FINDING 2024-002 Subject: Child Nutrition Cluster - Procurement and Suspension and Debarment Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program, Summer Food Service Program for Children Assistance Listings Numbers: 10.553, 10.555, 10.559 Federal Award Numbers and Years (or Other Identifying Numbers): FY2023, FY2024, FY23/FY24 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Findings: Material Weakness, Modified Opinion Repeat Finding This is a repeat finding from the immediately prior audit report. The prior audit finding number was 2022-003. Condition and Context An effective internal control system, which would include segregation of duties, was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the Procurement and Suspension and Debarment compliance requirement. INDIANA STATE BOARD OF ACCOUNTS 17 SOUTH VERMILLION COMMUNITY SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Procurement Federal regulations allow for informal procurement methods when the value of the procurement for property or services does not exceed the simplified acquisition threshold, which is set at $150,000. This informal process allows for methods other than the formal bid process. The informal process is divided between two methods based on thresholds: Micro-purchases, typically for those purchases of $10,000 or under, and small purchase procedures for those purchases above the micro-purchases threshold but below the simplified acquisition threshold. Micro-purchases may be awarded without soliciting competitive price rate quotations. If small purchase procedures are used, then price or rate quotations must be obtained from an adequate number of qualified sources. There were no internal controls in place to ensure that the School Corporation complied with the small purchase requirements. The School Corporation obtained quotes for the two vendors that qualified for the small purchase threshold, but there was no review or oversight process performed. Suspension and Debarment There were no internal controls in place to ensure that the School Corporation complied with the suspension and debarment requirements. The School Corporation did not verify that the two vendors were not suspended or debarred. They did not have a contract with the vendors that included the suspension and debarment clause, did not collect a certification from the vendors, and did not check the Sam.gov website to verify that vendors were not suspended or debarred. The lack of internal controls and noncompliance were systemic throughout the audit period. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.318(i) states: "The non-Federal entity must maintain records sufficient to detail the history of procurement. These records will include, but are not necessarily limited to, the following: Rationale for the method of procurement, selection of contract type, contractor selection or rejection, and the basis for the contract price." INDIANA STATE BOARD OF ACCOUNTS 18 SOUTH VERMILLION COMMUNITY SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) 2 CFR 200.320 states in part: "The non-Federal entity must have and use documented procurement procedures, consistent with the standards of this section and §§ 200.317, 200.318, and 200.319 for any of the following methods of procurement used for the acquisition of property or services required under a Federal award or sub-award. (a) Informal procurement methods. When the value of the procurement for property or services under a Federal award does not exceed the simplified acquisition threshold (SAT), as defined in § 200.1, or a lower threshold established by a non-Federal entity, formal procurement methods are not required. The non-Federal entity may use informal procurement methods to expedite the completion of its transactions and minimize the associated administrative burden and cost. The informal methods used for procurement of property or services at or below the SAT include: . . . (2) Small purchases — (i) Small purchase procedures. The acquisition of property or services, the aggregate dollar amount of which is higher than the micro-purchase threshold but does not exceed the simplified acquisition threshold. If small purchase procedures are used, price or rate quotations must be obtained from an adequate number of qualified sources as determined appropriate by the non-Federal entity. . . ." 2 CFR 180.300 states: "When you enter into a covered transaction with another person at the next lower tier, you must verify that the person with whom you intend to do business is not excluded or disqualified. You do this by: (a) Checking the SAM.gov Exclusions, or (b) Collecting a certification from that person, or (c) Adding a clause or condition to the covered transaction with that person." Cause Management had not developed or implemented a system of internal controls that would have ensured compliance with the grant agreement and the Procurement and Suspension and Debarment compliance requirement. The School Corporation obtained quotes for the two vendors that qualified for the small purchase threshold, but there was not a review or oversight performed. The School Corporation was unaware of the requirement to provide documentation to show that a verification was done to determine that the two vendors were not suspended or debarred. Effect Without the proper implementation of an effectively designed system of internal controls, the School Corporation could have used a vendor that charged more than the lowest quote for small purchases or could have entered into transaction with vendors that were excluded from participating in federal transactions. Noncompliance with the grant agreement and the Procurement and Suspension and Debarment compliance requirement could result in the loss of future federal funds to the School Corporation. INDIANA STATE BOARD OF ACCOUNTS 19 SOUTH VERMILLION COMMUNITY SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Questioned Costs There were no questioned costs identified. Recommendation We recommended that the School Corporation's management establish a system of internal controls to ensure compliance with the grant agreement and the Procurement and Suspension and Debarment compliance requirement. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2024-002 Subject: Child Nutrition Cluster - Procurement and Suspension and Debarment Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program, Summer Food Service Program for Children Assistance Listings Numbers: 10.553, 10.555, 10.559 Federal Award Numbers and Years (or Other Identifying Numbers): FY2023, FY2024, FY23/FY24 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Findings: Material Weakness, Modified Opinion Repeat Finding This is a repeat finding from the immediately prior audit report. The prior audit finding number was 2022-003. Condition and Context An effective internal control system, which would include segregation of duties, was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the Procurement and Suspension and Debarment compliance requirement. INDIANA STATE BOARD OF ACCOUNTS 17 SOUTH VERMILLION COMMUNITY SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Procurement Federal regulations allow for informal procurement methods when the value of the procurement for property or services does not exceed the simplified acquisition threshold, which is set at $150,000. This informal process allows for methods other than the formal bid process. The informal process is divided between two methods based on thresholds: Micro-purchases, typically for those purchases of $10,000 or under, and small purchase procedures for those purchases above the micro-purchases threshold but below the simplified acquisition threshold. Micro-purchases may be awarded without soliciting competitive price rate quotations. If small purchase procedures are used, then price or rate quotations must be obtained from an adequate number of qualified sources. There were no internal controls in place to ensure that the School Corporation complied with the small purchase requirements. The School Corporation obtained quotes for the two vendors that qualified for the small purchase threshold, but there was no review or oversight process performed. Suspension and Debarment There were no internal controls in place to ensure that the School Corporation complied with the suspension and debarment requirements. The School Corporation did not verify that the two vendors were not suspended or debarred. They did not have a contract with the vendors that included the suspension and debarment clause, did not collect a certification from the vendors, and did not check the Sam.gov website to verify that vendors were not suspended or debarred. The lack of internal controls and noncompliance were systemic throughout the audit period. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.318(i) states: "The non-Federal entity must maintain records sufficient to detail the history of procurement. These records will include, but are not necessarily limited to, the following: Rationale for the method of procurement, selection of contract type, contractor selection or rejection, and the basis for the contract price." INDIANA STATE BOARD OF ACCOUNTS 18 SOUTH VERMILLION COMMUNITY SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) 2 CFR 200.320 states in part: "The non-Federal entity must have and use documented procurement procedures, consistent with the standards of this section and §§ 200.317, 200.318, and 200.319 for any of the following methods of procurement used for the acquisition of property or services required under a Federal award or sub-award. (a) Informal procurement methods. When the value of the procurement for property or services under a Federal award does not exceed the simplified acquisition threshold (SAT), as defined in § 200.1, or a lower threshold established by a non-Federal entity, formal procurement methods are not required. The non-Federal entity may use informal procurement methods to expedite the completion of its transactions and minimize the associated administrative burden and cost. The informal methods used for procurement of property or services at or below the SAT include: . . . (2) Small purchases — (i) Small purchase procedures. The acquisition of property or services, the aggregate dollar amount of which is higher than the micro-purchase threshold but does not exceed the simplified acquisition threshold. If small purchase procedures are used, price or rate quotations must be obtained from an adequate number of qualified sources as determined appropriate by the non-Federal entity. . . ." 2 CFR 180.300 states: "When you enter into a covered transaction with another person at the next lower tier, you must verify that the person with whom you intend to do business is not excluded or disqualified. You do this by: (a) Checking the SAM.gov Exclusions, or (b) Collecting a certification from that person, or (c) Adding a clause or condition to the covered transaction with that person." Cause Management had not developed or implemented a system of internal controls that would have ensured compliance with the grant agreement and the Procurement and Suspension and Debarment compliance requirement. The School Corporation obtained quotes for the two vendors that qualified for the small purchase threshold, but there was not a review or oversight performed. The School Corporation was unaware of the requirement to provide documentation to show that a verification was done to determine that the two vendors were not suspended or debarred. Effect Without the proper implementation of an effectively designed system of internal controls, the School Corporation could have used a vendor that charged more than the lowest quote for small purchases or could have entered into transaction with vendors that were excluded from participating in federal transactions. Noncompliance with the grant agreement and the Procurement and Suspension and Debarment compliance requirement could result in the loss of future federal funds to the School Corporation. INDIANA STATE BOARD OF ACCOUNTS 19 SOUTH VERMILLION COMMUNITY SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Questioned Costs There were no questioned costs identified. Recommendation We recommended that the School Corporation's management establish a system of internal controls to ensure compliance with the grant agreement and the Procurement and Suspension and Debarment compliance requirement. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2024-002 Subject: Child Nutrition Cluster - Procurement and Suspension and Debarment Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program, Summer Food Service Program for Children Assistance Listings Numbers: 10.553, 10.555, 10.559 Federal Award Numbers and Years (or Other Identifying Numbers): FY2023, FY2024, FY23/FY24 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Findings: Material Weakness, Modified Opinion Repeat Finding This is a repeat finding from the immediately prior audit report. The prior audit finding number was 2022-003. Condition and Context An effective internal control system, which would include segregation of duties, was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the Procurement and Suspension and Debarment compliance requirement. INDIANA STATE BOARD OF ACCOUNTS 17 SOUTH VERMILLION COMMUNITY SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Procurement Federal regulations allow for informal procurement methods when the value of the procurement for property or services does not exceed the simplified acquisition threshold, which is set at $150,000. This informal process allows for methods other than the formal bid process. The informal process is divided between two methods based on thresholds: Micro-purchases, typically for those purchases of $10,000 or under, and small purchase procedures for those purchases above the micro-purchases threshold but below the simplified acquisition threshold. Micro-purchases may be awarded without soliciting competitive price rate quotations. If small purchase procedures are used, then price or rate quotations must be obtained from an adequate number of qualified sources. There were no internal controls in place to ensure that the School Corporation complied with the small purchase requirements. The School Corporation obtained quotes for the two vendors that qualified for the small purchase threshold, but there was no review or oversight process performed. Suspension and Debarment There were no internal controls in place to ensure that the School Corporation complied with the suspension and debarment requirements. The School Corporation did not verify that the two vendors were not suspended or debarred. They did not have a contract with the vendors that included the suspension and debarment clause, did not collect a certification from the vendors, and did not check the Sam.gov website to verify that vendors were not suspended or debarred. The lack of internal controls and noncompliance were systemic throughout the audit period. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.318(i) states: "The non-Federal entity must maintain records sufficient to detail the history of procurement. These records will include, but are not necessarily limited to, the following: Rationale for the method of procurement, selection of contract type, contractor selection or rejection, and the basis for the contract price." INDIANA STATE BOARD OF ACCOUNTS 18 SOUTH VERMILLION COMMUNITY SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) 2 CFR 200.320 states in part: "The non-Federal entity must have and use documented procurement procedures, consistent with the standards of this section and §§ 200.317, 200.318, and 200.319 for any of the following methods of procurement used for the acquisition of property or services required under a Federal award or sub-award. (a) Informal procurement methods. When the value of the procurement for property or services under a Federal award does not exceed the simplified acquisition threshold (SAT), as defined in § 200.1, or a lower threshold established by a non-Federal entity, formal procurement methods are not required. The non-Federal entity may use informal procurement methods to expedite the completion of its transactions and minimize the associated administrative burden and cost. The informal methods used for procurement of property or services at or below the SAT include: . . . (2) Small purchases — (i) Small purchase procedures. The acquisition of property or services, the aggregate dollar amount of which is higher than the micro-purchase threshold but does not exceed the simplified acquisition threshold. If small purchase procedures are used, price or rate quotations must be obtained from an adequate number of qualified sources as determined appropriate by the non-Federal entity. . . ." 2 CFR 180.300 states: "When you enter into a covered transaction with another person at the next lower tier, you must verify that the person with whom you intend to do business is not excluded or disqualified. You do this by: (a) Checking the SAM.gov Exclusions, or (b) Collecting a certification from that person, or (c) Adding a clause or condition to the covered transaction with that person." Cause Management had not developed or implemented a system of internal controls that would have ensured compliance with the grant agreement and the Procurement and Suspension and Debarment compliance requirement. The School Corporation obtained quotes for the two vendors that qualified for the small purchase threshold, but there was not a review or oversight performed. The School Corporation was unaware of the requirement to provide documentation to show that a verification was done to determine that the two vendors were not suspended or debarred. Effect Without the proper implementation of an effectively designed system of internal controls, the School Corporation could have used a vendor that charged more than the lowest quote for small purchases or could have entered into transaction with vendors that were excluded from participating in federal transactions. Noncompliance with the grant agreement and the Procurement and Suspension and Debarment compliance requirement could result in the loss of future federal funds to the School Corporation. INDIANA STATE BOARD OF ACCOUNTS 19 SOUTH VERMILLION COMMUNITY SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Questioned Costs There were no questioned costs identified. Recommendation We recommended that the School Corporation's management establish a system of internal controls to ensure compliance with the grant agreement and the Procurement and Suspension and Debarment compliance requirement. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2024-002 Subject: Child Nutrition Cluster - Procurement and Suspension and Debarment Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program, Summer Food Service Program for Children Assistance Listings Numbers: 10.553, 10.555, 10.559 Federal Award Numbers and Years (or Other Identifying Numbers): FY2023, FY2024, FY23/FY24 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Findings: Material Weakness, Modified Opinion Repeat Finding This is a repeat finding from the immediately prior audit report. The prior audit finding number was 2022-003. Condition and Context An effective internal control system, which would include segregation of duties, was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the Procurement and Suspension and Debarment compliance requirement. INDIANA STATE BOARD OF ACCOUNTS 17 SOUTH VERMILLION COMMUNITY SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Procurement Federal regulations allow for informal procurement methods when the value of the procurement for property or services does not exceed the simplified acquisition threshold, which is set at $150,000. This informal process allows for methods other than the formal bid process. The informal process is divided between two methods based on thresholds: Micro-purchases, typically for those purchases of $10,000 or under, and small purchase procedures for those purchases above the micro-purchases threshold but below the simplified acquisition threshold. Micro-purchases may be awarded without soliciting competitive price rate quotations. If small purchase procedures are used, then price or rate quotations must be obtained from an adequate number of qualified sources. There were no internal controls in place to ensure that the School Corporation complied with the small purchase requirements. The School Corporation obtained quotes for the two vendors that qualified for the small purchase threshold, but there was no review or oversight process performed. Suspension and Debarment There were no internal controls in place to ensure that the School Corporation complied with the suspension and debarment requirements. The School Corporation did not verify that the two vendors were not suspended or debarred. They did not have a contract with the vendors that included the suspension and debarment clause, did not collect a certification from the vendors, and did not check the Sam.gov website to verify that vendors were not suspended or debarred. The lack of internal controls and noncompliance were systemic throughout the audit period. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.318(i) states: "The non-Federal entity must maintain records sufficient to detail the history of procurement. These records will include, but are not necessarily limited to, the following: Rationale for the method of procurement, selection of contract type, contractor selection or rejection, and the basis for the contract price." INDIANA STATE BOARD OF ACCOUNTS 18 SOUTH VERMILLION COMMUNITY SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) 2 CFR 200.320 states in part: "The non-Federal entity must have and use documented procurement procedures, consistent with the standards of this section and §§ 200.317, 200.318, and 200.319 for any of the following methods of procurement used for the acquisition of property or services required under a Federal award or sub-award. (a) Informal procurement methods. When the value of the procurement for property or services under a Federal award does not exceed the simplified acquisition threshold (SAT), as defined in § 200.1, or a lower threshold established by a non-Federal entity, formal procurement methods are not required. The non-Federal entity may use informal procurement methods to expedite the completion of its transactions and minimize the associated administrative burden and cost. The informal methods used for procurement of property or services at or below the SAT include: . . . (2) Small purchases — (i) Small purchase procedures. The acquisition of property or services, the aggregate dollar amount of which is higher than the micro-purchase threshold but does not exceed the simplified acquisition threshold. If small purchase procedures are used, price or rate quotations must be obtained from an adequate number of qualified sources as determined appropriate by the non-Federal entity. . . ." 2 CFR 180.300 states: "When you enter into a covered transaction with another person at the next lower tier, you must verify that the person with whom you intend to do business is not excluded or disqualified. You do this by: (a) Checking the SAM.gov Exclusions, or (b) Collecting a certification from that person, or (c) Adding a clause or condition to the covered transaction with that person." Cause Management had not developed or implemented a system of internal controls that would have ensured compliance with the grant agreement and the Procurement and Suspension and Debarment compliance requirement. The School Corporation obtained quotes for the two vendors that qualified for the small purchase threshold, but there was not a review or oversight performed. The School Corporation was unaware of the requirement to provide documentation to show that a verification was done to determine that the two vendors were not suspended or debarred. Effect Without the proper implementation of an effectively designed system of internal controls, the School Corporation could have used a vendor that charged more than the lowest quote for small purchases or could have entered into transaction with vendors that were excluded from participating in federal transactions. Noncompliance with the grant agreement and the Procurement and Suspension and Debarment compliance requirement could result in the loss of future federal funds to the School Corporation. INDIANA STATE BOARD OF ACCOUNTS 19 SOUTH VERMILLION COMMUNITY SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Questioned Costs There were no questioned costs identified. Recommendation We recommended that the School Corporation's management establish a system of internal controls to ensure compliance with the grant agreement and the Procurement and Suspension and Debarment compliance requirement. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2024-002 Subject: Child Nutrition Cluster - Procurement and Suspension and Debarment Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program, Summer Food Service Program for Children Assistance Listings Numbers: 10.553, 10.555, 10.559 Federal Award Numbers and Years (or Other Identifying Numbers): FY2023, FY2024, FY23/FY24 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Findings: Material Weakness, Modified Opinion Repeat Finding This is a repeat finding from the immediately prior audit report. The prior audit finding number was 2022-003. Condition and Context An effective internal control system, which would include segregation of duties, was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the Procurement and Suspension and Debarment compliance requirement. INDIANA STATE BOARD OF ACCOUNTS 17 SOUTH VERMILLION COMMUNITY SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Procurement Federal regulations allow for informal procurement methods when the value of the procurement for property or services does not exceed the simplified acquisition threshold, which is set at $150,000. This informal process allows for methods other than the formal bid process. The informal process is divided between two methods based on thresholds: Micro-purchases, typically for those purchases of $10,000 or under, and small purchase procedures for those purchases above the micro-purchases threshold but below the simplified acquisition threshold. Micro-purchases may be awarded without soliciting competitive price rate quotations. If small purchase procedures are used, then price or rate quotations must be obtained from an adequate number of qualified sources. There were no internal controls in place to ensure that the School Corporation complied with the small purchase requirements. The School Corporation obtained quotes for the two vendors that qualified for the small purchase threshold, but there was no review or oversight process performed. Suspension and Debarment There were no internal controls in place to ensure that the School Corporation complied with the suspension and debarment requirements. The School Corporation did not verify that the two vendors were not suspended or debarred. They did not have a contract with the vendors that included the suspension and debarment clause, did not collect a certification from the vendors, and did not check the Sam.gov website to verify that vendors were not suspended or debarred. The lack of internal controls and noncompliance were systemic throughout the audit period. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.318(i) states: "The non-Federal entity must maintain records sufficient to detail the history of procurement. These records will include, but are not necessarily limited to, the following: Rationale for the method of procurement, selection of contract type, contractor selection or rejection, and the basis for the contract price." INDIANA STATE BOARD OF ACCOUNTS 18 SOUTH VERMILLION COMMUNITY SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) 2 CFR 200.320 states in part: "The non-Federal entity must have and use documented procurement procedures, consistent with the standards of this section and §§ 200.317, 200.318, and 200.319 for any of the following methods of procurement used for the acquisition of property or services required under a Federal award or sub-award. (a) Informal procurement methods. When the value of the procurement for property or services under a Federal award does not exceed the simplified acquisition threshold (SAT), as defined in § 200.1, or a lower threshold established by a non-Federal entity, formal procurement methods are not required. The non-Federal entity may use informal procurement methods to expedite the completion of its transactions and minimize the associated administrative burden and cost. The informal methods used for procurement of property or services at or below the SAT include: . . . (2) Small purchases — (i) Small purchase procedures. The acquisition of property or services, the aggregate dollar amount of which is higher than the micro-purchase threshold but does not exceed the simplified acquisition threshold. If small purchase procedures are used, price or rate quotations must be obtained from an adequate number of qualified sources as determined appropriate by the non-Federal entity. . . ." 2 CFR 180.300 states: "When you enter into a covered transaction with another person at the next lower tier, you must verify that the person with whom you intend to do business is not excluded or disqualified. You do this by: (a) Checking the SAM.gov Exclusions, or (b) Collecting a certification from that person, or (c) Adding a clause or condition to the covered transaction with that person." Cause Management had not developed or implemented a system of internal controls that would have ensured compliance with the grant agreement and the Procurement and Suspension and Debarment compliance requirement. The School Corporation obtained quotes for the two vendors that qualified for the small purchase threshold, but there was not a review or oversight performed. The School Corporation was unaware of the requirement to provide documentation to show that a verification was done to determine that the two vendors were not suspended or debarred. Effect Without the proper implementation of an effectively designed system of internal controls, the School Corporation could have used a vendor that charged more than the lowest quote for small purchases or could have entered into transaction with vendors that were excluded from participating in federal transactions. Noncompliance with the grant agreement and the Procurement and Suspension and Debarment compliance requirement could result in the loss of future federal funds to the School Corporation. INDIANA STATE BOARD OF ACCOUNTS 19 SOUTH VERMILLION COMMUNITY SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Questioned Costs There were no questioned costs identified. Recommendation We recommended that the School Corporation's management establish a system of internal controls to ensure compliance with the grant agreement and the Procurement and Suspension and Debarment compliance requirement. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
2024-001 Document Policies and Procedures over Federal Awards (Significant Deficiency) Cluster/Program: All Federal Programs Type of Finding: Compliance – Other Matters Internal Control over Compliance – Significant Deficiency Criteria or Specific Requirement: OMB’s Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (UG) established significant requirements related to Federal awards. The requirements stipulate that federal award recipients must document their policies and procedures over certain aspects of financial program management. Specifically, written policies are required for the following: • Determination of allowable costs • Conflict of interest • Employee travel • Cash Management • Equipment and inventory • Procurement and Suspension and Debarment • Time and effort reporting; and • Subrecipient monitoring and management. Federal regulations 2 CFR 200.303 states, the Town, as a recipient of Federal funds, must establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Condition: The Town has not formalized written policies and procedures related to Federal awards as required under Uniform Guidance. Cause: Weaknesses in the formal documentation of internal controls. Effect: There are no formal policies related to federal grant activity noted above. Questioned Costs: There are no questioned costs because of this finding as there are no costs directly associated with this compliance requirement. Identification as Repeat Finding: This is not a repeat finding. Recommendation: The Town should ensure that written policies and procedures are compiled and adopted as soon as practicable to ensure compliance with the Uniform Guidance. Views of Responsible Officials: Management’s views and corrective action plan is included at the end of this report.
2024-001 Document Policies and Procedures over Federal Awards (Significant Deficiency) Cluster/Program: All Federal Programs Type of Finding: Compliance – Other Matters Internal Control over Compliance – Significant Deficiency Criteria or Specific Requirement: OMB’s Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (UG) established significant requirements related to Federal awards. The requirements stipulate that federal award recipients must document their policies and procedures over certain aspects of financial program management. Specifically, written policies are required for the following: • Determination of allowable costs • Conflict of interest • Employee travel • Cash Management • Equipment and inventory • Procurement and Suspension and Debarment • Time and effort reporting; and • Subrecipient monitoring and management. Federal regulations 2 CFR 200.303 states, the Town, as a recipient of Federal funds, must establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Condition: The Town has not formalized written policies and procedures related to Federal awards as required under Uniform Guidance. Cause: Weaknesses in the formal documentation of internal controls. Effect: There are no formal policies related to federal grant activity noted above. Questioned Costs: There are no questioned costs because of this finding as there are no costs directly associated with this compliance requirement. Identification as Repeat Finding: This is not a repeat finding. Recommendation: The Town should ensure that written policies and procedures are compiled and adopted as soon as practicable to ensure compliance with the Uniform Guidance. Views of Responsible Officials: Management’s views and corrective action plan is included at the end of this report.
2024-001 Document Policies and Procedures over Federal Awards (Significant Deficiency) Cluster/Program: All Federal Programs Type of Finding: Compliance – Other Matters Internal Control over Compliance – Significant Deficiency Criteria or Specific Requirement: OMB’s Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (UG) established significant requirements related to Federal awards. The requirements stipulate that federal award recipients must document their policies and procedures over certain aspects of financial program management. Specifically, written policies are required for the following: • Determination of allowable costs • Conflict of interest • Employee travel • Cash Management • Equipment and inventory • Procurement and Suspension and Debarment • Time and effort reporting; and • Subrecipient monitoring and management. Federal regulations 2 CFR 200.303 states, the Town, as a recipient of Federal funds, must establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Condition: The Town has not formalized written policies and procedures related to Federal awards as required under Uniform Guidance. Cause: Weaknesses in the formal documentation of internal controls. Effect: There are no formal policies related to federal grant activity noted above. Questioned Costs: There are no questioned costs because of this finding as there are no costs directly associated with this compliance requirement. Identification as Repeat Finding: This is not a repeat finding. Recommendation: The Town should ensure that written policies and procedures are compiled and adopted as soon as practicable to ensure compliance with the Uniform Guidance. Views of Responsible Officials: Management’s views and corrective action plan is included at the end of this report.
2024-001 Document Policies and Procedures over Federal Awards (Significant Deficiency) Cluster/Program: All Federal Programs Type of Finding: Compliance – Other Matters Internal Control over Compliance – Significant Deficiency Criteria or Specific Requirement: OMB’s Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (UG) established significant requirements related to Federal awards. The requirements stipulate that federal award recipients must document their policies and procedures over certain aspects of financial program management. Specifically, written policies are required for the following: • Determination of allowable costs • Conflict of interest • Employee travel • Cash Management • Equipment and inventory • Procurement and Suspension and Debarment • Time and effort reporting; and • Subrecipient monitoring and management. Federal regulations 2 CFR 200.303 states, the Town, as a recipient of Federal funds, must establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Condition: The Town has not formalized written policies and procedures related to Federal awards as required under Uniform Guidance. Cause: Weaknesses in the formal documentation of internal controls. Effect: There are no formal policies related to federal grant activity noted above. Questioned Costs: There are no questioned costs because of this finding as there are no costs directly associated with this compliance requirement. Identification as Repeat Finding: This is not a repeat finding. Recommendation: The Town should ensure that written policies and procedures are compiled and adopted as soon as practicable to ensure compliance with the Uniform Guidance. Views of Responsible Officials: Management’s views and corrective action plan is included at the end of this report.
2024-001 Document Policies and Procedures over Federal Awards (Significant Deficiency) Cluster/Program: All Federal Programs Type of Finding: Compliance – Other Matters Internal Control over Compliance – Significant Deficiency Criteria or Specific Requirement: OMB’s Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (UG) established significant requirements related to Federal awards. The requirements stipulate that federal award recipients must document their policies and procedures over certain aspects of financial program management. Specifically, written policies are required for the following: • Determination of allowable costs • Conflict of interest • Employee travel • Cash Management • Equipment and inventory • Procurement and Suspension and Debarment • Time and effort reporting; and • Subrecipient monitoring and management. Federal regulations 2 CFR 200.303 states, the Town, as a recipient of Federal funds, must establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Condition: The Town has not formalized written policies and procedures related to Federal awards as required under Uniform Guidance. Cause: Weaknesses in the formal documentation of internal controls. Effect: There are no formal policies related to federal grant activity noted above. Questioned Costs: There are no questioned costs because of this finding as there are no costs directly associated with this compliance requirement. Identification as Repeat Finding: This is not a repeat finding. Recommendation: The Town should ensure that written policies and procedures are compiled and adopted as soon as practicable to ensure compliance with the Uniform Guidance. Views of Responsible Officials: Management’s views and corrective action plan is included at the end of this report.
2024-001 Document Policies and Procedures over Federal Awards (Significant Deficiency) Cluster/Program: All Federal Programs Type of Finding: Compliance – Other Matters Internal Control over Compliance – Significant Deficiency Criteria or Specific Requirement: OMB’s Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (UG) established significant requirements related to Federal awards. The requirements stipulate that federal award recipients must document their policies and procedures over certain aspects of financial program management. Specifically, written policies are required for the following: • Determination of allowable costs • Conflict of interest • Employee travel • Cash Management • Equipment and inventory • Procurement and Suspension and Debarment • Time and effort reporting; and • Subrecipient monitoring and management. Federal regulations 2 CFR 200.303 states, the Town, as a recipient of Federal funds, must establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Condition: The Town has not formalized written policies and procedures related to Federal awards as required under Uniform Guidance. Cause: Weaknesses in the formal documentation of internal controls. Effect: There are no formal policies related to federal grant activity noted above. Questioned Costs: There are no questioned costs because of this finding as there are no costs directly associated with this compliance requirement. Identification as Repeat Finding: This is not a repeat finding. Recommendation: The Town should ensure that written policies and procedures are compiled and adopted as soon as practicable to ensure compliance with the Uniform Guidance. Views of Responsible Officials: Management’s views and corrective action plan is included at the end of this report.
2024-001 Document Policies and Procedures over Federal Awards (Significant Deficiency) Cluster/Program: All Federal Programs Type of Finding: Compliance – Other Matters Internal Control over Compliance – Significant Deficiency Criteria or Specific Requirement: OMB’s Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (UG) established significant requirements related to Federal awards. The requirements stipulate that federal award recipients must document their policies and procedures over certain aspects of financial program management. Specifically, written policies are required for the following: • Determination of allowable costs • Conflict of interest • Employee travel • Cash Management • Equipment and inventory • Procurement and Suspension and Debarment • Time and effort reporting; and • Subrecipient monitoring and management. Federal regulations 2 CFR 200.303 states, the Town, as a recipient of Federal funds, must establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Condition: The Town has not formalized written policies and procedures related to Federal awards as required under Uniform Guidance. Cause: Weaknesses in the formal documentation of internal controls. Effect: There are no formal policies related to federal grant activity noted above. Questioned Costs: There are no questioned costs because of this finding as there are no costs directly associated with this compliance requirement. Identification as Repeat Finding: This is not a repeat finding. Recommendation: The Town should ensure that written policies and procedures are compiled and adopted as soon as practicable to ensure compliance with the Uniform Guidance. Views of Responsible Officials: Management’s views and corrective action plan is included at the end of this report.
2024-001 Document Policies and Procedures over Federal Awards (Significant Deficiency) Cluster/Program: All Federal Programs Type of Finding: Compliance – Other Matters Internal Control over Compliance – Significant Deficiency Criteria or Specific Requirement: OMB’s Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (UG) established significant requirements related to Federal awards. The requirements stipulate that federal award recipients must document their policies and procedures over certain aspects of financial program management. Specifically, written policies are required for the following: • Determination of allowable costs • Conflict of interest • Employee travel • Cash Management • Equipment and inventory • Procurement and Suspension and Debarment • Time and effort reporting; and • Subrecipient monitoring and management. Federal regulations 2 CFR 200.303 states, the Town, as a recipient of Federal funds, must establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Condition: The Town has not formalized written policies and procedures related to Federal awards as required under Uniform Guidance. Cause: Weaknesses in the formal documentation of internal controls. Effect: There are no formal policies related to federal grant activity noted above. Questioned Costs: There are no questioned costs because of this finding as there are no costs directly associated with this compliance requirement. Identification as Repeat Finding: This is not a repeat finding. Recommendation: The Town should ensure that written policies and procedures are compiled and adopted as soon as practicable to ensure compliance with the Uniform Guidance. Views of Responsible Officials: Management’s views and corrective action plan is included at the end of this report.
2024-001 Document Policies and Procedures over Federal Awards (Significant Deficiency) Cluster/Program: All Federal Programs Type of Finding: Compliance – Other Matters Internal Control over Compliance – Significant Deficiency Criteria or Specific Requirement: OMB’s Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (UG) established significant requirements related to Federal awards. The requirements stipulate that federal award recipients must document their policies and procedures over certain aspects of financial program management. Specifically, written policies are required for the following: • Determination of allowable costs • Conflict of interest • Employee travel • Cash Management • Equipment and inventory • Procurement and Suspension and Debarment • Time and effort reporting; and • Subrecipient monitoring and management. Federal regulations 2 CFR 200.303 states, the Town, as a recipient of Federal funds, must establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Condition: The Town has not formalized written policies and procedures related to Federal awards as required under Uniform Guidance. Cause: Weaknesses in the formal documentation of internal controls. Effect: There are no formal policies related to federal grant activity noted above. Questioned Costs: There are no questioned costs because of this finding as there are no costs directly associated with this compliance requirement. Identification as Repeat Finding: This is not a repeat finding. Recommendation: The Town should ensure that written policies and procedures are compiled and adopted as soon as practicable to ensure compliance with the Uniform Guidance. Views of Responsible Officials: Management’s views and corrective action plan is included at the end of this report.
2024-002 Unrecorded Deposits (Material Weakness) Federal Agency: Department of Homeland Security Pass-through Agency: N/A Cluster/Program: Staffing for Adequate Fire and Emergency Response (SAFER) Assistance Listing Number: 97.083 Passed-through Identification: EMW-2020-FF-00046 Compliance Requirement: Cash Management Type of Finding: Internal Control over Compliance – Material Weakness Material Noncompliance Criteria or Specific Requirement: Federal regulations 2 CFR 200.303 states, the Town, as a recipient of Federal funds, must establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Proper financial management and internal controls should ensure that all transactions related to Federal grants, including revenue recognition, expenditure tracking, and reporting, are accurately recorded in the Town’s general ledger in a timely manner. Failure to record deposits properly may result in financial misstatements, impact budgetary decisions, and affect compliance with Federal grant requirements. Condition: During the audit, we identified that the Town did not record deposits related to reimbursement requests #18 and #19 in the general ledger. These deposits, totaling $132,701, were reimbursements for payroll expenses associated with the firefighters hired under the SAFER grant. The unrecorded deposits caused the general ledger to be misstated as of June 30, 2024. Cause: The Town does not have adequate internal controls to ensure that all cash receipts, particularly those related to federal programs are recorded in the general ledger in a timely manner. This appears to stem from lack of detailed oversight over the cash reconciliation process while there was turnover in the finance office. Effect: Failure to record $132,701 in deposits resulted in a misstatement in the Town’s financial statements and non-compliance with cash management requirements. Additionally, the lack of timely recorded increases the risk of undetected errors or misuse of funds. Questioned Costs: None. While the deposits cleared the Town’s operating bank account via ACH from the federal awarding agency, the Town eventually identified the missing deposits and posted them to their general ledger system. Identification as Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the Town implement procedures to ensure that all grant related deposits are recorded in the general ledger upon receipt. In addition, we recommend that the Town implement additional procedures during the reconciliation process to ensure any identified variances or discrepancies are researched and addressed in a timely manner. Views of Responsible Officials: Management’s views and corrective action plan is included at the end of this report.
FINDING 2024-003 Subject: Child Nutrition Cluster - Procurement and Suspension and Debarment Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program Assistance Listings Numbers: 10.553, 10.555 Federal Award Number and Year (or Other Identifying Number): FY 2023-2024 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Finding: Material Weakness Repeat Finding This is a repeat finding pertaining to internal controls from the immediately prior audit report. The prior audit finding number was 2022-006. Condition and Context An effective internal control system was not in place at the School Corporation to ensure compliance with requirements related to the grant agreement and the Procurement and Suspension and Debarment compliance requirement. Procurement Federal regulations allow for informal procurement methods when the value of the procurement for property or services does not exceed the simplified acquisition threshold, which is customarily set at $250,000. However, Indiana Code 5-22-8 has a more restrictive threshold of $150,000 or less for when small purchase procedures may be used. This informal process allows for methods other than the formal bid process. The informal process is divided between two methods based on thresholds. Micro-purchases, typically for those purchases $10,000 or under, and small purchase procedures for those purchases above the micro-purchase threshold, but below the simplified acquisition threshold. Micro-purchases may be awarded without soliciting competitive price rate quotations. If small purchase procedures are used, then price or rate quotations must be obtained from an adequate number of qualified sources. The School Corporation did not have effective internal controls in place to ensure that an adequate number of price or rate quotations were obtained for all small purchases. Suspension and Debarment Prior to entering into subawards and covered transactions with the Child Nutrition Cluster (CNC) award funds, recipients are required to verify that such contractors and subrecipients are not suspended, debarred, or otherwise excluded. "Covered transactions" include, but are not limited to, contracts for goods and services awarded under a nonprocurement transaction (i.e., grant agreement) that are expected to equal or exceed $25,000. The verification is to be done by checking the Excluded Parties List System (EPLS), collecting a certification from that person, or adding a clause or condition to the covered transactions with that person. The School Corporation did not have effective internal controls in place to ensure that the verification was completed for all contractors prior to entering into covered transactions. The lack of internal controls was isolated to fiscal year 2023-2024. INDIANA STATE BOARD OF ACCOUNTS 20 MADISON CONSOLIDATED SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Cause Management had not established a system of internal controls to ensure documentation was obtained and retained to demonstrate they had properly procured all small purchases. Management had not established a system of internal controls to ensure that the School Corporation's procedures for verifying a contractor's suspension and debarment status was followed for all contractors. Effect Without the proper design or implementation of internal controls, the internal control system cannot be capable of effectively preventing, or detecting and correcting, material noncompliance. This could result in the School Corporation overpaying for goods or services or paying a contractor who has been suspended or debarred, which would be unallowable. Questioned Costs There were no questioned costs identified. Recommendation We recommended that management of the School Corporation strengthen its system of internal controls to ensure that an adequate number of price or rate quotations are obtained for all small purchases and that suspension and debarment is verified for all covered transactions of $25,000 or more. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2024-003 Subject: Child Nutrition Cluster - Procurement and Suspension and Debarment Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program Assistance Listings Numbers: 10.553, 10.555 Federal Award Number and Year (or Other Identifying Number): FY 2023-2024 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Finding: Material Weakness Repeat Finding This is a repeat finding pertaining to internal controls from the immediately prior audit report. The prior audit finding number was 2022-006. Condition and Context An effective internal control system was not in place at the School Corporation to ensure compliance with requirements related to the grant agreement and the Procurement and Suspension and Debarment compliance requirement. Procurement Federal regulations allow for informal procurement methods when the value of the procurement for property or services does not exceed the simplified acquisition threshold, which is customarily set at $250,000. However, Indiana Code 5-22-8 has a more restrictive threshold of $150,000 or less for when small purchase procedures may be used. This informal process allows for methods other than the formal bid process. The informal process is divided between two methods based on thresholds. Micro-purchases, typically for those purchases $10,000 or under, and small purchase procedures for those purchases above the micro-purchase threshold, but below the simplified acquisition threshold. Micro-purchases may be awarded without soliciting competitive price rate quotations. If small purchase procedures are used, then price or rate quotations must be obtained from an adequate number of qualified sources. The School Corporation did not have effective internal controls in place to ensure that an adequate number of price or rate quotations were obtained for all small purchases. Suspension and Debarment Prior to entering into subawards and covered transactions with the Child Nutrition Cluster (CNC) award funds, recipients are required to verify that such contractors and subrecipients are not suspended, debarred, or otherwise excluded. "Covered transactions" include, but are not limited to, contracts for goods and services awarded under a nonprocurement transaction (i.e., grant agreement) that are expected to equal or exceed $25,000. The verification is to be done by checking the Excluded Parties List System (EPLS), collecting a certification from that person, or adding a clause or condition to the covered transactions with that person. The School Corporation did not have effective internal controls in place to ensure that the verification was completed for all contractors prior to entering into covered transactions. The lack of internal controls was isolated to fiscal year 2023-2024. INDIANA STATE BOARD OF ACCOUNTS 20 MADISON CONSOLIDATED SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Cause Management had not established a system of internal controls to ensure documentation was obtained and retained to demonstrate they had properly procured all small purchases. Management had not established a system of internal controls to ensure that the School Corporation's procedures for verifying a contractor's suspension and debarment status was followed for all contractors. Effect Without the proper design or implementation of internal controls, the internal control system cannot be capable of effectively preventing, or detecting and correcting, material noncompliance. This could result in the School Corporation overpaying for goods or services or paying a contractor who has been suspended or debarred, which would be unallowable. Questioned Costs There were no questioned costs identified. Recommendation We recommended that management of the School Corporation strengthen its system of internal controls to ensure that an adequate number of price or rate quotations are obtained for all small purchases and that suspension and debarment is verified for all covered transactions of $25,000 or more. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2024-004 Subject: Title I Grants to Local Educational Agencies - Special Tests and Provisions - Assessment System Security Federal Agency: Department of Education Federal Program: Title I Grants to Local Educational Agencies Assistance Listings Number: 84.010 Federal Award Numbers and Years (or Other Identifying Numbers): S010A210014, S010A220014, S010A230014 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Special Tests and Provisions - Assessment System Security Audit Findings: Material Weakness, Other Matters Condition and Context State educational agencies (SEA), in consultation with local educational agencies (LEA), are required to establish and maintain an assessment security system that is valid, reliable, and consistent with relevant professional and technical standards. Within their assessment system, SEAs must have policies and procedures to maintain test security measures and ensure that LEAs implement those policies and procedures. As such, the Indiana Department of Education created and published the Indiana Assessment Policy Manual. As a part of the assessment security, any individual who administers, handles, or has access to secure test materials at the school or school corporation shall complete assessment training and sign a testing security and integrity statement that remains on file in the appropriate building-level office each year. Each individual required to sign the testing integrity agreement shall sign the form by an established date. The School Corporation had a process to provide assessment system security training and to ensure each employee that attended training signed the agreement indicating training was received. However, there was no process in place to ensure that all documentation of school employees being trained was retained for audit. Due to the lack of internal controls over maintaining the supporting documentation, some of the Indiana Testing and Security agreements were not provided for review. A sample of 40 employees was selected for testing from the School Corporation's roster. Of the 40 employees tested, 8 did not have a signed agreement on file indicating training was received as required. The lack of internal controls and noncompliance was isolated to the 2022-2023 school year for 3 of the buildings. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." INDIANA STATE BOARD OF ACCOUNTS 22 MADISON CONSOLIDATED SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) 511 IAC 5-5-5(b) states: "Any individual who administers, handles, or has access to secure test materials at the school or school corporation shall complete assessment training and sign a testing security and integrity agreement to remain on file in the appropriate building-level office each year." Cause A proper system of internal controls was not designed by management of the School Corporation to ensure that all Indiana Testing and Security agreements were on file and could be presented for audit. Agreements for 8 employees selected for testing could not be located. Effect Without the proper implementation of an effectively designed system of internal controls, the internal control system cannot be capable of effectively preventing, or detecting and correcting, material noncompliance. As a result, not all required employees have the required Indiana Testing Security and Integrity agreement maintained for Assessment System Security. Noncompliance with the grant agreement and the compliance requirement could result in the loss of future federal funds to the School Corporation. Questioned Costs There were no questioned costs identified. Recommendation We recommended that management of the School Corporation establish a proper system of internal controls and develop policies and procedures to ensure that all required employees complete assessment security training and that the signed appropriate forms are retained for audit. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2024-004 Subject: Title I Grants to Local Educational Agencies - Special Tests and Provisions - Assessment System Security Federal Agency: Department of Education Federal Program: Title I Grants to Local Educational Agencies Assistance Listings Number: 84.010 Federal Award Numbers and Years (or Other Identifying Numbers): S010A210014, S010A220014, S010A230014 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Special Tests and Provisions - Assessment System Security Audit Findings: Material Weakness, Other Matters Condition and Context State educational agencies (SEA), in consultation with local educational agencies (LEA), are required to establish and maintain an assessment security system that is valid, reliable, and consistent with relevant professional and technical standards. Within their assessment system, SEAs must have policies and procedures to maintain test security measures and ensure that LEAs implement those policies and procedures. As such, the Indiana Department of Education created and published the Indiana Assessment Policy Manual. As a part of the assessment security, any individual who administers, handles, or has access to secure test materials at the school or school corporation shall complete assessment training and sign a testing security and integrity statement that remains on file in the appropriate building-level office each year. Each individual required to sign the testing integrity agreement shall sign the form by an established date. The School Corporation had a process to provide assessment system security training and to ensure each employee that attended training signed the agreement indicating training was received. However, there was no process in place to ensure that all documentation of school employees being trained was retained for audit. Due to the lack of internal controls over maintaining the supporting documentation, some of the Indiana Testing and Security agreements were not provided for review. A sample of 40 employees was selected for testing from the School Corporation's roster. Of the 40 employees tested, 8 did not have a signed agreement on file indicating training was received as required. The lack of internal controls and noncompliance was isolated to the 2022-2023 school year for 3 of the buildings. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." INDIANA STATE BOARD OF ACCOUNTS 22 MADISON CONSOLIDATED SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) 511 IAC 5-5-5(b) states: "Any individual who administers, handles, or has access to secure test materials at the school or school corporation shall complete assessment training and sign a testing security and integrity agreement to remain on file in the appropriate building-level office each year." Cause A proper system of internal controls was not designed by management of the School Corporation to ensure that all Indiana Testing and Security agreements were on file and could be presented for audit. Agreements for 8 employees selected for testing could not be located. Effect Without the proper implementation of an effectively designed system of internal controls, the internal control system cannot be capable of effectively preventing, or detecting and correcting, material noncompliance. As a result, not all required employees have the required Indiana Testing Security and Integrity agreement maintained for Assessment System Security. Noncompliance with the grant agreement and the compliance requirement could result in the loss of future federal funds to the School Corporation. Questioned Costs There were no questioned costs identified. Recommendation We recommended that management of the School Corporation establish a proper system of internal controls and develop policies and procedures to ensure that all required employees complete assessment security training and that the signed appropriate forms are retained for audit. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2024-005 Subject: Title I Grants to Local Educational Agencies - Eligibility Federal Agency: Department of Education Federal Program: Title I Grants to Local Educational Agencies Assistance Listings Number: 84.010 Federal Award Numbers and Years (or Other Identifying Numbers): S010A210014, S010A220014, S010A230014 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Eligibility Audit Findings: Material Weakness, Modified Opinion Repeat Finding This is a repeat finding from the immediately prior audit report. The prior audit finding number was 2022-003. INDIANA STATE BOARD OF ACCOUNTS 23 MADISON CONSOLIDATED SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Condition and Context Eligibility for Title I is determined on the Eligible School Summary of the Tile I application. Enrollment and Poverty numbers are automatically pulled from the Indiana Department of Education's (IDOE) Official Pupil Enrollment (PE) count for each school into the Eligible School Summary page of the Tile I application. These counts that are prepopulated should be based on the School Corporation's records as of October of the prior fiscal year. One person compiled and uploaded enrollment data, including poverty status for Real Time (RT) reports, to the IDOE without a documented oversight or review process to ensure that the information was accurate and retained for audit. In addition, there was no review by the School Corporation of the enrollment and poverty counts that were prepopulated into the School Corporation's Title I grant application. The IDOE used the October 1 RT reports for fiscal years 2021-2022 and 2022-2023, as provided by the School Corporation, to determine Eligibility for the 2022-2023 and 2023-2024 grant programs, respectively. The October 1 RT report could not be presented for audit for 2021-2022, which would have been used to pull in enrollment and poverty information for the 2022-2023 grant. As such, we were unable to verify the amounts reported in the grant application. Additionally, the Indiana State Board of Accounts was unable to verify if the correct socioeconomic status was properly reported for any of the students. Enrollment and poverty numbers for any nonpublic schools are manually entered into the application by the School Corporation. The School Corporation had not established an effective process to review the listing of students from the nonpublic schools for enrollment and poverty counts to be entered into the Title I application and to retain this information for audit. We were unable to determine if the enrolled student count and their poverty status in the application was accurate. The lack of internal controls and lack of information submitted for audit was a systemic issue throughout the audit period. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.334 states in part: "Financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for the Federal awards that are renewed quarterly or annual, from the date of submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. . . ." INDIANA STATE BOARD OF ACCOUNTS 24 MADISON CONSOLIDATED SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Cause A proper system of internal controls was not designed by management of the School Corporation, which would include segregation of key functions, to ensure all records pertinent to the federal award were retained for audit. After a change in software providers, information from the previous provider could not be obtained for audit. Effect Without the proper implementation of an effectively designed system of internal controls, the internal control system cannot be capable of effectively preventing, or detecting and correcting, material noncompliance. As a result, RT reports and nonpublic school enrollment documentation were not maintained for audit, and, as such, the Indiana State Board of Accounts could not determine if the School Corporation complied with the Eligibility compliance requirement. Noncompliance with the provisions of federal statutes, regulations, and the terms and conditions of the federal award could result in the loss of future federal funding to the School Corporation. Questioned Costs There were no questioned costs identified. Recommendation We recommended that the management of the School Corporation establish a proper system of internal controls and develop policies and procedures to ensure RT reports, and nonpublic school enrollment documentation are maintained for audit. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2024-005 Subject: Title I Grants to Local Educational Agencies - Eligibility Federal Agency: Department of Education Federal Program: Title I Grants to Local Educational Agencies Assistance Listings Number: 84.010 Federal Award Numbers and Years (or Other Identifying Numbers): S010A210014, S010A220014, S010A230014 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Eligibility Audit Findings: Material Weakness, Modified Opinion Repeat Finding This is a repeat finding from the immediately prior audit report. The prior audit finding number was 2022-003. INDIANA STATE BOARD OF ACCOUNTS 23 MADISON CONSOLIDATED SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Condition and Context Eligibility for Title I is determined on the Eligible School Summary of the Tile I application. Enrollment and Poverty numbers are automatically pulled from the Indiana Department of Education's (IDOE) Official Pupil Enrollment (PE) count for each school into the Eligible School Summary page of the Tile I application. These counts that are prepopulated should be based on the School Corporation's records as of October of the prior fiscal year. One person compiled and uploaded enrollment data, including poverty status for Real Time (RT) reports, to the IDOE without a documented oversight or review process to ensure that the information was accurate and retained for audit. In addition, there was no review by the School Corporation of the enrollment and poverty counts that were prepopulated into the School Corporation's Title I grant application. The IDOE used the October 1 RT reports for fiscal years 2021-2022 and 2022-2023, as provided by the School Corporation, to determine Eligibility for the 2022-2023 and 2023-2024 grant programs, respectively. The October 1 RT report could not be presented for audit for 2021-2022, which would have been used to pull in enrollment and poverty information for the 2022-2023 grant. As such, we were unable to verify the amounts reported in the grant application. Additionally, the Indiana State Board of Accounts was unable to verify if the correct socioeconomic status was properly reported for any of the students. Enrollment and poverty numbers for any nonpublic schools are manually entered into the application by the School Corporation. The School Corporation had not established an effective process to review the listing of students from the nonpublic schools for enrollment and poverty counts to be entered into the Title I application and to retain this information for audit. We were unable to determine if the enrolled student count and their poverty status in the application was accurate. The lack of internal controls and lack of information submitted for audit was a systemic issue throughout the audit period. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.334 states in part: "Financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for the Federal awards that are renewed quarterly or annual, from the date of submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. . . ." INDIANA STATE BOARD OF ACCOUNTS 24 MADISON CONSOLIDATED SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Cause A proper system of internal controls was not designed by management of the School Corporation, which would include segregation of key functions, to ensure all records pertinent to the federal award were retained for audit. After a change in software providers, information from the previous provider could not be obtained for audit. Effect Without the proper implementation of an effectively designed system of internal controls, the internal control system cannot be capable of effectively preventing, or detecting and correcting, material noncompliance. As a result, RT reports and nonpublic school enrollment documentation were not maintained for audit, and, as such, the Indiana State Board of Accounts could not determine if the School Corporation complied with the Eligibility compliance requirement. Noncompliance with the provisions of federal statutes, regulations, and the terms and conditions of the federal award could result in the loss of future federal funding to the School Corporation. Questioned Costs There were no questioned costs identified. Recommendation We recommended that the management of the School Corporation establish a proper system of internal controls and develop policies and procedures to ensure RT reports, and nonpublic school enrollment documentation are maintained for audit. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2024-006 Subject: Special Education Cluster (IDEA) - Procurement and Suspension and Debarment Federal Agency: Department of Education Federal Programs: Special Education Grants to States, Special Education Preschool Grants, COVID-19 - Special Education Grants to States, COVID-19 - Special Education Preschool Grants Assistance Listings Numbers: 84.027, 84.173 Federal Award Numbers and Years (or Other Identifying Numbers): HO27A220084, 21611-127-PN01, 22611-127-ARP, 22611-127-PN01, 23611-127-PN01, 23619-127-ARP, 22619-127-PN01, 23619-127-PN01 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Finding: Significant Deficiency Condition and Context An effective internal control system was not in place at the School Corporation to ensure compliance with requirements related to the grant agreement and suspension and debarment compliance requirements. INDIANA STATE BOARD OF ACCOUNTS 25 MADISON CONSOLIDATED SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Prior to entering into subawards and covered transactions with the Special Education Cluster (SPED) award funds, recipients are required to verify that such contractors and subrecipients are not suspended, debarred, or otherwise excluded. "Covered transactions" include, but are not limited to, contracts for goods and services awarded under a nonprocurement transaction (i.e., grant agreement) that are expected to equal or exceed $25,000. The verification is to be done by checking the Excluded Parties List System, collecting a certification from that person, or adding a clause or condition to the covered transactions with that person. There was no internal control in place, such as an oversight, review, or approval process, to ensure that contractors or subrecipients were not suspended, debarred, or otherwise excluded. The lack of internal controls was a systemic issue throughout the audit period. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Cause The School Corporation did not have internal controls in pace to ensure the suspension and debarment status for covered transactions it intended to pay with federal funds of the major program were properly verified. Effect Without the proper design or implementation of internal controls, the internal control system cannot be capable of effectively preventing, or detecting and correcting, material noncompliance. This could result in the School Corporation paying a contractor who has been suspended or debarred, which would be unallowable. Questioned Costs There were no questioned costs identified. Recommendation We recommended that management of the School Corporation strengthen its system of internal controls to ensure that suspension and debarment is verified for all covered transactions of $25,000 or more. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report
FINDING 2024-006 Subject: Special Education Cluster (IDEA) - Procurement and Suspension and Debarment Federal Agency: Department of Education Federal Programs: Special Education Grants to States, Special Education Preschool Grants, COVID-19 - Special Education Grants to States, COVID-19 - Special Education Preschool Grants Assistance Listings Numbers: 84.027, 84.173 Federal Award Numbers and Years (or Other Identifying Numbers): HO27A220084, 21611-127-PN01, 22611-127-ARP, 22611-127-PN01, 23611-127-PN01, 23619-127-ARP, 22619-127-PN01, 23619-127-PN01 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Finding: Significant Deficiency Condition and Context An effective internal control system was not in place at the School Corporation to ensure compliance with requirements related to the grant agreement and suspension and debarment compliance requirements. INDIANA STATE BOARD OF ACCOUNTS 25 MADISON CONSOLIDATED SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Prior to entering into subawards and covered transactions with the Special Education Cluster (SPED) award funds, recipients are required to verify that such contractors and subrecipients are not suspended, debarred, or otherwise excluded. "Covered transactions" include, but are not limited to, contracts for goods and services awarded under a nonprocurement transaction (i.e., grant agreement) that are expected to equal or exceed $25,000. The verification is to be done by checking the Excluded Parties List System, collecting a certification from that person, or adding a clause or condition to the covered transactions with that person. There was no internal control in place, such as an oversight, review, or approval process, to ensure that contractors or subrecipients were not suspended, debarred, or otherwise excluded. The lack of internal controls was a systemic issue throughout the audit period. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Cause The School Corporation did not have internal controls in pace to ensure the suspension and debarment status for covered transactions it intended to pay with federal funds of the major program were properly verified. Effect Without the proper design or implementation of internal controls, the internal control system cannot be capable of effectively preventing, or detecting and correcting, material noncompliance. This could result in the School Corporation paying a contractor who has been suspended or debarred, which would be unallowable. Questioned Costs There were no questioned costs identified. Recommendation We recommended that management of the School Corporation strengthen its system of internal controls to ensure that suspension and debarment is verified for all covered transactions of $25,000 or more. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report
FINDING 2024-006 Subject: Special Education Cluster (IDEA) - Procurement and Suspension and Debarment Federal Agency: Department of Education Federal Programs: Special Education Grants to States, Special Education Preschool Grants, COVID-19 - Special Education Grants to States, COVID-19 - Special Education Preschool Grants Assistance Listings Numbers: 84.027, 84.173 Federal Award Numbers and Years (or Other Identifying Numbers): HO27A220084, 21611-127-PN01, 22611-127-ARP, 22611-127-PN01, 23611-127-PN01, 23619-127-ARP, 22619-127-PN01, 23619-127-PN01 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Finding: Significant Deficiency Condition and Context An effective internal control system was not in place at the School Corporation to ensure compliance with requirements related to the grant agreement and suspension and debarment compliance requirements. INDIANA STATE BOARD OF ACCOUNTS 25 MADISON CONSOLIDATED SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Prior to entering into subawards and covered transactions with the Special Education Cluster (SPED) award funds, recipients are required to verify that such contractors and subrecipients are not suspended, debarred, or otherwise excluded. "Covered transactions" include, but are not limited to, contracts for goods and services awarded under a nonprocurement transaction (i.e., grant agreement) that are expected to equal or exceed $25,000. The verification is to be done by checking the Excluded Parties List System, collecting a certification from that person, or adding a clause or condition to the covered transactions with that person. There was no internal control in place, such as an oversight, review, or approval process, to ensure that contractors or subrecipients were not suspended, debarred, or otherwise excluded. The lack of internal controls was a systemic issue throughout the audit period. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Cause The School Corporation did not have internal controls in pace to ensure the suspension and debarment status for covered transactions it intended to pay with federal funds of the major program were properly verified. Effect Without the proper design or implementation of internal controls, the internal control system cannot be capable of effectively preventing, or detecting and correcting, material noncompliance. This could result in the School Corporation paying a contractor who has been suspended or debarred, which would be unallowable. Questioned Costs There were no questioned costs identified. Recommendation We recommended that management of the School Corporation strengthen its system of internal controls to ensure that suspension and debarment is verified for all covered transactions of $25,000 or more. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report
FINDING 2024-006 Subject: Special Education Cluster (IDEA) - Procurement and Suspension and Debarment Federal Agency: Department of Education Federal Programs: Special Education Grants to States, Special Education Preschool Grants, COVID-19 - Special Education Grants to States, COVID-19 - Special Education Preschool Grants Assistance Listings Numbers: 84.027, 84.173 Federal Award Numbers and Years (or Other Identifying Numbers): HO27A220084, 21611-127-PN01, 22611-127-ARP, 22611-127-PN01, 23611-127-PN01, 23619-127-ARP, 22619-127-PN01, 23619-127-PN01 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Finding: Significant Deficiency Condition and Context An effective internal control system was not in place at the School Corporation to ensure compliance with requirements related to the grant agreement and suspension and debarment compliance requirements. INDIANA STATE BOARD OF ACCOUNTS 25 MADISON CONSOLIDATED SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Prior to entering into subawards and covered transactions with the Special Education Cluster (SPED) award funds, recipients are required to verify that such contractors and subrecipients are not suspended, debarred, or otherwise excluded. "Covered transactions" include, but are not limited to, contracts for goods and services awarded under a nonprocurement transaction (i.e., grant agreement) that are expected to equal or exceed $25,000. The verification is to be done by checking the Excluded Parties List System, collecting a certification from that person, or adding a clause or condition to the covered transactions with that person. There was no internal control in place, such as an oversight, review, or approval process, to ensure that contractors or subrecipients were not suspended, debarred, or otherwise excluded. The lack of internal controls was a systemic issue throughout the audit period. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Cause The School Corporation did not have internal controls in pace to ensure the suspension and debarment status for covered transactions it intended to pay with federal funds of the major program were properly verified. Effect Without the proper design or implementation of internal controls, the internal control system cannot be capable of effectively preventing, or detecting and correcting, material noncompliance. This could result in the School Corporation paying a contractor who has been suspended or debarred, which would be unallowable. Questioned Costs There were no questioned costs identified. Recommendation We recommended that management of the School Corporation strengthen its system of internal controls to ensure that suspension and debarment is verified for all covered transactions of $25,000 or more. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report
FINDING 2024-006 Subject: Special Education Cluster (IDEA) - Procurement and Suspension and Debarment Federal Agency: Department of Education Federal Programs: Special Education Grants to States, Special Education Preschool Grants, COVID-19 - Special Education Grants to States, COVID-19 - Special Education Preschool Grants Assistance Listings Numbers: 84.027, 84.173 Federal Award Numbers and Years (or Other Identifying Numbers): HO27A220084, 21611-127-PN01, 22611-127-ARP, 22611-127-PN01, 23611-127-PN01, 23619-127-ARP, 22619-127-PN01, 23619-127-PN01 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Finding: Significant Deficiency Condition and Context An effective internal control system was not in place at the School Corporation to ensure compliance with requirements related to the grant agreement and suspension and debarment compliance requirements. INDIANA STATE BOARD OF ACCOUNTS 25 MADISON CONSOLIDATED SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Prior to entering into subawards and covered transactions with the Special Education Cluster (SPED) award funds, recipients are required to verify that such contractors and subrecipients are not suspended, debarred, or otherwise excluded. "Covered transactions" include, but are not limited to, contracts for goods and services awarded under a nonprocurement transaction (i.e., grant agreement) that are expected to equal or exceed $25,000. The verification is to be done by checking the Excluded Parties List System, collecting a certification from that person, or adding a clause or condition to the covered transactions with that person. There was no internal control in place, such as an oversight, review, or approval process, to ensure that contractors or subrecipients were not suspended, debarred, or otherwise excluded. The lack of internal controls was a systemic issue throughout the audit period. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Cause The School Corporation did not have internal controls in pace to ensure the suspension and debarment status for covered transactions it intended to pay with federal funds of the major program were properly verified. Effect Without the proper design or implementation of internal controls, the internal control system cannot be capable of effectively preventing, or detecting and correcting, material noncompliance. This could result in the School Corporation paying a contractor who has been suspended or debarred, which would be unallowable. Questioned Costs There were no questioned costs identified. Recommendation We recommended that management of the School Corporation strengthen its system of internal controls to ensure that suspension and debarment is verified for all covered transactions of $25,000 or more. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report
Criteria or Specific Requirement: The Uniform Guidance in 2 CFR Section 200.303, Internal Controls, requires that non-Federal recipients and subrecipients must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance the award is in compliance with the Federal Statutes, regulations, and the terms and conditions of the Federal award. Condition: The District's control over maintaining the monthly Eligibility Direct Certification reports for the School Breakfast, National School Lunch, and Summer Food Service Programs was not followed and insufficient documentation was retained. One instance in which annual eligibility determination was incorrect. Questioned Costs: No Context: A sample of 40 applications were selected for testing: • 16 direct certification eligibility determinations were unable to be compared to the State’s direct certify reports. • 1 annual eligibility determination was eligible under the 'Free' meal classification and was incorrectly classified as 'Paid'. Cause: The District did not retain any of the State’s monthly direct certification reports. The District relied on their food service system for determination of eligibility instead of calculating it themselves resulting in an applicant not receiving the benefits they were entitled to. Effect: Lack of documentation retention could result in students receiving benefits they are not entitled to or students not receiving benefits that they are entitled. Repeat Finding: No Recommendation: We recommend the District retain all direct certification reports from the State and for the District to review applications submitted electronically through food service system to determine correct eligibility determination is made. Views of Responsible Officials: There is no disagreement with the audit finding.
Criteria or Specific Requirement: The Uniform Guidance in 2 CFR Section 200.303, Internal Controls, requires that non-Federal recipients and subrecipients must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance the award is in compliance with the Federal Statutes, regulations, and the terms and conditions of the Federal award. Condition: The District's control over maintaining the monthly Eligibility Direct Certification reports for the School Breakfast, National School Lunch, and Summer Food Service Programs was not followed and insufficient documentation was retained. One instance in which annual eligibility determination was incorrect. Questioned Costs: No Context: A sample of 40 applications were selected for testing: • 16 direct certification eligibility determinations were unable to be compared to the State’s direct certify reports. • 1 annual eligibility determination was eligible under the 'Free' meal classification and was incorrectly classified as 'Paid'. Cause: The District did not retain any of the State’s monthly direct certification reports. The District relied on their food service system for determination of eligibility instead of calculating it themselves resulting in an applicant not receiving the benefits they were entitled to. Effect: Lack of documentation retention could result in students receiving benefits they are not entitled to or students not receiving benefits that they are entitled. Repeat Finding: No Recommendation: We recommend the District retain all direct certification reports from the State and for the District to review applications submitted electronically through food service system to determine correct eligibility determination is made. Views of Responsible Officials: There is no disagreement with the audit finding.
Criteria or Specific Requirement: The Uniform Guidance in 2 CFR Section 200.303, Internal Controls, requires that non-Federal recipients and subrecipients must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance the award is in compliance with the Federal Statutes, regulations, and the terms and conditions of the Federal award. Condition: The District's control over maintaining the monthly Eligibility Direct Certification reports for the School Breakfast, National School Lunch, and Summer Food Service Programs was not followed and insufficient documentation was retained. One instance in which annual eligibility determination was incorrect. Questioned Costs: No Context: A sample of 40 applications were selected for testing: • 16 direct certification eligibility determinations were unable to be compared to the State’s direct certify reports. • 1 annual eligibility determination was eligible under the 'Free' meal classification and was incorrectly classified as 'Paid'. Cause: The District did not retain any of the State’s monthly direct certification reports. The District relied on their food service system for determination of eligibility instead of calculating it themselves resulting in an applicant not receiving the benefits they were entitled to. Effect: Lack of documentation retention could result in students receiving benefits they are not entitled to or students not receiving benefits that they are entitled. Repeat Finding: No Recommendation: We recommend the District retain all direct certification reports from the State and for the District to review applications submitted electronically through food service system to determine correct eligibility determination is made. Views of Responsible Officials: There is no disagreement with the audit finding.
Criteria or Specific Requirement: The Uniform Guidance in 2 CFR Section 200.303, Internal Controls, requires that non-Federal recipients and subrecipients must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance the award is in compliance with the Federal Statutes, regulations, and the terms and conditions of the Federal award. Condition: The District's control over maintaining the monthly Eligibility Direct Certification reports for the School Breakfast, National School Lunch, and Summer Food Service Programs was not followed and insufficient documentation was retained. One instance in which annual eligibility determination was incorrect. Questioned Costs: No Context: A sample of 40 applications were selected for testing: • 16 direct certification eligibility determinations were unable to be compared to the State’s direct certify reports. • 1 annual eligibility determination was eligible under the 'Free' meal classification and was incorrectly classified as 'Paid'. Cause: The District did not retain any of the State’s monthly direct certification reports. The District relied on their food service system for determination of eligibility instead of calculating it themselves resulting in an applicant not receiving the benefits they were entitled to. Effect: Lack of documentation retention could result in students receiving benefits they are not entitled to or students not receiving benefits that they are entitled. Repeat Finding: No Recommendation: We recommend the District retain all direct certification reports from the State and for the District to review applications submitted electronically through food service system to determine correct eligibility determination is made. Views of Responsible Officials: There is no disagreement with the audit finding.
Criteria or Specific Requirement: The Uniform Guidance in 2 CFR Section 200.303, Internal Controls, requires that non-Federal recipients and subrecipients must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance the award is in compliance with the Federal Statutes, regulations, and the terms and conditions of the Federal award. Condition: The District's control over maintaining the monthly Eligibility Direct Certification reports for the School Breakfast, National School Lunch, and Summer Food Service Programs was not followed and insufficient documentation was retained. One instance in which annual eligibility determination was incorrect. Questioned Costs: No Context: A sample of 40 applications were selected for testing: • 16 direct certification eligibility determinations were unable to be compared to the State’s direct certify reports. • 1 annual eligibility determination was eligible under the 'Free' meal classification and was incorrectly classified as 'Paid'. Cause: The District did not retain any of the State’s monthly direct certification reports. The District relied on their food service system for determination of eligibility instead of calculating it themselves resulting in an applicant not receiving the benefits they were entitled to. Effect: Lack of documentation retention could result in students receiving benefits they are not entitled to or students not receiving benefits that they are entitled. Repeat Finding: No Recommendation: We recommend the District retain all direct certification reports from the State and for the District to review applications submitted electronically through food service system to determine correct eligibility determination is made. Views of Responsible Officials: There is no disagreement with the audit finding.
Information on the federal program: Subject: Child Nutrition Cluster - Internal Controls Federal Agency: Department of Agriculture Federal Program: School Breakfast Program, National School Lunch Program Assistance Listing Number: 10.553, 10.555 Federal Award Numbers and Years (or Other Identifying Numbers): FY2023, FY2024 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Eligibility Audit Finding: Material Weakness Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Condition: An effective internal control system was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the eligibility compliance requirement. Cause: The School Corporation's management had not developed a system of internal controls to ensure compliance with eligibility requirements. Effect: The failure to establish an effective internal control system placed the School Corporation at risk of noncompliance with the grant agreement and the compliance requirements. A lack of segregation of duties within an internal control system could have also allowed noncompliance with the compliance requirements and allowed the misuse and mismanagement of federal funds and assets by not having proper oversight, reviews, and approvals over the activities of the programs. Questioned Costs: There were no questioned costs identified. Context: During testing over controls for eligibility, we noted there was no formal, secondary review for the applications entered in the food service software determining eligibility. Additionally, there was no documented annual review by School Corporation personnel of the income eligibility guidelines used by the food service software. Identification as a repeat finding, if applicable: No. Recommendation: We recommended that the School Corporation's management establish a system of internal controls related to the grant agreement and eligibility compliance requirements. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Information on the federal program: Subject: Child Nutrition Cluster - Internal Controls Federal Agency: Department of Agriculture Federal Program: School Breakfast Program, National School Lunch Program Assistance Listing Number: 10.553, 10.555 Federal Award Numbers and Years (or Other Identifying Numbers): FY2023, FY2024 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Eligibility Audit Finding: Material Weakness Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Condition: An effective internal control system was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the eligibility compliance requirement. Cause: The School Corporation's management had not developed a system of internal controls to ensure compliance with eligibility requirements. Effect: The failure to establish an effective internal control system placed the School Corporation at risk of noncompliance with the grant agreement and the compliance requirements. A lack of segregation of duties within an internal control system could have also allowed noncompliance with the compliance requirements and allowed the misuse and mismanagement of federal funds and assets by not having proper oversight, reviews, and approvals over the activities of the programs. Questioned Costs: There were no questioned costs identified. Context: During testing over controls for eligibility, we noted there was no formal, secondary review for the applications entered in the food service software determining eligibility. Additionally, there was no documented annual review by School Corporation personnel of the income eligibility guidelines used by the food service software. Identification as a repeat finding, if applicable: No. Recommendation: We recommended that the School Corporation's management establish a system of internal controls related to the grant agreement and eligibility compliance requirements. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Information on the federal program: Subject: Child Nutrition Cluster - Internal Controls Federal Agency: Department of Agriculture Federal Program: School Breakfast Program, National School Lunch Program Assistance Listing Number: 10.553, 10.555 Federal Award Numbers and Years (or Other Identifying Numbers): FY2023, FY2024 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Eligibility Audit Finding: Material Weakness Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Condition: An effective internal control system was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the eligibility compliance requirement. Cause: The School Corporation's management had not developed a system of internal controls to ensure compliance with eligibility requirements. Effect: The failure to establish an effective internal control system placed the School Corporation at risk of noncompliance with the grant agreement and the compliance requirements. A lack of segregation of duties within an internal control system could have also allowed noncompliance with the compliance requirements and allowed the misuse and mismanagement of federal funds and assets by not having proper oversight, reviews, and approvals over the activities of the programs. Questioned Costs: There were no questioned costs identified. Context: During testing over controls for eligibility, we noted there was no formal, secondary review for the applications entered in the food service software determining eligibility. Additionally, there was no documented annual review by School Corporation personnel of the income eligibility guidelines used by the food service software. Identification as a repeat finding, if applicable: No. Recommendation: We recommended that the School Corporation's management establish a system of internal controls related to the grant agreement and eligibility compliance requirements. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Information on the federal program: Subject: Child Nutrition Cluster - Internal Controls Federal Agency: Department of Agriculture Federal Program: School Breakfast Program, National School Lunch Program Assistance Listing Number: 10.553, 10.555 Federal Award Numbers and Years (or Other Identifying Numbers): FY2023, FY2024 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Reporting Audit Finding: Material Weakness Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Condition: An effective internal control system was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the reporting compliance requirement. Cause: The School Corporation's management had not developed a system of internal controls to ensure compliance with the reporting requirements. Effect: The failure to establish an effective internal control system placed the School Corporation at risk of noncompliance with the grant agreement and the compliance requirements. A lack of segregation of duties within an internal control system could have also allowed noncompliance with the compliance requirements and allowed the misuse and mismanagement of federal funds and assets by not having proper oversight, reviews, and approvals over the activities of the programs. Questioned Costs: $349 overstatement, $161 understatement of claimed meals Context: We noted that for two claims in a sample of four, the Food Service Director prepared the reimbursement claim without a secondary, documented review to ensure the accuracy of the reimbursement claim. Additionally, the number of meals claimed on two of the four claims sampled did not agree to the supporting meal system reports. There was a gross overstatement of meals claimed of $349 and a gross understatement of meals claimed of $161 resulting in a net over reimbursement amount of $188. Identification as a repeat finding, if applicable: This is a repeat finding from the immediately prior audit. The prior finding number was 2022-004. Recommendation: We recommended that the School Corporation implement a documented, formal review of the claims before they are submitted for reimbursement. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Information on the federal program: Subject: Child Nutrition Cluster - Internal Controls Federal Agency: Department of Agriculture Federal Program: School Breakfast Program, National School Lunch Program Assistance Listing Number: 10.553, 10.555 Federal Award Numbers and Years (or Other Identifying Numbers): FY2023, FY2024 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Reporting Audit Finding: Material Weakness Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Condition: An effective internal control system was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the reporting compliance requirement. Cause: The School Corporation's management had not developed a system of internal controls to ensure compliance with the reporting requirements. Effect: The failure to establish an effective internal control system placed the School Corporation at risk of noncompliance with the grant agreement and the compliance requirements. A lack of segregation of duties within an internal control system could have also allowed noncompliance with the compliance requirements and allowed the misuse and mismanagement of federal funds and assets by not having proper oversight, reviews, and approvals over the activities of the programs. Questioned Costs: $349 overstatement, $161 understatement of claimed meals Context: We noted that for two claims in a sample of four, the Food Service Director prepared the reimbursement claim without a secondary, documented review to ensure the accuracy of the reimbursement claim. Additionally, the number of meals claimed on two of the four claims sampled did not agree to the supporting meal system reports. There was a gross overstatement of meals claimed of $349 and a gross understatement of meals claimed of $161 resulting in a net over reimbursement amount of $188. Identification as a repeat finding, if applicable: This is a repeat finding from the immediately prior audit. The prior finding number was 2022-004. Recommendation: We recommended that the School Corporation implement a documented, formal review of the claims before they are submitted for reimbursement. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Information on the federal program: Subject: Child Nutrition Cluster - Internal Controls Federal Agency: Department of Agriculture Federal Program: School Breakfast Program, National School Lunch Program Assistance Listing Number: 10.553, 10.555 Federal Award Numbers and Years (or Other Identifying Numbers): FY2023, FY2024 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Reporting Audit Finding: Material Weakness Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Condition: An effective internal control system was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the reporting compliance requirement. Cause: The School Corporation's management had not developed a system of internal controls to ensure compliance with the reporting requirements. Effect: The failure to establish an effective internal control system placed the School Corporation at risk of noncompliance with the grant agreement and the compliance requirements. A lack of segregation of duties within an internal control system could have also allowed noncompliance with the compliance requirements and allowed the misuse and mismanagement of federal funds and assets by not having proper oversight, reviews, and approvals over the activities of the programs. Questioned Costs: $349 overstatement, $161 understatement of claimed meals Context: We noted that for two claims in a sample of four, the Food Service Director prepared the reimbursement claim without a secondary, documented review to ensure the accuracy of the reimbursement claim. Additionally, the number of meals claimed on two of the four claims sampled did not agree to the supporting meal system reports. There was a gross overstatement of meals claimed of $349 and a gross understatement of meals claimed of $161 resulting in a net over reimbursement amount of $188. Identification as a repeat finding, if applicable: This is a repeat finding from the immediately prior audit. The prior finding number was 2022-004. Recommendation: We recommended that the School Corporation implement a documented, formal review of the claims before they are submitted for reimbursement. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Information on the federal program: Subject: Child Nutrition Cluster – Internal Controls Federal Agency: Department of Agriculture Federal Program: School Breakfast Program, National School Lunch Program Assistance Listing Number: 10.553, 10.555 Federal Award Numbers and Years (or Other Identifying Numbers): FY2023, FY2024 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Finding: Material Weakness Criteria: 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.318(a) states: "The non-Federal entity must use its own documented procurement procedures which reflect applicable State, local, and tribal laws and regulations, provided that the procurements conform to applicable Federal law and the standards identified in this part." 2 CFR 200.320 states in part: "The non-Federal Entity must use one of the following methods of procurement. . . . (b) Procurement by small purchase procedures. Small purchase procedures are those relatively simple and informal procurement methods for securing services, supplies, or other property that do not cost more than the Simplified Acquisition Threshold. If small purchase procedures are used, price or rate quotations must be obtained from an adequate number of qualified sources. Condition: An effective internal control system was not in place at the School Corporation to ensure compliance with requirements related to the Child Nutrition Program and Procurement and Suspension and Debarment compliance requirements. Cause: The School Corporation's management had not developed a system of internal controls that would have ensured compliance with the Procurement and Suspension and Debarment compliance requirement. Effect: The failure to establish an effective internal control system placed the School Corporation at risk of noncompliance with the grant agreement and the compliance requirements. A lack of segregation of duties within an internal control system could have also allowed noncompliance with the compliance requirements and allowed the misuse and mismanagement of federal funds and assets by not having proper oversight, reviews, and approvals over the activities of the programs. Questioned Costs: There were no questioned costs identified. Context: The School Corporation had one vendor which exceeded the simplified acquisition threshold which was selected for testing. The School Corporation was unable to provide any supporting documentation for the procurement process required under School Corporation policy. The sample item amount disbursed was $160,827 for food purchases in FY23. Additionally, the School Corporation did not have any support to show the vendor was not debarred or suspended. Identification as a repeat finding, if applicable: This is a repeat finding from the immediately prior audit. The prior finding number was 2022-003. Recommendation: We recommended that the School Corporation's management establish a system of internal controls related to ensure that the School Corporation’s procurement policy is adhered to and all documentation is maintained for the procurements performed by the School Corporation. Additionally, we recommend management monitor annual vendor activity to ensure vendors that exceed small purchase threshold and suspension and debarment threshold in aggregate are reviewed for potential analysis and suspension and debarment checks required by federal and state regulations. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Information on the federal program: Subject: Child Nutrition Cluster – Internal Controls Federal Agency: Department of Agriculture Federal Program: School Breakfast Program, National School Lunch Program Assistance Listing Number: 10.553, 10.555 Federal Award Numbers and Years (or Other Identifying Numbers): FY2023, FY2024 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Finding: Material Weakness Criteria: 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.318(a) states: "The non-Federal entity must use its own documented procurement procedures which reflect applicable State, local, and tribal laws and regulations, provided that the procurements conform to applicable Federal law and the standards identified in this part." 2 CFR 200.320 states in part: "The non-Federal Entity must use one of the following methods of procurement. . . . (b) Procurement by small purchase procedures. Small purchase procedures are those relatively simple and informal procurement methods for securing services, supplies, or other property that do not cost more than the Simplified Acquisition Threshold. If small purchase procedures are used, price or rate quotations must be obtained from an adequate number of qualified sources. Condition: An effective internal control system was not in place at the School Corporation to ensure compliance with requirements related to the Child Nutrition Program and Procurement and Suspension and Debarment compliance requirements. Cause: The School Corporation's management had not developed a system of internal controls that would have ensured compliance with the Procurement and Suspension and Debarment compliance requirement. Effect: The failure to establish an effective internal control system placed the School Corporation at risk of noncompliance with the grant agreement and the compliance requirements. A lack of segregation of duties within an internal control system could have also allowed noncompliance with the compliance requirements and allowed the misuse and mismanagement of federal funds and assets by not having proper oversight, reviews, and approvals over the activities of the programs. Questioned Costs: There were no questioned costs identified. Context: The School Corporation had one vendor which exceeded the simplified acquisition threshold which was selected for testing. The School Corporation was unable to provide any supporting documentation for the procurement process required under School Corporation policy. The sample item amount disbursed was $160,827 for food purchases in FY23. Additionally, the School Corporation did not have any support to show the vendor was not debarred or suspended. Identification as a repeat finding, if applicable: This is a repeat finding from the immediately prior audit. The prior finding number was 2022-003. Recommendation: We recommended that the School Corporation's management establish a system of internal controls related to ensure that the School Corporation’s procurement policy is adhered to and all documentation is maintained for the procurements performed by the School Corporation. Additionally, we recommend management monitor annual vendor activity to ensure vendors that exceed small purchase threshold and suspension and debarment threshold in aggregate are reviewed for potential analysis and suspension and debarment checks required by federal and state regulations. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Information on the federal program: Subject: Child Nutrition Cluster – Internal Controls Federal Agency: Department of Agriculture Federal Program: School Breakfast Program, National School Lunch Program Assistance Listing Number: 10.553, 10.555 Federal Award Numbers and Years (or Other Identifying Numbers): FY2023, FY2024 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Finding: Material Weakness Criteria: 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.318(a) states: "The non-Federal entity must use its own documented procurement procedures which reflect applicable State, local, and tribal laws and regulations, provided that the procurements conform to applicable Federal law and the standards identified in this part." 2 CFR 200.320 states in part: "The non-Federal Entity must use one of the following methods of procurement. . . . (b) Procurement by small purchase procedures. Small purchase procedures are those relatively simple and informal procurement methods for securing services, supplies, or other property that do not cost more than the Simplified Acquisition Threshold. If small purchase procedures are used, price or rate quotations must be obtained from an adequate number of qualified sources. Condition: An effective internal control system was not in place at the School Corporation to ensure compliance with requirements related to the Child Nutrition Program and Procurement and Suspension and Debarment compliance requirements. Cause: The School Corporation's management had not developed a system of internal controls that would have ensured compliance with the Procurement and Suspension and Debarment compliance requirement. Effect: The failure to establish an effective internal control system placed the School Corporation at risk of noncompliance with the grant agreement and the compliance requirements. A lack of segregation of duties within an internal control system could have also allowed noncompliance with the compliance requirements and allowed the misuse and mismanagement of federal funds and assets by not having proper oversight, reviews, and approvals over the activities of the programs. Questioned Costs: There were no questioned costs identified. Context: The School Corporation had one vendor which exceeded the simplified acquisition threshold which was selected for testing. The School Corporation was unable to provide any supporting documentation for the procurement process required under School Corporation policy. The sample item amount disbursed was $160,827 for food purchases in FY23. Additionally, the School Corporation did not have any support to show the vendor was not debarred or suspended. Identification as a repeat finding, if applicable: This is a repeat finding from the immediately prior audit. The prior finding number was 2022-003. Recommendation: We recommended that the School Corporation's management establish a system of internal controls related to ensure that the School Corporation’s procurement policy is adhered to and all documentation is maintained for the procurements performed by the School Corporation. Additionally, we recommend management monitor annual vendor activity to ensure vendors that exceed small purchase threshold and suspension and debarment threshold in aggregate are reviewed for potential analysis and suspension and debarment checks required by federal and state regulations. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
2024-010: Obtain, Review, and Document System and Organization Control Reports of Third-Party Service Providers Applicable to: Department of Social Services Prior Year Finding Number: 2023-085; 2022-089; 2021-019 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Pandemic EBT Food Benefits - 10.542 Federal Award Number and Year: Not Applicable - 2024 Name of Federal Agency: U.S. Department of Agriculture Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(a) Known Questioned Costs: $0 Social Services continues to not obtain, review, and document System and Organization Controls (SOC) reports, specifically SOC 1, Type 2 reports, to gain assurance over its third-party service providers’ internal controls relevant to financial reporting. SOC 1, Type 2 reports address the service organization’s internal controls and the effect those internal controls may have on the user entity’s financial statements. Social Services uses service organizations to perform functions that are significant to its financial operations such as administering the electronic benefit transfer (EBT) process for several of its public assistance programs. For instance, during fiscal year 2024, one of Social Services’ third-party service providers issued more than $2 billion in financial assistance to beneficiaries on EBT cards. Topic 10305 of the CAPP Manual requires agencies to have adequate interaction with service providers to appropriately understand the service provider’s internal control environment and maintain oversight over service providers to gain assurance over outsourced operations. Additionally, 2 CFR § 200.303(a) requires non-federal entities to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Social Services’ tasks contract administrators with responsibility for obtaining, reviewing, and documenting SOC 1, Type 2 reports. However, contract administrators are often not familiar with the CAPP Manual requirements, and Social Services has not made them aware of the expectations for obtaining, reviewing, and documenting SOC 1, Type 2 reports through a documented policy and procedure. As a result, contract administrators have not been obtaining, reviewing, and documenting SOC 1, Type 2 reports. Without adopting a policy and procedure over SOC 1, Type 2 reports and communicating those expectations to contract administrators, Social Services is unable to ensure its complementary user entity controls are sufficient to support their reliance on the service providers’ control design, implementation, and operating effectiveness. Additionally, Social Services is unable to address any internal control deficiencies and/or exceptions identified in the SOC 1, Type 2 reports. In effect, Social Services is increasing the risk that it will not detect a weakness in a service provider’s environment by not obtaining the necessary SOC 1, Type 2 reports timely or properly documenting its review of the reports. Social Services should designate a resource within the agency, who is knowledgeable of the CAPP Manual and SOC 1, Type 2 report requirements, with responsibility for developing an office-wide policy and procedure that contract administrators can use for obtaining, reviewing, and documenting SOC 1, Type 2 reports. At a minimum, Social Services’ policy and procedure should include the timeframes for obtaining SOC 1, Type 2 reports from service providers, documentation requirements for user entity complementary controls, the steps needed to address internal control deficiencies and/or exceptions found in reviews, and the staff responsible for any corrective actions necessary to mitigate the risk to the Commonwealth until the service provider corrects the deficiency. Thereafter, Social Services should communicate the policy and procedure to all individuals responsible for overseeing service provider operations to ensure compliance with federal and state regulations. Finally, Social Services should retain this information as part of its annual Agency Risk Management and Internal Control Standard certification. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-032: Improve Database Security Applicable to: Department of Education - Direct Aid to Public Education Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Configuration Management; Audit and Accountability ALPT or Cluster Name and ALN: Coronavirus State and Local Fiscal Recovery Funds (CSLFRF) - 21.027; Supporting Effective Instruction State Grants (formerly Improving Teacher Quality State Grants) - 84.367 Federal Award Number and Year: Various - 2024 Name of Federal Agency: U.S. Department of Treasury; U.S. Department of Education Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Education does not implement some of the required controls to protect the database that supports Education’s system of record. The Commonwealth’s Information Security Standard, SEC530 (Security Standard), and industry best practices, such as the Center for Internet Security, prescribe certain required and recommended security controls to safeguard systems that contain or process sensitive data. The Security Standard requires and industry best practices recommend implementing specific controls to reduce unnecessary risk to data confidentiality, integrity, and availability. We communicated three control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. By not meeting the minimum requirements in the Security Standard and not aligning the database’s settings and configurations with industry best practices, Education cannot appropriately manage and maintain the database and ensure data integrity. Education should allocate the necessary resources to ensure database configurations, controls, and processes align with the requirements in the Security Standard and industry best practices. Implementing these controls will help maintain the confidentiality, integrity, and availability of the sensitive and mission critical data stored or processed in the database. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-032: Improve Database Security Applicable to: Department of Education - Direct Aid to Public Education Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Configuration Management; Audit and Accountability ALPT or Cluster Name and ALN: Coronavirus State and Local Fiscal Recovery Funds (CSLFRF) - 21.027; Supporting Effective Instruction State Grants (formerly Improving Teacher Quality State Grants) - 84.367 Federal Award Number and Year: Various - 2024 Name of Federal Agency: U.S. Department of Treasury; U.S. Department of Education Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Education does not implement some of the required controls to protect the database that supports Education’s system of record. The Commonwealth’s Information Security Standard, SEC530 (Security Standard), and industry best practices, such as the Center for Internet Security, prescribe certain required and recommended security controls to safeguard systems that contain or process sensitive data. The Security Standard requires and industry best practices recommend implementing specific controls to reduce unnecessary risk to data confidentiality, integrity, and availability. We communicated three control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. By not meeting the minimum requirements in the Security Standard and not aligning the database’s settings and configurations with industry best practices, Education cannot appropriately manage and maintain the database and ensure data integrity. Education should allocate the necessary resources to ensure database configurations, controls, and processes align with the requirements in the Security Standard and industry best practices. Implementing these controls will help maintain the confidentiality, integrity, and availability of the sensitive and mission critical data stored or processed in the database. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-032: Improve Database Security Applicable to: Department of Education - Direct Aid to Public Education Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Configuration Management; Audit and Accountability ALPT or Cluster Name and ALN: Coronavirus State and Local Fiscal Recovery Funds (CSLFRF) - 21.027; Supporting Effective Instruction State Grants (formerly Improving Teacher Quality State Grants) - 84.367 Federal Award Number and Year: Various - 2024 Name of Federal Agency: U.S. Department of Treasury; U.S. Department of Education Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Education does not implement some of the required controls to protect the database that supports Education’s system of record. The Commonwealth’s Information Security Standard, SEC530 (Security Standard), and industry best practices, such as the Center for Internet Security, prescribe certain required and recommended security controls to safeguard systems that contain or process sensitive data. The Security Standard requires and industry best practices recommend implementing specific controls to reduce unnecessary risk to data confidentiality, integrity, and availability. We communicated three control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. By not meeting the minimum requirements in the Security Standard and not aligning the database’s settings and configurations with industry best practices, Education cannot appropriately manage and maintain the database and ensure data integrity. Education should allocate the necessary resources to ensure database configurations, controls, and processes align with the requirements in the Security Standard and industry best practices. Implementing these controls will help maintain the confidentiality, integrity, and availability of the sensitive and mission critical data stored or processed in the database. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-032: Improve Database Security Applicable to: Department of Education - Direct Aid to Public Education Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Configuration Management; Audit and Accountability ALPT or Cluster Name and ALN: Coronavirus State and Local Fiscal Recovery Funds (CSLFRF) - 21.027; Supporting Effective Instruction State Grants (formerly Improving Teacher Quality State Grants) - 84.367 Federal Award Number and Year: Various - 2024 Name of Federal Agency: U.S. Department of Treasury; U.S. Department of Education Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Education does not implement some of the required controls to protect the database that supports Education’s system of record. The Commonwealth’s Information Security Standard, SEC530 (Security Standard), and industry best practices, such as the Center for Internet Security, prescribe certain required and recommended security controls to safeguard systems that contain or process sensitive data. The Security Standard requires and industry best practices recommend implementing specific controls to reduce unnecessary risk to data confidentiality, integrity, and availability. We communicated three control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. By not meeting the minimum requirements in the Security Standard and not aligning the database’s settings and configurations with industry best practices, Education cannot appropriately manage and maintain the database and ensure data integrity. Education should allocate the necessary resources to ensure database configurations, controls, and processes align with the requirements in the Security Standard and industry best practices. Implementing these controls will help maintain the confidentiality, integrity, and availability of the sensitive and mission critical data stored or processed in the database. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-032: Improve Database Security Applicable to: Department of Education - Direct Aid to Public Education Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Configuration Management; Audit and Accountability ALPT or Cluster Name and ALN: Coronavirus State and Local Fiscal Recovery Funds (CSLFRF) - 21.027; Supporting Effective Instruction State Grants (formerly Improving Teacher Quality State Grants) - 84.367 Federal Award Number and Year: Various - 2024 Name of Federal Agency: U.S. Department of Treasury; U.S. Department of Education Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Education does not implement some of the required controls to protect the database that supports Education’s system of record. The Commonwealth’s Information Security Standard, SEC530 (Security Standard), and industry best practices, such as the Center for Internet Security, prescribe certain required and recommended security controls to safeguard systems that contain or process sensitive data. The Security Standard requires and industry best practices recommend implementing specific controls to reduce unnecessary risk to data confidentiality, integrity, and availability. We communicated three control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. By not meeting the minimum requirements in the Security Standard and not aligning the database’s settings and configurations with industry best practices, Education cannot appropriately manage and maintain the database and ensure data integrity. Education should allocate the necessary resources to ensure database configurations, controls, and processes align with the requirements in the Security Standard and industry best practices. Implementing these controls will help maintain the confidentiality, integrity, and availability of the sensitive and mission critical data stored or processed in the database. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-089: Perform an Evaluation of Student Information System Access Roles Applicable to: Northern Virginia Community College Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Student Financial Assistance Cluster Federal Award Number and Year: Various - 2024 Name of Federal Agency: U.S. Department of Education Type of Compliance Requirement - Criteria: Other - 16 CFR § 200.303(e) Known Questioned Costs: $0 NVCC staff did not properly grant student information system roles and privileges. Specifically, we found seven of 45 (16%) employees have access to financial aid data beyond the requirements to complete their job responsibilities. The underlying cause of improper access is due to management not aligning the assignment of access roles with the concept of least privilege and not properly reviewing access levels of staff. By not properly assigning access based on job responsibilities, NVCC increases the risk it will have employees with improper access levels that do not align with concept of least privilege nor allow for segregation of duties. In accordance with 16 CFR § 200.303(e), the non-federal entity must take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive, or the non-federal entity considers sensitive, consistent with applicable, federal, state, and local laws regarding privacy and responsibility over confidentiality. In addition, the International Organization for Standardization and International Electrotechnical Commission Standard (ISO Standard), states that care should be taken with role-based access control systems to ensure that employees are not granted conflicting roles. Roles should be carefully designed and provisioned to minimize access problems if a role is removed or reassigned. The ISO Standard further states that care should be taken when specifying access control rules to consider establishing rules based on the premise of least privilege. NVCC information security staff and management should perform a thorough evaluation of employees and grant student information system roles based upon the concept of least privilege and considering job responsibilities. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-089: Perform an Evaluation of Student Information System Access Roles Applicable to: Northern Virginia Community College Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Student Financial Assistance Cluster Federal Award Number and Year: Various - 2024 Name of Federal Agency: U.S. Department of Education Type of Compliance Requirement - Criteria: Other - 16 CFR § 200.303(e) Known Questioned Costs: $0 NVCC staff did not properly grant student information system roles and privileges. Specifically, we found seven of 45 (16%) employees have access to financial aid data beyond the requirements to complete their job responsibilities. The underlying cause of improper access is due to management not aligning the assignment of access roles with the concept of least privilege and not properly reviewing access levels of staff. By not properly assigning access based on job responsibilities, NVCC increases the risk it will have employees with improper access levels that do not align with concept of least privilege nor allow for segregation of duties. In accordance with 16 CFR § 200.303(e), the non-federal entity must take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive, or the non-federal entity considers sensitive, consistent with applicable, federal, state, and local laws regarding privacy and responsibility over confidentiality. In addition, the International Organization for Standardization and International Electrotechnical Commission Standard (ISO Standard), states that care should be taken with role-based access control systems to ensure that employees are not granted conflicting roles. Roles should be carefully designed and provisioned to minimize access problems if a role is removed or reassigned. The ISO Standard further states that care should be taken when specifying access control rules to consider establishing rules based on the premise of least privilege. NVCC information security staff and management should perform a thorough evaluation of employees and grant student information system roles based upon the concept of least privilege and considering job responsibilities. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-089: Perform an Evaluation of Student Information System Access Roles Applicable to: Northern Virginia Community College Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Student Financial Assistance Cluster Federal Award Number and Year: Various - 2024 Name of Federal Agency: U.S. Department of Education Type of Compliance Requirement - Criteria: Other - 16 CFR § 200.303(e) Known Questioned Costs: $0 NVCC staff did not properly grant student information system roles and privileges. Specifically, we found seven of 45 (16%) employees have access to financial aid data beyond the requirements to complete their job responsibilities. The underlying cause of improper access is due to management not aligning the assignment of access roles with the concept of least privilege and not properly reviewing access levels of staff. By not properly assigning access based on job responsibilities, NVCC increases the risk it will have employees with improper access levels that do not align with concept of least privilege nor allow for segregation of duties. In accordance with 16 CFR § 200.303(e), the non-federal entity must take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive, or the non-federal entity considers sensitive, consistent with applicable, federal, state, and local laws regarding privacy and responsibility over confidentiality. In addition, the International Organization for Standardization and International Electrotechnical Commission Standard (ISO Standard), states that care should be taken with role-based access control systems to ensure that employees are not granted conflicting roles. Roles should be carefully designed and provisioned to minimize access problems if a role is removed or reassigned. The ISO Standard further states that care should be taken when specifying access control rules to consider establishing rules based on the premise of least privilege. NVCC information security staff and management should perform a thorough evaluation of employees and grant student information system roles based upon the concept of least privilege and considering job responsibilities. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-089: Perform an Evaluation of Student Information System Access Roles Applicable to: Northern Virginia Community College Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Student Financial Assistance Cluster Federal Award Number and Year: Various - 2024 Name of Federal Agency: U.S. Department of Education Type of Compliance Requirement - Criteria: Other - 16 CFR § 200.303(e) Known Questioned Costs: $0 NVCC staff did not properly grant student information system roles and privileges. Specifically, we found seven of 45 (16%) employees have access to financial aid data beyond the requirements to complete their job responsibilities. The underlying cause of improper access is due to management not aligning the assignment of access roles with the concept of least privilege and not properly reviewing access levels of staff. By not properly assigning access based on job responsibilities, NVCC increases the risk it will have employees with improper access levels that do not align with concept of least privilege nor allow for segregation of duties. In accordance with 16 CFR § 200.303(e), the non-federal entity must take reasonable measures to safeguard protected personally identifiable information and other information the federal awarding agency or pass-through entity designates as sensitive, or the non-federal entity considers sensitive, consistent with applicable, federal, state, and local laws regarding privacy and responsibility over confidentiality. In addition, the International Organization for Standardization and International Electrotechnical Commission Standard (ISO Standard), states that care should be taken with role-based access control systems to ensure that employees are not granted conflicting roles. Roles should be carefully designed and provisioned to minimize access problems if a role is removed or reassigned. The ISO Standard further states that care should be taken when specifying access control rules to consider establishing rules based on the premise of least privilege. NVCC information security staff and management should perform a thorough evaluation of employees and grant student information system roles based upon the concept of least privilege and considering job responsibilities. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.