Corrective Action Plans

Browse how organizations respond to audit findings

Total CAPs in database: 56,575
Views of responsible Officials and Planned Corrective Action: The Organization will review the process of submitting reports and improve their data collection process to enable the reports to be submitted in a timely manner.
Due to a change in personnel the format and procedures for reporting were not followed during the period of the personnel vacancy. Going forward proper procedures will be followed to ensure accurate reporting and a plan will be put into place to continue these procedures even in the event of personnel vacancies.
We recognize the findings by FORVIS. Following a merger, the corporation closed its corporate credit card account and, as a result, did not have access to the receipts of the expenditures. We do acknowledge the expenditures of the organization were greater than the disbursement received by HRSA. In May of 2023 the corporation enrolled in a new corporate credit card system through our banking institute. This new system offers enhanced features, including automatic receipt retention for all transactions and a detailed audit trail for charge approvals. In the event of an account closure, we will have the convenient option to download receipts for all transactions. Radana Kollehner is the individual responsible for overseeing the corrective action plan. Her email address is RKOLLEHNER@FrontPorch.net and her contact phone number is 925-956-7366.
Sincerely, Eduardo Salvador, Chief Financial Officer
View Audit 307633 Questioned Costs: $1
Finding 399002 (2023-001)
Significant Deficiency 2023
Condition: The Company failed to abide by the regulatory agreement criteria by not maintaining a project operating account and depositing receipts for rents within the account.
Planned Corrective Action: The Corporation was not in compliance with regulatory agreement guidelines as of June 30, 2023, and management will follow HUD's guidelines in the future.
Contact person responsible for corrective action: Bob Stillman, CFO
Anticipated Completion Date: 10/31/2023
Going forward we will ensure federally funded items are designated as such and are tracked separately. The District does not concur with the finding or questioned costs. SAO reviewed various types of documentation and chose not to accept any documentation presented by the District to even consider reducing questioned costs. The standard of documentation required by SAO to satisfy “unmet” need in would have been hard to meet even if the District hadn’t been in the midst of a pandemic. The District has internal controls over asset inventory and provided equipment only to students and staff with unmet needs, and all costs were allowable, reasonable and necessary. We look forward to working with the FCC to resolve this finding and we appreciate the guidance that was provided by the FCC.
View Audit 307598 Questioned Costs: $1
Coronavirus State and Local Fiscal Recovery Funds – Assistance Listing
Recommendation: Evaluation of the current monthly and year-end closing process to ensure procedures are in place to result in accurate and complete financial reporting in a timely manner.
Explanation of disagreement with audit finding: There is no disagreement with the audit finding.
Action taken in response to finding: New processes have been implemented that include proper approval and review of all accounting transactions.
Name of the contact person responsible for corrective action: Brian Daskalovitz, CDFI Senior Finance Director
Planned completion date for corrective action plan: December 2024
2023-001 – Communications with Subrecipients
Finding Type: Significant Deficiency in internal control over compliance / noncompliance
Program: ALN 93.959 – COVID-19 – ARPA Prevention; ALN 93.959 – SAPT Block Grant - Prevention; ALN 93.959 – COVID-19 - Prevention
Criteria: As required by 2 CFR 200.332, the pass-through entity must communicate specific information to subrecipients, as applicable.
Condition: Contracts with subrecipients did not include portions of required disclosures.
Cause/Effect: Inadequate internal controls over compliance. Select contracts were not in compliance with 2 CFR 200.332.
Questioned Cost: None.
Recommendation: We recommend that the PIHP update all contracts with subrecipients to include required language.
View of Responsible Official: Management is in agreement with this recommendation.
Planned corrective action: FY2024 contracts with subrecipients have been updated with all the required language.
Responsible party: Chief Financial Officer
Anticipated completion date: September 30, 2024
The National Trail Local School District will be updating the School District’s inventory system to properly account for all property and equipment purchased using federal funds.
As communicated in the District’s response to the prior audit finding, the District does not concur with the SAO’s interpretation of unmet need in the 2021-2022 audit nor does it concur with the same finding for the audit of the 2022-2023 fiscal year. We believe all Chromebook purchases were allowable and devices were only provided to those with an unmet need. We concur with SAO that we did not retain adequate documentation indicating which staff and students received hotspots and appreciate that SAO noted that there was an urgent need to distribute hotspot internet services to students in order that they could participate in remote learning, and that this urgency and extenuating circumstances resulted in this situation. We recognize there was an error associated with vendor credits in the amount of $2,751.10 but did not claim reimbursement for the other credits totaling $8,898.90 as indicated in the audit finding. We will work to improve our process regarding credits on future invoices. The District will continue to work with the FCC to resolve this finding.
View Audit 307577 Questioned Costs: $1
Procurement
Recommendation: We recommend that the Organization follow the current policies and procedures over covered transactions and to maintain supporting documentation of the process.
Explanation of disagreement with audit finding: There is no disagreement with the audit finding.
Action taken in response to finding: The Society has reviewed the procurement policy with staff, emphasized the importance of following, and will ensure that adequate documentation is retained.
Name(s) of the contact person(s) responsible for corrective action: Kelly Moritz, Vice President of Finance and Contracts
Planned completion date for corrective action plan: December 31, 2024
Grant Reimbursement Requests (Indirect Costs and Cash Management)
Recommendation: We recommend that the Organization follow the current policies and procedures over grant reimbursement transactions to maintain documentation supporting the request. This should include all supporting documentation and back-up, and preparer and reviewer sign-offs and dates.
Explanation of disagreement with audit finding: There is no disagreement with the audit finding.
Action taken in response to finding: The Society was short of trained billing staff due to employee leave and has provided training to additional back-up staff for future use.
Name(s) of the contact person(s) responsible for corrective action: Kelly Moritz, Vice President of Finance and Contracts
Planned completion date for corrective action plan: December 31, 2024
In order to address this audit finding, CMN financial aid staff plans to seek continual improvement in the areas relating to Return of Title IV funds calculations. Through both Federal Student Aid and National Association of Financial Aid Administrators (NASFAA), staff will complete trainings to understand calculation and timing of returns. It should also be noted that in the current award year, CMN has moved to a model where attendance taking is not required, so staff is working with faculty and students to ensure timely notification of withdrawal and reviewing final grades at the end of the term in order to ensure all students needing a R2T4 calculation have one performed.
In order to address this audit finding, CMN financial aid staff plans to seek continual improvement in the areas relating to Pell calculations. Through both Federal Student Aid and National Association of Financial Aid Administrators (NASFAA), staff will complete trainings to understand all aspects of calculating awards, as well as staying up to date on regulatory changes through our student information system. In addition to more training in this area, priority will be placed on rechecking and auditing Pell awards so that they are reviewed during the award year. Staff has already begun reviewing fall 2023 Pell awards for accuracy and will continue to review awards as terms move forward.
Personnel Responsible for Corrective Action: Compliance with federal standards regarding key personnel change on federal grants will be supervised by COO, Tracie Thomas and coordinated by Grants Specialist, Westen Gehring
Anticipated Completion Date: Policies and procedures will be implemented by the end of this fiscal year and reflected in the FY2024 audit.
Corrective Action Plan: To ensure that key personnel changes on federal awards are in compliance with 2 CFR Section 200.308(c)(2) and (3), The Land Institute will draft and submit a request on letterhead to the pass-through entity for award 2020-68012-31934 specifying the cause for the disengagement of Rachel Stroer. Moving forward, all key personnel changes will be communicated beforehand for approval from the pass-through entity or awarding agency.
Personnel Responsible for Corrective Action: Policies and procedures will be supervised by Senior Accounting Specialist, Laura Froese, Facilities Operations Manager, Tiffany Durr, Grants Specialist, Westen Gehring
Anticipated Completion Date: Equipment inventory listing of federally covered purchases will be completed by July 1, 2024 and reflected in the 2024 audit. Integration into Limble will start this fiscal year, but full installation of the new system has an anticipated completion date of January 1, 2025.
Corrective Action Plan: The Land Institute will review grant expenses in the previous years and cross reference with existing equipment inventory to create a complete listing of equipment purchased with federal funds. Documentation demonstrating proper equipment procurement practices will be housed in the federal award folders for the grant covering the purchase cost. Additionally, The Land Institute is currently modernizing equipment tracking and inventory practices using Limble and will ensure that federal procurement tracking in compliance with uniform guidance standards is included in this practice. TLI purchased Limble on 10/20/2023 after a competitive review of similar CMMS’s (Computerized Maintenance Management Systems). Setup of the system will be completed by June 30, 2024. Beginning July 1, 2024 TLI will start implementation and training of new system with full adoption of the system tentatively planned for January 1, 2025.
Personnel Responsible for Corrective Action: Policies and procedures will be supervised by COO, Tracie Thomas, Facilities Operations Manager, Tiffany Durr, Senior Accounting Specialist, Laura Froese, and Grants Specialist, Westen Gehring
Anticipated Completion Date: Policies and procedures will be reviewed, drafted, and implemented by May 30, 2024 and reflected in the 2024 audit.
Corrective Action Plan: To ensure compliance with federal procurement standards, by 05/30/2024 The Land Institute will develop more robust policies and procedures for tracking purchases in accordance with uniform guidance standards for formal federal procurement and noncompetitive procurement of equipment with federal funds. Updated policies will apply to micro-purchases above the threshold of $10,000 and will include requirement of documentation demonstrating that TLI checked the vendor’s status to ensure they were not suspended or debarred. A sole source justification form will be drafted and made available upon request for purchases where noncompetitive procurement was deemed necessary. These changes will be reflected in an updated procurement policy document as well as the development of a sole source justification template.
Finding 2023-003
Corrective Action Plan
The College acknowledges that there are unspent funds in this subprogram as of August 31, 2023. The College will return these unspent funds to the U.S. Department of Education before the close of the program’s fiscal quarter. The College’s management notes that these Federal programs have expired and does not anticipate further funding related to the Education Stabilization Fund.
Anticipated Completion Date
The College anticipates completion of this corrective action on or before July 10, 2024.
Name of Contact Person Responsible for Corrective Action
Thomas R. Cipriano, Jr. – Manager of Business Operations and Facilities
Finding 398931 (2023-002)
Significant Deficiency 2023
Finding 2023-002
Corrective Action Plan
The College acknowledges that funds withdrawn for these subprograms were not disbursed in a timely manner. The College notes that although the funds were disbursed after the period required by the program (within 3 days of withdrawal for non-student aid expenses), the expenses paid were allowable under the guidance of the program. The College’s staff and management developed a checklist in response to Finding 2022-005 from the prior year to ensure that reporting, filing, and disbursement requirements for all grants will be met. The College’s management notes that these Federal programs have expired and does not anticipate further funding related to the Education Stabilization Fund.
Anticipated Completion Date
The College anticipates completion of this corrective action on or before August 31, 2024.
Name of Contact People Responsible for Corrective Action
Thomas R. Cipriano, Jr. – Manager of Business Operations and Facilities
Ross Holgado – Manager of Financial Reporting
Finding 2023-001
Corrective Action Plan
The College was posting quarterly forms based on its financial records to its website. However, the current platform that the College utilizes does not provide an activity log to show that these reports were posted in a timely manner. The College’s staff and management developed a checklist in response to Finding 2022-002 from the prior year to ensure that reporting, filing, and disbursement requirements for all grants will be met. The College’s management notes that the reports were filed with the U.S. Department of Education on time and were subsequently accepted. The College’s management further notes that these Federal programs have expired and does not anticipate further funding related to the Education Stabilization Fund.
Anticipated Completion Date
The College anticipates completion of this corrective action on or before August 31, 2024.
Name of Contact People Responsible for Corrective Action
Thomas R. Cipriano, Jr. – Manager of Business Operations and Facilities
Ross Holgado – Manager of Financial Reporting
SEE RESPONSE AND CORRECTIVE ACTION PLAN AT 2023-001
During the year, the Board utilized an approved procurement method for these services.
During the year, the Board utilized an approved procurement method for these services.
Finding 398920 (2023-002)
Significant Deficiency 2023
Date: May 28, 2024
Cognizant or Oversight Agency: U.S. Department of the Treasury
Public Counsel respectfully submits the following corrective action plan for the year ended August 31, 2023.
Name and address of independent public accounting firm: Armanino, LLP 11766 Wilshire Blvd. 9th Floor Los Angeles, CA 90025
Audit period: August 31, 2023
The finding from the August 31, 2023 schedule of findings and questioned costs is discussed below. The finding is numbered consistently with the number assigned in the schedule.
FINDINGS-FINANCIAL STATEMENT AUDIT
SIGNIFICANT DEFICIENCY 2023-002
The Uniform Guidance Cost principles require consistency in treatment of costs and, specifically, that compensation costs be consistent. In addition, the Uniform Guidance requires that there be a system of internal control which provides reasonable assurance that the charges are accurate, allowable and properly allocated and conform to the established accounting policies and practices of the Organization.
Recommendation: Management should ensure that new processes reflect all compliance requirements, including the ability to produce evidence of the execution of relevant controls.
Action Taken: We agree with the auditors' recommendations, and we have and will be taking the following actions within the current fiscal year:
We have updated the payroll allocation methodology to ensure that we are making allocations for employees on a fully pro rata basis and that there is a validation process to ensure that 100% of an employee's time is appropriately allocated across Federal and non-Federal funding sources. The supporting documentation is saved in our shared network folders and attached to the journal entries within our financial system. For any future process or system changes, we will ensure that we have thoroughly assessed the impact of any change before we implement it and vet it through our internal grant compliance team.
We have already made changes to involve our Legal Data Manager to implement a reporting process to ensure that we have complete timeslips that reflect both employee and supervisor approvals for every pay period. We will maintain this approach in Legal Server, the Organization's case management and timekeeping system, and will attach these timeslips as support for each of our allocation entries.
We will continue to assess our procedures and internal controls relevant to our Federal funding to ensure compliance with the requirements of Uniform Guidance. We will do a thorough review of our internal control system and update it as necessary to align with best practices as recipients of Federal funding.
The Finance team will actively seek training related to Uniform Guidance and other Federal rules and requirements. We will share and discuss this information across departments to maintain organization-wide compliance.
Name of responsible person: Steven Godoy, VP, Finance & CFO
Anticipated completion date: August 31, 2024
If the U.S. Department of Treasury has questions regarding this plan, please call Steven Godoy, VP, Finance & CFO at (213) 393-1055.
Sincerely yours, Steven Godoy, VP, Finance & CFO
Special Tests and Provisions: Return of Title IV funds for withdrawn students (Repeat finding 2021-004, 2020-002, 2019-003, 2018-005, 2017-004, 2016-003, 2015-004, 2014-011)
Name of contact person responsible for corrective action plan: Rhett R. Vertrees, Assistant Chief Financial Officer
2601 Enterprise Road, Reno NV 89512-1666
Phone: (775)784-3409, Fax: (775)784-1127
Email: rvertrees@nshe.nevada.edu
Responses
CSN agrees with the findings.
• Detailed corrective action taken, including what will be done to avoid the identified issues in the future, and when these measures will be in place;
CSN has started to select additional team members to cross train with seasoned R2T4 team members on the processing of R2T4 files. This will ensure that files are processed in a timely manner and meet compliance requirements. Additionally, training opportunities will be assessed and offered to the team members who are processing R2T4 records on an ongoing basis. Additionally, CSN is currently assessing a potential 3rd party vendor to assist with the processing of R2T4s as needed on an ongoing basis.
• How compliance and performance will be measured and documented for future audit, management and performance review.
Cross training and workshop opportunities will be provided to ensure knowledge and compliance for the R2T4 team and any staff member assisting with processing of R2T4 records. Queries will be utilized to track R2T4 files to ensure timely processing.
• Who will be responsible and may be held accountable in the future if repeat or similar observations are noted.
The Assistant Director of Financial Aid will be responsible and may be held accountable.
Internal Control over Compliance (Repeat Finding 2022-001, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002, 2015-002, 2014-008)
Name of contact person responsible for corrective action plan: Rhett R. Vertrees, Assistant Chief Financial Officer
2601 Enterprise Road, Reno NV 89512-1666
Phone: (775)784-3409, Fax: (775)784-1127
Email: rvertrees@nshe.nevada.edu
Responses
UNR agrees with the findings
• Detailed corrective action taken, including what will be done to avoid the identified issues in the future, and when these measures will be in place;
The technical staff can only have the PeopleSoft Administrator (PSA) role in either development or production, but not both. There is an approval process in place to ensure that access is removed from either development or production when a PSA needs to be moved across to the other environment. This process became effective March 1, 2023.
There is a quarterly security review of the PeopleSoft Administrator role in PeopleSoft. The first quarterly review was performed in FY16 Q1 and has been performed each quarter since. The reviews are documented and approved.
There is a quarterly security review of the PeopleSoft Administrator activities in PeopleSoft. The first quarterly review was performed in FY22 Q4 and has been performed each quarter since. The reviews are documented and approved.
There is a quarterly security review of the PeopleSoft Oracle database and user access. The first quarterly review was performed in FY20 Q2 and has been performed each quarter since. The reviews are documented and approved.
• How compliance and performance will be measured and documented for future audit, management and performance review.
Compliance and performance can be measured by the documented quarterly reviews.
• Who will be responsible and may be held accountable in the future if repeat or similar observations are noted.
The PeopleSoft Manager will be responsible for ensuring the corrective action plans are implemented and followed. The Vice President of Information Technology will be accountable for the department’s compliance.
UNLV agrees with the finding.
• Detailed corrective action taken, including what will be done to avoid the identified issues in the future, and when these measures will be in place;
UNLV understands the importance of adequate segregation of duties within the PeopleSoft environments and applications. The PeopleSoft Administrator (PSA) position that is the subject of the finding is responsible for the installation, configuration, upgrades, and troubleshooting of all the application environments. The PeopleSoft Administrators are not programmers/developers, and their access to the production environments is periodically required to perform the needed activities required to provide timely support of the application within the scope of their job duties. UNLV has implemented the following controls to mitigate the risks associated with the elevated access required for the administrators to perform their required support activities.
1. UNLV has removed all persistent assignment of the PeopleSoft Administrator role from all PSAs in all environments.
2. The PeopleSoft Administrator role is temporarily assigned only when elevated actions are required. All assignments are of a limited duration and include a justification detailing the need and actions to be performed. All assignments trigger the following actions:
a. An immediate notification to the Director of Business Continuity & Resiliency and the Interim Senior Associate Vice Provost for Digital Strategy and Transformation.
b. Removal is automatic but can be initiated by PSA if work is completed sooner than expected.
c. All details around the assignment are captured in a tracking table.
d. A review of all assignments and activities is performed monthly.
3. UNLV will continue to review access, activities, and assigned privileges monthly for the PeopleSoft Administrators.
4. UNLV will continue researching and implementing other control methods that may strengthen the segregation of duties or the monitoring capabilities that are available.
• How compliance and performance will be measured and documented for future audit, management and performance review.
The PeopleSoft Administrator role is no longer persistently assigned to the PSA position. It is only assigned upon request with the knowledge and approval of approving authorities. UNLV performs monthly reviews of the access and activities to determine if the PeopleSoft Administrators' activities align with the necessary support. Additionally, UNLV will continue to research other control methods that will address the segregation of duties while providing appropriate service and support.
• Who will be responsible and may be held accountable in the future if repeat or similar observations are noted.
The Director of Business Continuity & Resiliency will be responsible for performing the activity reviews and access needs of the PeopleSoft Administrators. The Director will complete the reviews and is also accountable if repeat or similar observations are noted. The Chief Information Security Officer will verify that reviews are conducted on a monthly basis per audit practices.
SCS agrees with the findings
• Detailed corrective action taken, including what will be done to avoid the identified issues in the future, and when these measures will be in place;
In addition to the compensating controls (a) to (d), that have been operating since prior to FY23 the segregation of PeopleSoft Administrators (PSA) is enforced through a “locked account” process. Only two employees have PSA access in both the Production and Development environment. Each employee can only have access to the Production or Development environment at any one time, i.e., the PSA account in the other environment remains locked. A JIRA ticket must be opened for an account to be unlocked. The request is approved by management and the account is unlocked by a member of the IT Security Team. The controls listed below should also mitigate the segregation of duties risk and support a review of “user activities” in the absence of an appropriate user activities audit log function.
(a) STAT for PeopleSoft – Code control and internal modification tracking provides visibility over PSA activities that are processed via this tool. These object changes are reviewed and approved by the Director of Information and Application Services.
(b) JIRA - Change control management and project tracking software. Change requests and projects related to the PeopleSoft shared instance are tracked and approved. This would include user access modifications and system updates for example.
(c) Security e-mail alerts – The SCS security team are alerted via automated e-mails when key events are triggered. For example, an elevated role is assigned to a user.
(d) User Access Reviews – On an annual basis an independent user access review is performed incorporating SCS/SA privileged users and all shared instance security coordinators.
• How compliance and performance will be measured and documented for future audit, management and performance review.
The PeopleSoft Administrators will have persistent unlocked access to either the Production or Development environments only. Their corresponding account in the other environment will remain locked. In the event that access is needed to the locked environment, a ticket will be created requesting access which will document the rationale and approvals. In addition, PSA activities are monitored via the change control process through STAT for PeopleSoft. Object changes within the Production environment for example, are approved along with the associated workflows.
• Who will be responsible and may be held accountable in the future if repeat or similar observations are noted.
The SCS Director of Information and Application Services, and SCS Security Group are responsible for locking/unlocking PSA accounts. The SCS Security Group monitor PeopleSoft e-mail alerts. The IT Audit Manager is performing annual SCS/SA privileged user access reviews.