversight; IT Business Administration is in receipt of the required SOC 2, Type 2 reports. However, additional requirements to capture the SOC 1, Type 2 reports have not yet been accomplished. Several SOC reports were not captured by VITA and then provided to DSS for review. Additional requirements to capture SOC 1, Type 2 reports have been identified and VITA is requesting this information of the providers. Estimated Completion Date: 12/31/2024
View Audit 295106
Finding 376162 (2023-072)
Significant Deficiency 2023
Commonwealth of Virginia
VA
Subrecipient Monitoring Reporting Significant Deficiency § 200.303
Responsible Contact Person(s): Naveen Abraham, Chief Core Infrastructure Services Corrective Action Planned: Ensuring that infrastructure suppliers fulfill all contractual requirements with respect to Commonwealth security policies and standards necessitates a programmatic, continuous improvement ap...
Responsible Contact Person(s): Naveen Abraham, Chief Core Infrastructure Services Corrective Action Planned: Ensuring that infrastructure suppliers fulfill all contractual requirements with respect to Commonwealth security policies and standards necessitates a programmatic, continuous improvement approach. VITA has made improved cybersecurity a primary goal and major initiatives have completed and are underway. VITA has established a scoring mechanism, based on the Common Vulnerability Scoring System (CVSS), that delineates the necessary response based on the criticality of the vulnerability (critical, high, and medium). For vulnerabilities with a CVSS score of (critical and high), service level agreement (SLA) 1.1.3 is now in place to measure supplier performance and adjust supplier compensation accordingly through SLA credits and RCDs. For vulnerabilities below the critical and high score, in Q4 of 2023, suppliers started providing data in a quarterly report to the MSI and VITA. The new SLAs combined with the reports of vulnerabilities below the critical and high score are used to ensure suppliers’ contractual compliance. VITA’s data shows that patches for software on the enterprise software list are being applied on an ongoing basis. VITA will work with agencies and suppliers if there are any new technical difficulties or questions about patching. New tools are now available to agencies so that they can monitor and verify the remediation of the vulnerabilities for which infrastructure suppliers are responsible. Dashboards have also been provided to the suppliers so that they can review a shared and common vulnerability list. VITA and the suppliers monitor and review enterprise level logs and security events on behalf of customer agencies through the system dashboard and a 24x7 Security Operations Center. The dashboard is available for access by agencies as of Q4 2023. VITA will continue to monitor and improve the security of infrastructure services through ongoing governance, including the requirements of architecture documentation, system security plans, and audit reports. VITA’s infrastructure services group will work with the VITA security group to confirm that the current state achieves security standards compliance. Estimated Completion Date: 6/30/2024
View Audit 295106
Finding 376159 (2023-066)
Significant Deficiency 2023
Commonwealth of Virginia
VA
HUD Housing Programs Significant Deficiency Internal Control / Segregation of Duties § 200.303
Responsible Contact Person(s): Kevin Platea, Chief Information Officer Stephen Schleck, Associate Director of Enterprise Business Solutions Corrective Action Planned: A Change Request for the case management system was developed 2 years ago and DSS is reviewing the change request to determine a stat...
Responsible Contact Person(s): Kevin Platea, Chief Information Officer Stephen Schleck, Associate Director of Enterprise Business Solutions Corrective Action Planned: A Change Request for the case management system was developed 2 years ago and DSS is reviewing the change request to determine a status. It was agreed by Line of Business and ITS EBS & a vendor (the systems provider) that there will be an iterative approach to completing the record retention and purge rules for implementation in the case management system. Estimated Completion Date: 12/31/2024
View Audit 295106
Finding 376134 (2023-061)
Significant Deficiency 2023
Commonwealth of Virginia
VA
Significant Deficiency Internal Control / Segregation of Duties § 200.303
Responsible Contact Person(s): Diane Carnohan, Chief Information Security Officer Corrective Action Planned: This finding was marked as FOIA Exempt (FOIAE) and as a result, the State Comptroller has determined that the resulting corrective actions are FOIAE under §2.2-3705.2 (9.) of the Code of Virg...
Responsible Contact Person(s): Diane Carnohan, Chief Information Security Officer Corrective Action Planned: This finding was marked as FOIA Exempt (FOIAE) and as a result, the State Comptroller has determined that the resulting corrective actions are FOIAE under §2.2-3705.2 (9.) of the Code of Virginia. Federal awarding agencies and pass-through entities, please see the Appendix titled “Applicable Management Contacts for Findings and Questioned Costs” to request the corrective action planned from the applicable entity. Estimated Completion Date: 6/1/2024
View Audit 295106
Finding 376131 (2023-058)
Significant Deficiency 2023
Commonwealth of Virginia
VA
Significant Deficiency Internal Control / Segregation of Duties § 200.303
Responsible Contact Person(s): Kevin Platea, Chief Information Officer Corrective Action Planned: This finding was marked as FOIA Exempt (FOIAE) and as a result, the State Comptroller has determined that the resulting corrective actions are FOIAE under §2.2-3705.2 (9.) of the Code of Virginia. Fede...
Responsible Contact Person(s): Kevin Platea, Chief Information Officer Corrective Action Planned: This finding was marked as FOIA Exempt (FOIAE) and as a result, the State Comptroller has determined that the resulting corrective actions are FOIAE under §2.2-3705.2 (9.) of the Code of Virginia. Federal awarding agencies and pass-through entities, please see the Appendix titled “Applicable Management Contacts for Findings and Questioned Costs” to request the corrective action planned from the applicable entity. Estimated Completion Date: 12/31/2024
View Audit 295106
Finding 376128 (2023-056)
Significant Deficiency 2023
Commonwealth of Virginia
VA
Internal Control / Segregation of Duties Significant Deficiency § 200.303
Responsible Contact Person(s): Barry Davis, Chief Information Security Officer and Director of Information Security & Risk Management John Vosper, Information Technology Audit Manager Corrective Action Planned: DSS has contracted with a contractor to perform IT audits once every three years on an on...
Responsible Contact Person(s): Barry Davis, Chief Information Security Officer and Director of Information Security & Risk Management John Vosper, Information Technology Audit Manager Corrective Action Planned: DSS has contracted with a contractor to perform IT audits once every three years on an ongoing rotating basis. Estimated Completion Date: 12/31/2023
View Audit 295106
Finding 376123 (2023-051)
Significant Deficiency 2023
Commonwealth of Virginia
VA
Significant Deficiency Internal Control / Segregation of Duties § 200.303
Responsible Contact Person(s): David Clark, Information Security Officer Corrective Action Planned: The Information Security Unit has documented a process for the types of changes that trigger a security impact analysis (SIA) as well as a request form for a security impact review. Part of the SIA pr...
Responsible Contact Person(s): David Clark, Information Security Officer Corrective Action Planned: The Information Security Unit has documented a process for the types of changes that trigger a security impact analysis (SIA) as well as a request form for a security impact review. Part of the SIA process will be to determine if pre-implementation testing is required. The Information Security Unit will retain documentation in accordance with the Configuration Management Policy. Once the processes are further defined, the Information Security Unit will update the Configuration Management Policy & Procedures. Estimated Completion Date: 3/31/2024
View Audit 295106
Finding 376120 (2023-049)
Significant Deficiency 2023
Commonwealth of Virginia
VA
Significant Deficiency Internal Control / Segregation of Duties § 200.303
Responsible Contact Person(s): Kevin Platea, Chief Information Officer Corrective Action Planned: This finding was marked as FOIA Exempt (FOIAE) and as a result, the State Comptroller has determined that the resulting corrective actions are FOIAE under §2.2-3705.2 (9.) of the Code of Virginia. Fede...
Responsible Contact Person(s): Kevin Platea, Chief Information Officer Corrective Action Planned: This finding was marked as FOIA Exempt (FOIAE) and as a result, the State Comptroller has determined that the resulting corrective actions are FOIAE under §2.2-3705.2 (9.) of the Code of Virginia. Federal awarding agencies and pass-through entities, please see the Appendix titled “Applicable Management Contacts for Findings and Questioned Costs” to request the corrective action planned from the applicable entity. Estimated Completion Date: 6/30/2024
View Audit 295106
« 1 232 233 235 236 361 »