2024-024: Continue Improving IT Risk Management Program
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-014; 2022-030; 2021-026; 2020-027; 2019-063; 2018-025
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Planning; Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to not have a formal and effective IT risk management program that aligns with the requirements in the Security Standard. Since we first issued this finding in 2018, Social Services remediated some risk management and contingency planning issues. However, Social Services continues not to: accurately verify and validate data and system sensitivity ratings; create risk assessments for 90 percent of its sensitive systems; create system security plans for the 55 current systems identified as sensitive; review risk assessments for 100 percent of its existing documentation; and implement corrective actions identified in risk assessments. We communicated the details of these weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms.

The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data.

ISRM and TSD defined and documented a new risk assessment policy and procedure in April 2024. Social Services also established a new risk assessment process that engages system administrators and system owners to complete a risk assessment worksheet to submit to ISRM for evaluation.
ISRM meets with system administrators, system owners, and the Agency Head, to review the resulting risk assessment report and establish a risk mitigation plan. However, Social Services has not yet matured the new risk assessment process due to recently formalizing the process. Social Services established the Cybersecurity Team as part of TSD in fiscal year 2024; therefore, the Cybersecurity Team and ISRM have not yet assessed and integrated the various risk management processes. Additionally, the new risk assessment procedure does not define and document the requirements and processes Social Services must follow to implement the corrective action responsibilities. ISRM should work with TSD, the Cybersecurity Team, and business units to ensure Social Services establishes and maintains an up-to-date sensitive systems list. The Information Security Officer, in conjunction with system and data owners, should classify agency IT systems and data based on sensitivity. Following its new risk assessment procedure and process, ISRM and the Cybersecurity Team should prioritize completing risk assessments and system security plans for its sensitive systems and review those documents annually to validate that the information reflects the current environment. Additionally, TSD should implement security controls to mitigate the risks and vulnerabilities identified in its risk assessments. Improving the IT risk management program will help to ensure the confidentiality, integrity, and availability of the agency’s sensitive systems and mission-essential functions. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.

2024-025: Improve Web Application Security
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-015; 2022-029; 2021-025; 2020-026; 2019-037
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability; Configuration Management; Risk Assessment; System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to not configure a sensitive web application in accordance with the Security Standard. During fiscal year 2024, Social Services remediated two of the five previously identified weaknesses; however, these two weaknesses existed during the fiscal year under review. Additionally, Social Services has not remediated three of the previously identified weaknesses. We communicated the weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms.

The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data.

Lacking and insufficient procedures and processes to manage the web application contributed to the five weaknesses outlined in the separate FOIAE document. Social Services prioritizing other projects also contributed to the weaknesses persisting.

TSD, ISRM, and business owners should work together to remediate the remaining weaknesses to secure the web application and meet the minimum requirements in its internal policies and the Security Standard.
Addressing these weaknesses will help to ensure the confidentiality, integrity, and availability of sensitive and mission-critical data and achieve compliance with both internal policies and the Security Standard. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.

2024-035: Improve Information Security Program and IT Governance
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-027; 2022-022
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Material Weakness
Information System Security Control Family: Information Security Roles and Responsibilities
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to have an insufficient governance structure to manage and maintain its information security program in accordance with the Security Standard. Specifically, Social Services does not assess information security requirements for its information technology (IT) projects and prioritize information security and IT resources to ensure its information security program effectively protects sensitive Commonwealth data in accordance with the Security Standard. We communicated the control weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to its sensitivity and description of security controls.

The Security Standard requires the agency head to maintain an information security program that is sufficient to protect the agency’s IT systems and to ensure the agency documents and effectively communicates the information security program. Not prioritizing IT resources to properly manage its information security program can result in a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external.
The control weaknesses described in the communication marked FOIAE are the result of Social Services not assessing information security requirements prior to project implementation, in addition to Social Services not prioritizing information security within the IT environment. Social Services has hindered its ability to consistently and timely remediate findings from management recommendations issued during prior year audits and bring the information security program in compliance with the Security Standard by not dedicating the necessary IT resources to information security. During fiscal year 2024, Social Services created a cybersecurity team under the Technology Services Division (TSD) to liaise between TSD and the Division of Information Security and Risk Management (ISRM) to help bring the information security program in compliance with the Security Standard. However, due to the magnitude of the project, TSD, the cybersecurity team, ISRM, and the executive team have not yet completed efforts to remediate this finding.

TSD, ISRM, and Social Services’ Cybersecurity and Executive teams should continue to work together to bring the IT security program in compliance with the Security Standard. TSD and ISRM should continue to evaluate IT resource levels to ensure sufficient resources are available and dedicated to prioritizing and implementing IT governance changes and address the control deficiencies discussed in the communication marked FOIAE. Additionally, Social Services should evaluate the organizational placement of the Information Security Officer (ISO) to ensure effective implementation of the information security program and controls. Implementing these recommendations will help to ensure Social Services protects the confidentiality, integrity, and availability of its sensitive and mission-critical data.
Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.

2024-041: Evaluate Separation of Duty Conflicts within the Case Management System
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-034
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Benefit Programs, which is the owner of Social Services’ case management system, has not performed nor documented a conflicting access review to identify the combination of roles that could pose a separation of duties conflict or to ensure compensating controls are in place to mitigate risks arising from those conflicts. Social Services uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF, LIHEAP, and TANF federal grant programs. Social Services authorized over $17 billion in public assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2024.

The Security Standard requires the agency to separate duties of individuals as necessary, document separation of duties of individuals, and define information system access authorizations to support the separation of duties. Further, Social Services’ Information Security Policy states that the system owner is responsible for identifying and documenting separation of duties of individuals and defining system access authorizations to support separation of duties.

Without performing and documenting a conflicting access review, Social Services does not know which combination of roles may pose a separation of duties conflict and is unable to implement compensating controls.
In effect, this increases the possibility of a system breach or other malicious attack on Social Services’ data and places Social Services’ reputation at risk. Benefit Programs has not yet begun their corrective action efforts and ISRM has not included this finding in its Plan of Actions and Milestones (POAM) report, which is its internal corrective action plan that it shares with Social Services’ Executive Team. As a result, Social Services’ Executive Team was not aware that Social Services continues to be non-compliant with the Security Standard and its Information Security Policy. According to Social Services’ Organizational Structure Report, ISRM provides guidance to system owners about security requirements and is ultimately responsible for protecting Social Services’ information systems by addressing security compliance and risk. Benefit Programs should conduct a conflicting access review for the case management system and collaborate with ISRM to ensure it performs and documents this review in accordance with Social Services’ Information Security Policy. Additionally, ISRM should monitor this finding’s progress through its POAM report and provide periodic updates to Social Services’ Executive Team. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.

2024-042: Perform Annual Review of Case Management System Access
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-035
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Access Control
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Benefit Programs, which is the owner of Social Services’ case management system, continues to not perform the required annual access review. Social Services uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF, LIHEAP, and TANF federal grant programs. Social Services authorized over $17 billion in public assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2024.

The Security Standard requires the agency to review accounts for compliance with account management on an annual basis. Additionally, ISRM’s Procedures Manual for State and Local Security Officers requires system owners and security officers to review user access privileges annually. System owners and security officers must complete this review within 364 days from the completion date of the last security review. Benefit Programs last completed a security review over the case management system in June 2022.

Benefit Programs is responsible for obtaining the case management system’s access listing from ISRM, coordinating the annual review with the security officers, and working with ISRM to modify user access privileges as necessary.
However, Benefit Programs did not perform the required annual access review for the case management system because it did not initiate the process with ISRM, and ISRM did not include this finding in its POAM report, which is its internal corrective action plan that it shares with Social Services’ Executive Team. As a result, Social Services’ Executive Team was not aware that Social Services continues to be non-compliant with the Security Standard and its Procedures Manual for State and Local Security Officers. According to Social Services’ Organizational Structure Report, ISRM provides guidance to System Owners about security requirements and is ultimately responsible for protecting Social Services’ information systems by addressing security compliance and risk. Social Services increases the risk of improper or unnecessary access to sensitive systems by not reviewing access to the case management system annually, which could potentially result in a system breach or other malicious attack on Social Services’ data and adversely affect its reputation. Benefit Programs should perform the required annual security review for the case management system and collaborate with ISRM to ensure it completes this review in accordance with the Procedures Manual for State and Local Officers. Additionally, ISRM should monitor this finding’s progress through its POAM report and provide periodic updates to Social Services’ Executive Team. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.

2024-047: Continue Improving IT Change and Configuration Management Process
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-049; 2022-052; 2021-049; 2020-044; 2019-038
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Configuration Management
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services continues to improve its IT change and configuration management process to align with the Security Standard. Change management is a key control to evaluate, approve, and verify configuration changes to security components. Two weaknesses remain since our last review, which we communicated to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms.

The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data.

Social Services’ Change Management Process Guide details the process Social Services follows to manage changes, but does not include all the required elements, which contributed to the weaknesses remaining. Additionally, Social Services migrated to a new change management system of record in October 2023, which also contributed to the delay in remediating the remaining issues due to Social Services prioritizing the migration project.
Not prioritizing and aligning IT change management processes with the Security Standard increases the risk of a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption if accessed by a malicious attacker, either internal or external. Social Services should resolve the remaining two weaknesses discussed in the communication marked FOIAE in accordance with the Security Standard. Continuing to improve Social Services’ IT change and configuration management process will decrease the risk of unauthorized modifications to sensitive systems and help maintain the confidentiality, integrity, and availability of sensitive and mission-critical data. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.

2024-053: Improve Vulnerability Remediation Efforts
Applicable to: Department of Medical Assistance Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Risk Assessment
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Medical Assistance Services does not install security patches to mitigate vulnerabilities within its IT environment in accordance with its Vulnerability Scan Management procedure. Specifically, as of November 2024, Medical Assistance Services identified a significant number of vulnerabilities classified with a severity of critical and high and numerous vulnerabilities with a severity of medium or low in its IT environment that remained unmitigated beyond the time limits set in its procedure.

Medical Assistance Services’ procedure requires the agency to mitigate and validate vulnerabilities within the following timeframes, depending on the vulnerability’s severity rating:
- High-severity flaws within 30 calendar days;
- Medium-severity flaws within 60 calendar days; and
- All others within 90 calendar days.

Additionally, the Security Standard requires Medical Assistance Services to “monitor and scan for vulnerabilities in the system and hosted applications at least once every 30 days, and when new vulnerabilities potentially affecting the system are identified and reported.” The Security Standard also requires Medical Assistance Services to remediate legitimate vulnerabilities within 30 days unless otherwise specified by Commonwealth Security Risk Management (CSRM) in accordance with an organizational assessment of risk.
The Commonwealth’s IT Risk Management Standard, SEC520 (Risk Management Standard) requires Medical Assistance Services to “fix vulnerabilities within 30 days of a fix becoming available that are either rated as critical or high according to the National Vulnerability Database or otherwise identified by CSRM.” Additionally, the Risk Management Standard requires Medical Assistance Services to remediate all other vulnerabilities within 90 days of a fix becoming available and acquire an approved security exception for the vulnerability should Medical Assistance Services not remediate it within the timeframes identified. Software vulnerabilities are publicly known flaws that bad actors may exploit and use to circumvent organizational information security controls to infiltrate a network or application. The longer these vulnerabilities exist in an environment, the higher the risk of a compromise and unauthorized access to sensitive and mission-critical systems and data. It is therefore imperative for organizations to respond quickly and mitigate these publicly known flaws as soon as possible. Without appropriate software patching and vulnerability management controls, Medical Assistance Services increases the risk of unauthorized access to sensitive and mission-critical systems. Medical Assistance Services lacks the staffing necessary to remediate the high number of vulnerabilities detected within the timeframes required by its Vulnerability Scan Management procedure. Medical Assistance Services should allocate the necessary resources to apply patches within the Vulnerability Scan Management procedure’s required timeframe to mitigate the vulnerabilities affecting its IT environment. If Medical Assistance Services is unable to mitigate vulnerabilities within the required timeframe, it should obtain an extension approval from CSRM that is based on an organizational assessment of risk. 
Timely remediation of significant vulnerabilities will help protect the confidentiality, integrity, and availability of Medical Assistance Services’ sensitive and mission-critical information. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.

2024-058: Conduct Information Technology Security Audits
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-056
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Audit and Accountability
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services is making progress in conducting a comprehensive IT security audit on each sensitive system at least once every three years. While Social Services conducted an IT security audit over an additional 22 percent of its sensitive systems, 14 of the 79 sensitive systems (18%) due for an IT Security Audit remain unaudited. Social Services indicates it is on track to complete the remaining IT security audits by the end of calendar year 2025.

The Security Standard requires that each IT system classified as sensitive undergo an IT security audit as required by and in accordance with the current version of the Commonwealth’s IT Security Audit Standard, SEC502 (IT Audit Standard). The IT Audit Standard requires that IT systems containing sensitive data, or systems with an assessed sensitivity of high on any of the criteria of confidentiality, integrity, or availability, shall receive an IT security audit at least once every three years.

Without conducting full IT security audits for each sensitive system every three years, Social Services increases the risk that IT staff will not detect and mitigate existing weaknesses. Malicious parties taking advantage of continued weaknesses could compromise sensitive and confidential data. Further, such security incidents could lead to mission-critical systems being unavailable.
During fiscal year 2024, Social Services’ Audit Services Manager collaborated with the business divisions, TSD, and ISRM to schedule and conduct audits. However, Social Services did not perform the remaining IT security audits due to the large number of sensitive systems requiring an audit. Lack of a documented procedure and process for conducting IT security audits also contributed to the lapse in IT security audits conducted over the last three years.

Social Services should define and document a formal procedure and process for conducting IT security audits over each sensitive system at least once every three years that tests the effectiveness of the IT security controls and their compliance with Security Standard requirements. Social Services should then complete all outstanding IT security audits to ensure it meets the Security Standard requirements. Compliance with the IT Audit Standard will help to ensure the confidentiality, integrity, and availability of sensitive and mission-critical data.

Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.

2024-061: Develop and Provide Role-Based Security Awareness Training to System Administrators and Data Custodians
Applicable to: Department of Social Services
Prior Year Finding Number: N/A
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: Awareness and Training
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

ISRM does not provide applicable role-based training to system administrators or data custodians that have security roles and responsibilities with elevated privileges. Additionally, ISRM does not document a procedure that outlines the steps it follows to administer the role-based training.

An established security awareness training program is essential to protecting agency IT systems and data by ensuring that employees understand their roles and responsibilities in securing sensitive information at the agency. Social Services’ Awareness and Training Policy requires that Social Services’ Information Security Officer or designee provide role-based security and privacy training to personnel with the roles and responsibilities of system administrator and data custodian. Social Services’ Security Awareness and Training Policy and the Security Standard also require that Social Services administer role-based training to personnel before authorizing access to the system, information, or performing assigned duties; and annually thereafter, as well as when required by system changes.

Without providing role-based training to all personnel with security-related roles, including personnel with the roles and responsibilities of system administrator and data custodian, Social Services increases the risk of human error and negligence.
Additionally, lack of adequate role-based training increases the risk that users will be unaware or lack pertinent skills and knowledge to perform their security-related functions, resulting in an increased security risk. ISRM did not provide role-based training to personnel with designated information security roles due to competing priorities. Additionally, although the Awareness and Training Policy requires role-based training, Social Services does not define and document their process to provide role-based training to personnel with security-related functions, such as the specific training that each role should take, the deadline for role-based training completion, and the enforcement measure resulting from not completing the role-based training timely. ISRM should develop procedures that detail the process to provide role-based training to personnel with designated security roles. ISRM should also develop and administer role-based training for systems administrators and data custodians. Improving the security awareness training program will help protect Social Services from malicious attempts to compromise the confidentiality, integrity, and availability of sensitive data. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.

2024-064: Upgrade End-of-Life Technology
Applicable to: Department of Social Services
Prior Year Finding Number: 2023-058; 2022-060
Type of Finding: Internal Control and Compliance
Severity of Deficiency: Significant Deficiency
Information System Security Control Family: System and Information Integrity
ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778
Federal Award Number and Year: 2405VA5MAP - 2024
Name of Federal Agency: U.S. Department of Health and Human Services
Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e)
Known Questioned Costs: $0

Social Services uses end-of-life (EOL) technologies in its IT environment and maintains technologies that support mission-essential data on IT systems running software that its vendors no longer support. We communicated the control weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms.

The Security Standard prohibits agencies from using software that is EOL and which the vendor no longer supports to reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ information systems and data.

In May 2024, Social Services established a Cybersecurity Team to track and manage technologies but has not yet completed their processes. Using EOL technologies increases the risk of successful cyberattack, exploit, and data breach by malicious parties. Further, vendors do not offer operational and technical support for EOL or end-of-support technology, which affects data availability by increasing the difficulty of restoring system functionality if a technical failure occurs.

Social Services should dedicate the necessary resources to evaluate and implement the controls and recommendations discussed in the communication marked FOIAE in accordance with the Security Standard.
By dedicating the necessary resources to evaluate and implement these controls and recommendations, Social Services will help to ensure that it adequately secures its IT environment and systems. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-067: Continue Developing Record Retention Requirements and Processes for Electronic Records Applicable to: Department of Social Services Prior Year Finding Number: 2023-066; 2022-064; 2021-047; 2020-041; 2019-049; 2018-054 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Contingency Planning ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services continues to operate without an adequate data retention process that ensures consistent compliance with retention requirements for its case management system and adherence to federal regulations and state law. Social Services’ case management system stores several types of federal benefit program records with varying retention requirements supporting ten programs and services, such as the Medical Assistance (Medicaid), Supplemental Nutrition Assistance (SNAP), Child Care and Development Fund (CCDF), LIHEAP, and TANF federal grant programs. Social Services’ case management system authorized over $17 billion in public assistance payments to beneficiaries from these federal programs during fiscal year 2024. Since fiscal year 2019, Social Services gathered retention requirements from the business divisions that support the federal programs and services. In fiscal year 2022, Social Services finalized and documented policies with retention requirements for the data sets handled by each of the ten programs and services supported by its case management system. 
Social Services determined that due to the risk and complexity of the project, as well as changes to federal requirements since its first analysis, the retention requirements for all ten programs and services supported by its case management system were not feasible as a single release. Therefore, Social Services planned a phased delivery approach including multiple releases. In November 2023, Social Services defined and documented a purge and retention design document to implement Release 1 of the record purge and retention project for its case management system. Social Services subsequently implemented Release 1 of the record purge and retention project in February 2024. However, Social Services has not completed the process to implement the records retention policies for each of the programs and services to ensure consistent retention and destruction of records in compliance with regulations and laws. Title 45 CFR § 155.1210 governs record retention for Medicaid and requires state agencies to maintain records for ten years. Additionally, the Virginia Public Records Act outlined in § 42.1-91 of the Code of Virginia makes an agency responsible for ensuring that it preserves, maintains, and makes accessible public records throughout their lifecycle, including converting and migrating electronic records as often as necessary so that an agency does not lose information due to hardware, software, or media obsolescence or deterioration. Furthermore, the Virginia Public Records Act in § 42.1-86.1 of the Code of Virginia details requirements for the disposition of records. Section 42.1-86.1 requires that records created after July 1, 2006, and authorized to be destroyed or discarded, must be discarded in a timely manner and in accordance with the provisions of Chapter 7 of the Virginia Public Records Act.
Further, records that contain identifying information as defined by subsection C of § 18.2-186.3 of the Code of Virginia shall be destroyed within six months of the expiration of the records retention period. Finally, the Security Standard requires agencies to implement backup and restoration plans that address the retention of the data in accordance with the records retention policy for every IT system identified as sensitive relative to availability. Without implementing records retention requirements, Social Services increases the risk of a data or privacy breach. Additionally, destroying documents that should be available for business processes or audit, or keeping data longer than stated, could expose Social Services to fines, penalties, or other legal consequences. Further, Social Services may not be able to ensure that backup and restoration efforts will provide mission critical information according to recovery times. Finally, retaining records longer than necessary causes the Commonwealth to spend additional resources to maintain, back-up, and protect information that no longer serves a business purpose. The magnitude and complexity of effectively implementing a retention and purge process for an integrated eligibility system delayed completion of the record purge and retention project. Additionally, following Release 1 implementation, Social Services identified an additional required element of the purge and retention project. For these reasons, Social Services plans to update the purge and retention design document and implement Release 2 in February 2025. Further, Social Services plans to complete the purge and retention project with the final release, Release 3, by September 2025. Social Services should complete the record purge and retention project for its case management system and, thereafter, implement consistent records retention and destruction processes across business divisions to ensure compliance with laws and regulations. 
Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-068: Monitor Internal Controls to Ensure Timely Removal of System Access Applicable to: Department of Social Services Prior Year Finding Number: 2023-043; 2022-059; 2021-038; 2021-027; 2020-025; 2019-027; 2018-042 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: Personnel Security ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services continues to implement internal controls to monitor the timely removal of system access. The Security Standard requires the organization to disable information system access within 24 hours of employment termination. In response to the prior audit recommendations, ISRM developed an overarching policy governing system access that addresses the timely removal of system access and Social Services’ Division of Human Resources developed a policy to ensure supervisors follow the appropriate steps to offboard separated employees. Additionally, ISRM and the Division of Human Resources worked collaboratively to develop a process to identify individuals whose separation did not follow the offboarding policy and manually removed their access from Social Services’ access management system. However, because of the extent of its corrective actions, Social Services was not able to implement all of its planned corrective actions by the end of fiscal year 2024. Social Services administers numerous public assistance programs that collect personally identifiable information and other protected information from beneficiaries. Social Services could place its data and reputation at risk by not removing access timely.
Additionally, Social Services could incur potential financial liabilities should its information become compromised. Therefore, Social Services should continue its corrective action efforts to implement internal controls to monitor the timely removal of system access. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-071: Continue to Ensure ITISP Suppliers Meet All Contractual Requirements Applicable to: Virginia Information Technologies Agency Prior Year Finding Number: 2023-072; 2022-100; 2021-023; 2020-070 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 VITA has made significant progress to monitor and enforce the contractual requirements for the Information Technology Infrastructure Services Program (ITISP) suppliers. During fiscal year 2024, VITA and the Multisource Service Integration (MSI) continued to evaluate the current service level measurements to ensure they align with the Commonwealth’s needs. VITA and the MSI monitored the service level related to security and vulnerability patching for the entire fiscal year. The requirements of this service level for fiscal year 2024 included a Common Vulnerabilities and Exposures (CVE) threshold, which required that ITISP suppliers install any patch with a CVE score above the threshold within 60 days. If the supplier did not meet the service level threshold, VITA enforced a credit for the Commonwealth. Although VITA monitored the service levels implemented in the prior year, not enough time has passed to prove the effects of the consequences enforced. Our audits at various agencies for fiscal year 2024 found critical and highly important security patches not installed within 30 days as required by the Commonwealth’s Information Security Standard, SEC530 (Security Standard). As a result, the systems missing critical security updates are at an increased risk of cyberattack, exploitation, and data breach by malicious parties. 
When ITISP suppliers do not meet all contractual requirements (e.g., Service Level Agreements, Critical Deliverables, etc.) it impacts the ability of Commonwealth agencies that rely on the ITISP services to comply with the Security Standard. The Security Standard is a baseline for information security and risk management activities for Commonwealth agencies. Many agencies rely on services provided through ITISP suppliers to ensure compliance with the Security Standard. For example, the Security Standard requires the installation of security-relevant software and firmware updates within at least 30 days of the update’s release or within a timeframe approved by Commonwealth Security and Risk Management (CSRM). Commonwealth agencies rely on the ITISP suppliers for the installation of security patches in systems that support agencies’ operations. Additionally, during fiscal year 2024, VITA continued to work with the managed security supplier to address the inability of agencies to access the audit log information in the managed detection and response (MDR) platform. VITA implemented a separate security and event management (SIEM) tool at the end of October 2023 to expand agencies’ capabilities to monitor audit log information. While the supplier implemented the MDR platform, VITA and the supplier determined to replace the MDR platform with the VITA-managed SIEM tool as the permanent audit log monitoring tool. However, while the SIEM tool is in production, it also does not include all audit log information in a usable format to allow agencies to adequately monitor their IT environments. The Security Standard requires agencies to review and analyze audit records at least every 30 days for indications of inappropriate or unusual activity. Our audits of various agencies for fiscal year 2024 found that agencies rely on VITA and ITISP suppliers to provide access to a centralized monitoring tool that collects audit log information about activities in the IT environment.
Although the supplier was performing audit logging and monitoring, most agencies were unable to obtain access to the audit log information during fiscal year 2024, and thus, were not able to comply with the Security Standard requirements related to audit log monitoring. An inability for all agencies to review and monitor their individual audit logs increases the risk associated with the Commonwealth’s data confidentiality, integrity, and availability. To ensure all agencies that rely on the ITISP’s services comply with the Security Standard, VITA should ensure suppliers meet all contractual requirements (e.g., Service Level Agreements, Critical Deliverables, etc.). If VITA determines suppliers are not meeting these requirements, VITA should implement escalation procedures to compel the ITISP services to comply with the contractual requirements. Additionally, VITA should communicate with the affected agencies and provide guidance on what the agencies can do to comply with the Security Standard while the suppliers work to meet the requirements of the contract. VITA should also continue working with the ITISP suppliers and agencies to import audit log information to the SIEM tool to ensure agencies can review the activities occurring in their IT environments in accordance with the Security Standard. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-082: Perform Responsibilities Outlined in the Agency Monitoring Plan Applicable to: Department of Social Services Prior Year Finding Number: 2023-097; 2022-011; 2021-070; 2020-074; 2019-090; 2018-093 Type of Finding: Internal Control and Compliance Severity of Deficiency: Material Weakness Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.303(a); 2 CFR § 200.332 Known Questioned Costs: $0 Compliance continues to not adhere to its established approach to oversee the agency’s subrecipient monitoring activities, as outlined in its Agency Monitoring Plan. According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps to ensure adherence to state and federal legal and regulatory standards, including subrecipient monitoring. During fiscal year 2024, Social Services disbursed approximately $660 million to 342 subrecipients from 30 federal grant programs. During the audit, we noted the following deviations from the Agency Monitoring Plan: Compliance continues to not review programmatic division annual subrecipient monitoring plans to ensure they implement a risk-based approach. The Agency Monitoring Plan states that Compliance will use a Monitoring Plan Checklist to evaluate and determine if all the required elements for subrecipient monitoring are present in each division’s plan. Compliance does not hold monthly meetings with Subrecipient Monitoring Coordinators, as required by the Agency Monitoring Plan, where divisions can share information concerning risks and federal and/or grant-specific requirements, approaches to assessing risk, and changes that could affect subrecipients and the monitoring processes. 
Compliance has not reviewed each division’s monitoring activities nor provided quarterly reports of variances and noncompliance from the Agency Monitoring Plan to Social Services’ executive team. As a result, Compliance did not identify that the Division of Benefit Programs (Benefit Programs) did not complete risk assessments for 50 of its 324 (15%) locality subrecipients, properly document considerations for localities with elevated risks, nor perform adequate risk assessments for their non-locality subrecipients. Since the prior audit, Compliance has communicated the Agency Monitoring Plan to the Subrecipient Monitoring Coordinators. Additionally, Compliance has worked with Social Services’ Executive Team to secure funding for a grants management system and additional subrecipient monitor positions. However, Compliance has yet to establish a timeline for when it intends for the system to be fully functional and has not explored alternate options to comply with its Agency Monitoring Plan. Further, Compliance has not collaborated with Subrecipient Monitoring Coordinators to determine how the agency collectively plans to accomplish the goals and objectives set forth within the Agency Monitoring Plan. Collaboration between Compliance and Subrecipient Monitoring Coordinators is imperative to ensuring that Social Services complies with the pass-through entity requirements in 2 CFR § 200.332. Title 2 CFR § 200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot assure that the agency’s subrecipient monitoring efforts are adequate to comply with the regulations at 2 CFR § 200.332. 
Additionally, Compliance places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards by not monitoring the agency’s subrecipient monitoring activities. Because of the scope of this matter and the magnitude of Social Services’ subrecipient monitoring responsibilities, we consider these weaknesses collectively to create a material weakness in internal controls over compliance. Compliance should work collaboratively with Social Services’ Executive Team and the subrecipient monitoring coordinators to fulfil the agency’s responsibilities in the Agency Monitoring Plan. Further, Compliance should explore alternative solutions to track and monitor each division’s subrecipient monitoring activities and report the results to the Executive Team until it develops and implements its grants management system. Evaluating alternative solutions will help Social Services mitigate the risk of incurring federal sanctions because of non-compliance. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
FINDING 2024-001 Subject: Child Nutrition Cluster Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program, Summer Food Service Program for Children, Fresh Fruit and Vegetable Program Assistance Listings Numbers: 10.553, 10.555, 10.559, 10.582 Federal Award Numbers and Years (or Other Identifying Numbers): FY23 & FY24, FY24 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Findings: Material Weakness, Other Matters Condition and Context The School Corporation had not properly designed or implemented a system of internal controls, which would include appropriate segregation of duties, that would likely be effective in preventing, or detecting and correcting, noncompliance related to the Procurement and Suspension and Debarment compliance requirement. Prior to entering into subawards and covered transactions with federal award funds, recipients are required to verify that such contractors and subrecipients are not suspended, debarred, or otherwise excluded. "Covered transactions" include, but are not limited to, contracts for goods and services awarded under a nonprocurement transaction (i.e., grant agreement) that are expected to equal or exceed $25,000. The verification is to be done by checking the SAM.gov Exclusions, collecting a certification from that vendor, or adding a clause or condition to the covered transaction with that vendor. During the audit period, the School Corporation had expenditures exceeding $25,000 for one vendor. For this vendor, no evidence was provided for audit to show that the School Corporation had verified, prior to entering into the transaction, that the vendor was not suspended, debarred, or otherwise excluded. The lack of internal controls and noncompliance was isolated to FY24.
Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." INDIANA STATE BOARD OF ACCOUNTS 16 GREENWOOD COMMUNITY SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) 2 CFR 180.300 states: "When you enter into a covered transaction with another person at the next lower tier, you must verify that the person with whom you intend to do business is not excluded or disqualified. You do this by: (a) Checking the SAM.gov Exclusions, or (b) Collecting a certification from that person, or (c) Adding a clause or condition to the covered transaction with that person." 2 CFR 180.220 states: "(a) Covered transactions under this part - (1) Do not include any procurement contracts awarded directly by a Federal agency; but (2) Do include some procurement contracts awarded by non-Federal participants in nonprocurement covered transactions. (b) Specifically, a contract for goods or services is a covered transaction if any of the following applies: (1) The contract is awarded by a participant in a nonprocurement transaction that is covered under §180.210, and the amount of the contract is expected to equal or exceed $25,000. (2) The contract requires the consent of an official of a Federal agency. In that case, the contract, regardless of the amount, always is a covered transaction, and it does not matter who awarded it. 
For example, it could be a subcontract awarded by a contractor at a tier below a nonprocurement transaction, as shown in the appendix to this part. (3) The contract is for Federally required audit services. (c) A subcontract also is a covered transaction if, (1) It is awarded by a participant in a procurement transaction under a nonprocurement transaction of a Federal agency that extends the coverage of paragraph (b)(1) of this section to additional tiers of contracts (see the diagram in the appendix to this part showing that optional lower tier coverage); and (2) The value of the subcontract is expected to equal or exceed $25,000." Cause Management had not developed or implemented a system of internal controls that would have ensured compliance with the grant agreement and the Procurement and Suspension and Debarment compliance requirement. This happened because of a change in staffing where more than one person completed the process. Effect Without the proper implementation of an effectively designed system of internal controls, the internal control system cannot be capable of effectively preventing, or detecting and correcting, material noncompliance. Noncompliance with the Procurement and Suspension and Debarment compliance requirement could result in a contract being awarded to a company that was suspended and debarred. Questioned Costs There were no questioned costs identified. Recommendation We recommended that the management of the School Corporation establish a proper system of internal controls to ensure compliance and comply with the grant agreement and the Procurement and Suspension and Debarment compliance requirement. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2024-001 Subject: Child Nutrition Cluster Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program, Summer Food Service Program for Children, Fresh Fruit and Vegetable Program Assistance Listings Numbers: 10.553, 10.555, 10.559, 10.582 Federal Award Numbers and Years (or Other Identifying Numbers): FY23 & FY24, FY24 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Findings: Material Weakness, Other Matters Condition and Context The School Corporation had not properly designed or implemented a system of internal controls, which would include appropriate segregation of duties, that would likely be effective in preventing, or detecting and correcting, noncompliance related to the Procurement and Suspension and Debarment compliance requirement. Prior to entering into subawards and covered transactions with federal award funds, recipients are required to verify that such contractors and subrecipients are not suspended, debarred, or otherwise excluded. "Covered transactions" include, but are not limited to, contracts for goods and services awarded under a nonprocurement transaction (i.e., grant agreement) that are expected to equal or exceed $25,000. The verification is to be done by checking the SAMs exclusions, collecting a certification from that vendor, or adding a clause or condition to the covered transaction with that vendor. During the audit period, the School Corporation had expenditures exceeding $25,000 for one vendor. For this vendor, there was no evidence provided for audit to verify that the vendor was verified to not be suspended, debarred, or otherwise excluded, prior to entering into the transaction. The lack of internal controls and noncompliance was isolated to FY24. 
Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." INDIANA STATE BOARD OF ACCOUNTS 16 GREENWOOD COMMUNITY SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) 2 CFR 180.300 states: "When you enter into a covered transaction with another person at the next lower tier, you must verify that the person with whom you intend to do business is not excluded or disqualified. You do this by: (a) Checking the SAM.gov Exclusions, or (b) Collecting a certification from that person, or (c) Adding a clause or condition to the covered transaction with that person." 2 CFR 180.220 states: "(a) Covered transactions under this part - (1) Do not include any procurement contracts awarded directly by a Federal agency; but (2) Do include some procurement contracts awarded by non-Federal participants in nonprocurement covered transactions. (b) Specifically, a contract for goods or services is a covered transaction if any of the following applies: (1) The contract is awarded by a participant in a nonprocurement transaction that is covered under §180.210, and the amount of the contract is expected to equal or exceed $25,000. (2) The contract requires the consent of an official of a Federal agency. In that case, the contract, regardless of the amount, always is a covered transaction, and it does not matter who awarded it. 
For example, it could be a subcontract awarded by a contractor at a tier below a nonprocurement transaction, as shown in the appendix to this part. (3) The contract is for Federally required audit services. (c) A subcontract also is a covered transaction if, (1) It is awarded by a participant in a procurement transaction under a nonprocurement transaction of a Federal agency that extends the coverage of paragraph (b)(1) of this section to additional tiers of contracts (see the diagram in the appendix to this part showing that optional lower tier coverage); and (2) The value of the subcontract is expected to equal or exceed $25,000." Cause Management had not developed or implemented a system of internal controls that would have ensured compliance with the grant agreement and the Procurement and Suspension and Debarment compliance requirement. This happened because of a change in staffing where more than one person completed the process. INDIANA STATE BOARD OF ACCOUNTS 17 GREENWOOD COMMUNITY SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Effect Without the proper implementation of an effectively designed system of internal controls, the internal control system cannot be capable of effectively preventing, or detecting and correcting, material noncompliance. Noncompliance with the Procurement and Suspension and Debarment compliance requirement could result in a contract to be awarded to a company that was suspended and debarred. Questioned Costs There were no questioned costs identified. Recommendation We recommended that the management of the School Corporation establish a proper system of internal controls to ensure compliance and comply with the grant agreement and the Procurement and Suspension and Debarment compliance requirement. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2024-001 Subject: Child Nutrition Cluster Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program, Summer Food Service Program for Children, Fresh Fruit and Vegetable Program Assistance Listings Numbers: 10.553, 10.555, 10.559, 10.582 Federal Award Numbers and Years (or Other Identifying Numbers): FY23 & FY24, FY24 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Findings: Material Weakness, Other Matters Condition and Context The School Corporation had not properly designed or implemented a system of internal controls, which would include appropriate segregation of duties, that would likely be effective in preventing, or detecting and correcting, noncompliance related to the Procurement and Suspension and Debarment compliance requirement. Prior to entering into subawards and covered transactions with federal award funds, recipients are required to verify that such contractors and subrecipients are not suspended, debarred, or otherwise excluded. "Covered transactions" include, but are not limited to, contracts for goods and services awarded under a nonprocurement transaction (i.e., grant agreement) that are expected to equal or exceed $25,000. The verification is to be done by checking the SAMs exclusions, collecting a certification from that vendor, or adding a clause or condition to the covered transaction with that vendor. During the audit period, the School Corporation had expenditures exceeding $25,000 for one vendor. For this vendor, there was no evidence provided for audit to verify that the vendor was verified to not be suspended, debarred, or otherwise excluded, prior to entering into the transaction. The lack of internal controls and noncompliance was isolated to FY24. 
Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 180.300 states: "When you enter into a covered transaction with another person at the next lower tier, you must verify that the person with whom you intend to do business is not excluded or disqualified. You do this by: (a) Checking the SAM.gov Exclusions, or (b) Collecting a certification from that person, or (c) Adding a clause or condition to the covered transaction with that person." 2 CFR 180.220 states: "(a) Covered transactions under this part - (1) Do not include any procurement contracts awarded directly by a Federal agency; but (2) Do include some procurement contracts awarded by non-Federal participants in nonprocurement covered transactions. (b) Specifically, a contract for goods or services is a covered transaction if any of the following applies: (1) The contract is awarded by a participant in a nonprocurement transaction that is covered under §180.210, and the amount of the contract is expected to equal or exceed $25,000. (2) The contract requires the consent of an official of a Federal agency. In that case, the contract, regardless of the amount, always is a covered transaction, and it does not matter who awarded it.
For example, it could be a subcontract awarded by a contractor at a tier below a nonprocurement transaction, as shown in the appendix to this part. (3) The contract is for Federally required audit services. (c) A subcontract also is a covered transaction if, (1) It is awarded by a participant in a procurement transaction under a nonprocurement transaction of a Federal agency that extends the coverage of paragraph (b)(1) of this section to additional tiers of contracts (see the diagram in the appendix to this part showing that optional lower tier coverage); and (2) The value of the subcontract is expected to equal or exceed $25,000." Cause Management had not developed or implemented a system of internal controls that would have ensured compliance with the grant agreement and the Procurement and Suspension and Debarment compliance requirement. This happened because of a change in staffing where more than one person completed the process. Effect Without the proper implementation of an effectively designed system of internal controls, the internal control system cannot be capable of effectively preventing, or detecting and correcting, material noncompliance. Noncompliance with the Procurement and Suspension and Debarment compliance requirement could result in a contract being awarded to a company that was suspended and debarred. Questioned Costs There were no questioned costs identified. Recommendation We recommended that the management of the School Corporation establish a proper system of internal controls to ensure compliance and comply with the grant agreement and the Procurement and Suspension and Debarment compliance requirement. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
Information on the federal program: Subject: Education Stabilization Fund – Special Tests and Provisions – Wage Rate Requirements Federal Agency: Department of Education Federal Program: COVID-19 – Education Stabilization Fund Assistance Listing Number: 84.425D, 84.425U Federal Award Number and Year (or Other Identifying Numbers): S425D210013, S425U210013 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Special Tests and Provisions – Wage Rate Requirements Audit Finding: Material Weakness, Material Noncompliance, Modified Opinion Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 29 CFR 5.5 states in part: (a) The Agency head shall cause or require the contracting officer to insert in full in any contract in excess of $2,000 which is entered into for the actual construction, alteration and/or repair, including painting and decorating, of a public building or public work, or building or work financed in whole or in part from Federal funds or in accordance with guarantees of a Federal agency or financed from funds obtained by pledge of any contract of a Federal agency to make a loan, grant or annual contribution (except where a different meaning is expressly indicated), and which is subject to the labor standards provisions of any of the acts listed in §5.1, the following clauses. (1) Minimum wages. 
(i) All laborers and mechanics employed or working upon the site of the work (or under the United States Housing Act of 1937 or under the Housing Act of 1949 in the construction or development of the project), will be paid unconditionally and not less often than once a week, and without subsequent deduction or rebate on any account (except such payroll deductions as are permitted by regulations issued by the Secretary of Labor under the Copeland Act (29 CFR part 3)), the full amount of wages and bona fide fringe benefits (or cash equivalents thereof) due at time of payment computed at rates not less than those contained in the wage determination of the Secretary of Labor which is attached hereto and made a part hereof, regardless of any contractual relationship which may be alleged to exist between the contractor and such laborers and mechanics… (D) Davis-Bacon Act, as amended (40 U.S.C. 3141-3148). When required by Federal program legislation, all prime construction contracts in excess of $2,000 awarded by non-Federal entities must include a provision for compliance with the Davis-Bacon Act (40 U.S.C. 3141-3144, and 3146-3148) as supplemented by Department of Labor regulations (29 CFR Part 5, “Labor Standards Provisions Applicable to Contracts Covering Federally Financed and Assisted Construction”). In accordance with the statute, contractors must be required to pay wages to laborers and mechanics at a rate not less than the prevailing wages specified in a wage determination made by the Secretary of Labor. In addition, contractors must be required to pay wages not less than once a week.. . .” Condition: An effective internal control system was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the Special Tests and Provisions – Wage Rate Requirements compliance requirement. 
Cause: The School Corporation's management had not developed a system of internal controls to ensure compliance with the compliance requirements listed above. Effect: The failure to design and implement an effective internal control system enabled material noncompliance to go undetected. Noncompliance with the grant agreement and the Special Tests and Provisions - Wage Rate Requirements compliance requirement could result in the loss of future federal funds to the School Corporation. Questioned Costs: There were no questioned costs identified. Context: The School Corporation did not obtain the weekly payroll report certifications from the vendors that performed window and locker replacements in the school buildings in a timely fashion. Therefore, a timely review was not performed to ensure that pay rates complied with the federal wage rate requirements. Additionally, the School Corporation did not have contracts with the companies that included clauses for the federal wage rate requirements. ESSER II funds (ALN 84.425D) were charged $179,194 of these vendor costs, while ESSER III funds (ALN 84.425U) were charged $747,188. Identification as a repeat finding, if applicable: No. Recommendation: We recommended that the School Corporation implement a formal process to ensure the required weekly payroll report certifications are collected and reviewed timely to ensure compliance with the wage rate requirements. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Information on the federal program: Subject: Child Nutrition Cluster - Internal Controls Federal Agency: Department of Agriculture Federal Program: School Breakfast Program, National School Lunch Program Assistance Listing Number: 10.553, 10.555 Federal Award Numbers and Years (or Other Identifying Numbers): FY2023, FY2024 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Activities Allowed or Unallowed, Allowable Costs/Cost Principles Audit Finding: Material Weakness Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Condition: An effective internal control system was not in place at the School Corporation to ensure compliance with requirements related to the grant agreement and the activities allowed or unallowed and allowable costs/cost principle compliance requirements. Cause: The School Corporation's management had not developed a system of internal controls to ensure compliance with the compliance requirements listed above. Effect: The failure to establish an effective internal control system placed the School Corporation at risk of noncompliance with the grant agreement and the compliance requirements. 
A lack of segregation of duties within an internal control system could have also allowed noncompliance with the compliance requirements and allowed the misuse and mismanagement of federal funds and assets by not having proper oversight, reviews, and approvals over the activities of the programs. Questioned Costs: None. Context: We noted there was no secondary, documented formal review for the forty sample accounts payable vouchers. All the payroll vouchers selected were properly reviewed. Identification as a repeat finding, if applicable: No. Recommendation: We recommend that the School Corporation establish a documented, formal review of all food service accounts payable vouchers before they are paid. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Information on the federal program: Subject: Education Stabilization Fund - Internal Controls Federal Agency: Department of Education Federal Program: Education Stabilization Fund Assistance Listing Number: 84.425D Federal Award Numbers and Years (or Other Identifying Numbers): S425D200013, S425D210013 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Activities Allowed or Unallowed, Allowable Costs/Cost Principles Audit Finding: Material Weakness Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Condition: An effective internal control system was not in place at the School Corporation to ensure compliance with requirements related to the grant agreement and the activities allowed or unallowed and allowable costs/cost principle compliance requirements. Cause: The School Corporation's management had not developed a system of internal controls to ensure compliance with the compliance requirements listed above. Effect: The failure to establish an effective internal control system placed the School Corporation at risk of noncompliance with the grant agreement and the compliance requirements. 
A lack of segregation of duties within an internal control system could have also allowed noncompliance with the compliance requirements and allowed the misuse and mismanagement of federal funds and assets by not having proper oversight, reviews, and approvals over the activities of the programs. Questioned Costs: None. Context: We noted there was no secondary, documented formal review for the seven sample accounts payable vouchers. All the payroll vouchers selected were properly reviewed. Identification as a repeat finding, if applicable: No. Recommendation: We recommend that the School Corporation establish a documented, formal review of all food service accounts payable vouchers before they are paid. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Information on the federal program: Subject: Education Stabilization Fund (ESSER) – Internal Controls Federal Agency: Department of Education Federal Program: COVID-19 – Education Stabilization Fund Assistance Listing Number: 84.425D Federal Award Numbers and Years (or Other Identifying Numbers): S425D200013, S425D210013 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Reporting Audit Finding: Material Weakness Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.302(b) states in part: "The financial management system of each non-Federal entity must provide for the following: (2) Accurate, current, and complete disclosure of the financial results of each Federal award or program in accordance with the reporting requirements set forth in §§ 200.328 Financial reporting . . . ." 34 CFR 76.722 states: "A State may require a subgrantee to submit reports in a manner and format that assists the State in complying with the requirements under 34 CFR 76.720 and in carrying out other responsibilities under the program." Condition: An effective internal control system was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the Reporting compliance requirements. 
Cause: The School Corporation's management had not developed a system of internal controls to ensure compliance with the compliance requirements listed above. Effect: The failure to establish an effective internal control system placed the School Corporation at risk of noncompliance with the grant agreement and the compliance requirements. A lack of segregation of duties within an internal control system could have also allowed noncompliance with the compliance requirements and allowed the misuse and mismanagement of federal funds and assets by not having proper oversight, reviews, and approvals over the activities of the programs. Questioned Costs: There were no questioned costs identified. Context: The School Corporation was required to submit two Annual Data Reports to the Indiana Department of Education (IDOE) during the audit period to meet federal reporting requirements for ESSER grant awards. We noted that the ESSER I and ESSER II amounts reported for the reports covering the FY22 time period ($90,217 and $238,439, respectively) did not agree to the underlying expenditure records ($81,958 and $400,439 respectively, for the period of July 1, 2021 through June 30, 2022). Identification as a repeat finding: This is a repeat finding from the immediately prior audit. The prior finding number was 2022-002. Recommendation: We recommend someone other than the preparer of the report perform a documented review prior to submission to validate the accuracy and completeness of the data submitted. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Information on the federal program: Subject: Child Nutrition Cluster - Internal Controls Federal Agency: Department of Agriculture Federal Program: School Breakfast Program, National School Lunch Program Assistance Listing Number: 10.553, 10.555 Federal Award Numbers and Years (or Other Identifying Numbers): FY2023, FY2024 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Eligibility Audit Finding: Material Weakness Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 7 CFR 245.3(c) states in part: Each School Food Authority shall serve free and reduced price meals or free milk in the respective programs to children eligible under its eligibility criteria. Condition: An effective internal control system was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the eligibility compliance requirement. Cause: The School Corporation's management had not developed a system of internal controls to ensure compliance with eligibility requirements. Effect: The failure to establish an effective internal control system placed the School Corporation at risk of noncompliance with the grant agreement and the compliance requirements.
A lack of segregation of duties within an internal control system could have also allowed noncompliance with the compliance requirements and allowed the misuse and mismanagement of federal funds and assets by not having proper oversight, reviews, and approvals over the activities of the programs. Questioned Costs: There were no questioned costs identified. Context: During sample testing of 60 students for eligibility, we noted 3 instances where there was no documented review by someone other than the individual making the eligibility determination. The lack of review was isolated to paper applications. Identification as a repeat finding, if applicable: No. Recommendation: We recommended that the School Corporation’s management establish a formal, documented review over application data entered into the software to ensure the accuracy and completeness of the information entered into the software, which is critical to the eligibility determination process. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Information on the federal program: Subject: Child Nutrition Cluster - Internal Controls Federal Agency: Department of Agriculture Federal Program: School Breakfast Program, National School Lunch Program Assistance Listing Number: 10.553, 10.555 Federal Award Numbers and Years (or Other Identifying Numbers): FY 22-23, FY 23-24 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Eligibility Audit Finding: Material Weakness Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Condition: An effective internal control system was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the eligibility compliance requirement. Cause: The School Corporation's management had not developed a system of internal controls to ensure compliance with eligibility requirements. Effect: The failure to establish an effective internal control system placed the School Corporation at risk of noncompliance with the grant agreement and the compliance requirements. A lack of segregation of duties within an internal control system could have also allowed noncompliance with the compliance requirements and allowed the misuse and mismanagement of federal funds and assets by not having proper oversight, reviews, and approvals over the activities of the programs. 
Questioned Costs: There were no questioned costs identified. Context: The School Corporation’s internal controls over eligibility included an annual approval of the food service software’s eligibility guidelines and also a documented review of individual meal applications by Food Service Department staff. During testing of eligibility, we noted 7 applications, out of 60 total students tested for the audit period, that did not have a timely, documented review by Food Service Department staff. The lack of review was isolated to fiscal year 2023. Additionally, there was no documented annual review by School Corporation personnel of the fiscal year 2024 income eligibility guidelines used by the food service software. Identification as a repeat finding, if applicable: No. Recommendation: We recommend School Corporation management review internal controls over eligibility and ensure a documented review occurs annually of income eligibility guidelines used by the food service software. We also recommend management document their review of applications entered into the system and ensure applications are maintained to support eligibility determinations made. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Information on the federal program: Subject: Education Stabilization Fund – Special Tests and Provisions - Wage Rate Requirements Federal Agency: Department of Education Federal Program: COVID-19 - Education Stabilization Fund Assistance Listing Number: 84.425D Federal Award Numbers: S425D210013 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Special Tests and Provisions - Wage Rate Requirements Audit Findings: Material Weakness Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 29 CFR 5.5 states in part: a. The Agency head shall cause or require the contracting officer to insert in full in any contract in excess of $2,000 which is entered into for the actual construction, alteration and/or repair, including painting and decorating, of a public building or public work, or building or work financed in whole or in part from Federal funds or in accordance with guarantees of a Federal agency or financed from funds obtained by pledge of any contract of a Federal agency to make a loan, grant or annual contribution (except where a different meaning is expressly indicated), and which is subject to the labor standards provisions of any of the acts listed in §5.1, the following clauses… (1) Minimum wages. 
(i) All laborers and mechanics employed or working upon the site of the work (or under the United States Housing Act of 1937 or under the Housing Act of 1949 in the construction or development of the project), will be paid unconditionally and not less often than once a week, and without subsequent deduction or rebate on any account (except such payroll deductions as are permitted by regulations issued by the Secretary of Labor under the Copeland Act (29 CFR part 3)), the full amount of wages and bona fide fringe benefits (or cash equivalents thereof) due at time of payment computed at rates not less than those contained in the wage determination of the Secretary of Labor which is attached hereto and made a part hereof, regardless of any contractual relationship which may be alleged to exist between the contractor and such laborers and mechanics… (3)(ii)(A) The contractor shall submit weekly for each week in which any contract work is performed a copy of all payrolls to the (write in name of appropriate federal agency) if the agency is a party to the contract, but if the agency is not such a party, the contractor will submit the payrolls to the applicant, sponsor, or owner, as the case may be, for transmission to the (write in name of agency). 2 CFR 200 Appendix II states in part: “In addition to other provisions required by the Federal agency or non-Federal entity; all contracts made by the non-Federal entity under the Federal award must contain provisions covering the following, as applicable. . . . (D) Davis-Bacon Act, as amended (40 U.S.C. 3141-3148). When required by Federal program legislation, all prime construction contracts in excess of $2,000 awarded by non-Federal entities must include a provision for compliance with the Davis-Bacon Act (40 U.S.C. 3141-3144, and 3146-3148) as supplemented by Department of Labor regulations (29 CFR Part 5, “Labor Standards Provisions Applicable to Contracts Covering Federally Financed and Assisted Construction”).
In accordance with the statute, contractors must be required to pay wages to laborers and mechanics at a rate not less than the prevailing wages specified in a wage determination made by the Secretary of Labor. In addition, contractors must be required to pay wages not less than once a week. . . .” Condition: An effective internal control system was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the Special Tests and Provisions – Wage Rate Requirements compliance requirements. The School Corporation did not include Davis-Bacon wage rate requirements in its contract with the vendor, which includes labor installation. The School Corporation did not obtain the weekly payroll report certifications from the vendor installing equipment. Cause: The School Corporation's management had not developed a system of internal controls to ensure compliance with the compliance requirements listed above. Effect: The failure to design and implement an effective internal control system enabled material noncompliance to go undetected. Noncompliance with the grant agreement and the Special Tests and Provisions – Wage Rate Requirements compliance requirement could result in the loss of future federal funds to the School Corporation. Questioned Costs: There were no questioned costs identified. Context: The School Corporation had one project during the audit period which included labor installation costs which were charged to the ESSER II (84.425D) grant award. For the vendor selected for testing, the School Corporation did not include federal wage rate requirement clauses in the contract with the vendor and did not have an internal control designed to collect the weekly payroll report certifications from vendors and their subcontractors, as applicable, to comply with Davis-Bacon wage rate requirements. The amount disbursed for the project during the audit period, which includes material and labor, totaled $94,444.
Identification as a repeat finding, if applicable: No. Recommendation: We recommend the School Corporation include Davis-Bacon wage requirements in vendor contracts which are federally funded and implement a formal process to ensure the required weekly payroll report certifications are collected and reviewed by management to ensure compliance with the federal wage rate requirements. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Information on the federal program: Subject: Title I Grants to Local Educational Agencies – Special Tests and Provisions – Annual Report Card, High School Graduation Rate Federal Agency: Department of Education Federal Program: Title I Grants to Local Educational Agencies Assistance Listing Number: 84.010A Federal Award Numbers: S010A210014, S010A220014, S010A230014 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Special Tests and Provisions – Annual Report Card, High School Graduation Rate Audit Findings: Significant Deficiency Criteria: 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)...." 20 USC 7801(23)(B) states: "To remove a student from a cohort, a school or local educational agency shall require documentation, or obtain information from the State educational agency, to confirm that the student has transferred out, emigrated to another country, or transferred to a prison or juvenile facility, or deceased." 
2 CFR 200.333 states in part: "Financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient..." 2 CFR 200.334 (Revised Uniform Guidance) states in part: “Financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. . . .” Condition: An effective internal control system was not in place at the School Corporation to ensure compliance with requirements related to the grant agreement and the Special Tests and Provisions - Annual Report Card, High School Graduation Rate compliance requirement. The lack of internal controls and noncompliance were systemic issues throughout the audit period. Cause: Management had neither developed nor implemented a system of internal control that would have ensured compliance with the grant agreement and the Special Tests and Provisions compliance requirement. Effect: The failure to establish an effective internal control system could enable noncompliance to go undetected. Noncompliance with the grant agreement and the Special Tests and Provisions – Annual Report Card, High School Graduation Rate compliance requirement could result in loss of future federal funds to the School Corporation.
Questioned Costs: There were no questioned costs identified. Context: An effective internal control system was not in place at the School Corporation to ensure compliance with requirements related to the grant agreement and the Special Tests and Provisions - Annual Report Card, High School Graduation Rate compliance requirement. There was no formal documented review of mobility reports in Skyward during our audit period. Identification as a repeat finding: This is a repeat finding from the immediately prior audit report. The prior audit finding number was 2022-003. Recommendation: We recommended that the School Corporation's management establish an effective system of internal control to ensure compliance and comply with the grant agreement and the Special Tests and Provisions - Annual Report Card, High School Graduation Rate compliance requirement. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Information on the federal program: Subject: COVID-19 – Education Stabilization Fund – Reporting Federal Agency: Department of Education Federal Program: COVID-19 – Education Stabilization Fund Assistance Listing Number: 84.425D, 84.425U Federal Award Numbers and Years (or Other Identifying Numbers): S425D200013, S425D210013, S425U210013 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Reporting Audit Finding: Material Weakness Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.302(b) states in part: "The financial management system of each non-Federal entity must provide for the following: (2) Accurate, current, and complete disclosure of the financial results of each Federal award or program in accordance with the reporting requirements set forth in §§ 200.328 Financial reporting . . . ." 34 CFR 76.722 states: "A State may require a subgrantee to submit reports in a manner and format that assists the State in complying with the requirements under 34 CFR 76.720 and in carrying out other responsibilities under the program." Condition: An effective internal control system was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the Reporting compliance requirements. 
Cause: The School District's management had not developed a system of internal controls to ensure compliance with the compliance requirements listed above. Effect: The failure to establish an effective internal control system placed the School Corporation at risk of noncompliance with the grant agreement and the compliance requirements. Internal controls were not adequate to detect and prevent errors in annual data submitted to the Indiana Department of Education. Questioned Costs: There were no questioned costs identified. Context: The School Corporation had not designed nor implemented a system of internal control to ensure that the annual Elementary and Secondary School Emergency Relief (ESSER) annual Data Collection reports (Reports) were complete and accurately submitted. The reports were prepared and submitted in JotForm, the online application used by the Indiana Department of Education to collect information, without an oversight or secondary review process in place to prevent or detect and correct errors. During the testing of the annual data reports, variances were noted in the amounts expended reported on the Year 4 annual data report for the ESSER I and the Year 3 annual data reports for ESSER II and ESSER III grant awards when compared to underlying disbursement detail for the grant funds covering the period of July 1, 2022 through June 30, 2023. The amounts reported as expended in the annual data reports were underreported by $504,240 compared to underlying funds ledger detail. Identification as a repeat finding, if applicable: No. Recommendation: We recommend someone other than the preparer of the report perform a documented, secondary review of the report information prior to submission to validate the accuracy and completeness of the data submitted. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Information on the federal program: Subject: COVID-19 - Education Stabilization Fund - Internal Controls Federal Agency: Department of Education Federal Program: COVID-19 - Education Stabilization Fund Assistance Listing Number: 84.425D, 84.425U Federal Award Numbers and Years (or Other Identifying Numbers): S245D200013, S425D210013, S425U210013 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Reporting Audit Finding: Material Weakness Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Condition: Errors were noted in the expenditure amounts reported on the Annual Data Report for the period of July 1, 2022 through June 30, 2023 for the ESSER I, II, and III grant awards when compared to underlying transaction detail of the School Corporation for each award. Cause: The School Corporation's management had not developed a system of internal controls to ensure the quantitative data reported in the Annual Data Report agreed to underlying records. Effect: The annual data reported to the Indiana Department of Education covering the period of July 1, 2022 through June 30, 2023 contained errors. Questioned Costs: There were no questioned costs identified. 
Context: During the testing of the annual data reports submitted for the reporting period of July 1, 2022 through June 30, 2023, the following variances were noted: The ESSER II annual data report noted $0 disbursements for the reporting period noted above compared to the underlying disbursement detail of $139,139, resulting in an understatement of the annual data report by $139,139. The ESSER III annual data report noted $783,822 disbursements for the reporting period noted above compared to the underlying disbursement detail of $214,015, resulting in an overstatement of the annual data report by $405,807. Identification as a repeat finding, if applicable: No. Recommendation: We recommended that the School Corporation's management implement an internal control over the annual data reporting process to ensure a secondary, documented review of the data compiled to be submitted in the Annual Data Reports to the Indiana Department of Education is performed prior to submission of the reports. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Information on the federal program: Subject: Education Stabilization Fund – Special Tests and Provisions - Wage Rate Requirements Federal Agency: Department of Education Federal Program: COVID-19 - Education Stabilization Fund Assistance Listing Number: 84.425D, 84.425U Federal Award Numbers and Years (or Other Identifying Numbers): S425D210013, S425U210013 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Special Tests and Provisions - Wage Rate Requirements Audit Findings: Material Weakness, Material Noncompliance, Qualified Opinion Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)." 29 CFR 5.5 states in part: (1) Minimum wages. 
(i) All laborers and mechanics employed or working upon the site of the work (or under the United States Housing Act of 1937 or under the Housing Act of 1949 in the construction or development of the project), will be paid unconditionally and not less often than once a week, and without subsequent deduction or rebate on any account (except such payroll deductions as are permitted by regulations issued by the Secretary of Labor under the Copeland Act (29 CFR part 3)), the full amount of wages and bona fide fringe benefits (or cash equivalents thereof) due at time of payment computed at rates not less than those contained in the wage determination of the Secretary of Labor which is attached hereto and made a part hereof, regardless of any contractual relationship which may be alleged to exist between the contractor and such laborers and mechanics… (3)(ii)(A) The contractor shall submit weekly for each week in which any contract work is performed a copy of all payrolls to the (write in name of appropriate federal agency) if the agency is a party to the contract, but if the agency is not such a party, the contractor will submit the payrolls to the applicant, sponsor, or owner, as the case may be, for transmission to the (write in name of agency). 2 CFR 200 Appendix II states in part: In addition to other provisions required by the Federal agency or non-Federal entity; all contracts made by the non-Federal entity under the Federal award must contain provisions covering the following, as applicable. . . . (D) Davis-Bacon Act, as amended (40 U.S.C. 3141-3148). When required by Federal program legislation, all prime construction contracts in excess of $2,000 awarded by non-Federal entities must include a provision for compliance with the Davis-Bacon Act (40 U.S.C. 3141-3144, and 3146-3148) as supplemented by Department of Labor regulations (29 CFR Part 5, “Labor Standards Provisions Applicable to Contracts Covering Federally Financed and Assisted Construction”). 
In accordance with the statute, contractors must be required to pay wages to laborers and mechanics at a rate not less than the prevailing wages specified in a wage determination made by the Secretary of Labor. In addition, contractors must be required to pay wages not less than once a week. . . .” Condition: An effective internal control system was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the Special Tests and Provisions – Wage Rate Requirements compliance requirements. Cause: The School Corporation's management had not developed a system of internal controls to ensure compliance with the compliance requirements listed above. Effect: The failure to design and implement an effective internal control system enabled material noncompliance to go undetected. Noncompliance with the grant agreement and the Special Tests and Provisions – Wage Rate Requirements compliance requirement could result in the loss of future federal funds to the School Corporation. Questioned Costs: There were no questioned costs identified. Context: The School Corporation had one project for HVAC replacement in the elementary school gymnasium, which was funded with ESSER II (84.425D) and ESSER III (84.425U) grant awards. The School Corporation properly included Davis-Bacon wage rate requirements in the vendor contract; however, the School Corporation did not obtain the weekly payroll reports certifications from the construction vendor to monitor compliance with Davis-Bacon wage rate requirements. Therefore, no review was performed to ensure that pay rates complied with the federal wage rate requirements. The School Corporation was subsequently able to obtain the payroll certification reports from the contractor to demonstrate compliance with the wage rate requirements. The total project cost disbursed during the audit period was $499,689, which included materials and labor. 
We estimate approximately 30-40% of the project costs to be labor based on the scheduled values in the contract. Identification as a repeat finding: No. Recommendation: We recommend the School Corporation implement a formal process to ensure the required weekly payroll reports certifications are collected and reviewed for projects requiring labor installation and funded by federal grants subject to Davis-Bacon wage rate requirements to ensure compliance with federal regulations. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Information on the federal program: Subject: Education Stabilization Fund – Special Tests and Provisions - Wage Rate Requirements Federal Agency: Department of Education Federal Program: COVID-19 - Education Stabilization Fund Assistance Listing Number: 84.425D, 84.425U Federal Award Numbers and Years (or Other Identifying Numbers): S425D210013, S425U210013 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Special Tests and Provisions - Wage Rate Requirements Audit Findings: Material Weakness, Material Noncompliance, Qualified Opinion Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)." 29 CFR 5.5 states in part: (1) Minimum wages. 
(i) All laborers and mechanics employed or working upon the site of the work (or under the United States Housing Act of 1937 or under the Housing Act of 1949 in the construction or development of the project), will be paid unconditionally and not less often than once a week, and without subsequent deduction or rebate on any account (except such payroll deductions as are permitted by regulations issued by the Secretary of Labor under the Copeland Act (29 CFR part 3)), the full amount of wages and bona fide fringe benefits (or cash equivalents thereof) due at time of payment computed at rates not less than those contained in the wage determination of the Secretary of Labor which is attached hereto and made a part hereof, regardless of any contractual relationship which may be alleged to exist between the contractor and such laborers and mechanics… (3)(ii)(A) The contractor shall submit weekly for each week in which any contract work is performed a copy of all payrolls to the (write in name of appropriate federal agency) if the agency is a party to the contract, but if the agency is not such a party, the contractor will submit the payrolls to the applicant, sponsor, or owner, as the case may be, for transmission to the (write in name of agency). 2 CFR 200 Appendix II states in part: In addition to other provisions required by the Federal agency or non-Federal entity; all contracts made by the non-Federal entity under the Federal award must contain provisions covering the following, as applicable. . . . (D) Davis-Bacon Act, as amended (40 U.S.C. 3141-3148). When required by Federal program legislation, all prime construction contracts in excess of $2,000 awarded by non-Federal entities must include a provision for compliance with the Davis-Bacon Act (40 U.S.C. 3141-3144, and 3146-3148) as supplemented by Department of Labor regulations (29 CFR Part 5, “Labor Standards Provisions Applicable to Contracts Covering Federally Financed and Assisted Construction”). 
In accordance with the statute, contractors must be required to pay wages to laborers and mechanics at a rate not less than the prevailing wages specified in a wage determination made by the Secretary of Labor. In addition, contractors must be required to pay wages not less than once a week. . . .” Condition: An effective internal control system was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the Special Tests and Provisions – Wage Rate Requirements compliance requirements. Cause: The School Corporation's management had not developed a system of internal controls to ensure compliance with the compliance requirements listed above. Effect: The failure to design and implement an effective internal control system enabled material noncompliance to go undetected. Noncompliance with the grant agreement and the Special Tests and Provisions – Wage Rate Requirements compliance requirement could result in the loss of future federal funds to the School Corporation. Questioned Costs: There were no questioned costs identified. Context: The School Corporation had one project for HVAC replacement in the elementary school gymnasium, which was funded with ESSER II (84.425D) and ESSER III (84.425U) grant awards. The School Corporation properly included Davis-Bacon wage rate requirements in the vendor contract; however, the School Corporation did not obtain the weekly payroll reports certifications from the construction vendor to monitor compliance with Davis-Bacon wage rate requirements. Therefore, no review was performed to ensure that pay rates complied with the federal wage rate requirements. The School Corporation was subsequently able to obtain the payroll certification reports from the contractor to demonstrate compliance with the wage rate requirements. The total project cost disbursed during the audit period was $499,689, which included materials and labor. 
We estimate approximately 30-40% of the project costs to be labor based on the scheduled values in the contract. Identification as a repeat finding: No. Recommendation: We recommend the School Corporation implement a formal process to ensure the required weekly payroll reports certifications are collected and reviewed for projects requiring labor installation and funded by federal grants subject to Davis-Bacon wage rate requirements to ensure compliance with federal regulations. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.