Finding 2024-001 – Equipment and Real Property Management — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Also, in accordance with 2 CFR 200.313(d)(1), property records must be maintained that included a description of the property, a serial number or other identification number, the source of funding for the property (including the federal award identification number), who holds title, the acquisition date, cost of the property, percentage of federal participation in the project costs for the federal award under which the property was acquired, the location, use and condition of the property, and any ultimate disposition data including the date of disposal and sales price of the property. In accordance with 2 CFR 200.313(d)(2), a physical inventory of equipment and property must be taken, and the results reconciled with property records at least once every two years. Condition: The University’s controls were not operating effectively to reasonably ensure the University maintained property records with the above required information and performed the required physical inventory of equipment within the two previous years. As a result, the University did not comply with the compliance requirements for equipment and real property management. Cause: The University does not have processes and procedures in place related to equipment management, tracking and required physical inventories. Effect or potential effect: The University is not in compliance with federal grant requirements over the tracking and physical inventory of equipment. Improper equipment management procedures could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: The University has five pieces of qualified equipment with an aggregate cost of approximately $119,000. For all sample selections tested in the major program, there was no process of tagging and tracking equipment purchased with federal funding, nor was there any evidence that physical inventories had been performed. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to tag and track the equipment purchased with federal funding, and maintain support that physical inventories were performed as required. View of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-002 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure procurement methods outline by the University are properly followed. In accordance with 2 CFR 200.320, price quotations should be obtained from an adequate number of qualified sources for procurements that meet the small purchase procurement threshold. Condition: The University’s controls were not operating effectively to reasonably ensure the University obtained the proper number of price quotations as required using the small purchase procurement method. The University’s procurement policy requires price quotations be obtained from at least two sources when using the small purchase procurement method. The University only obtained one price quotation and no written documentation as the rational for selection was maintained. As a result, the University did not comply with the compliance requirements for procurement. Cause: The University does not have processes and procedures in place to ensure all procurements of goods and services are in accordance with Uniform Guidance and in accordance with it’s own procurement policy. Effect or potential effect: The University is not in compliance with federal grant requirements over small purchase procurements. Improper procurement procedures could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: For all sample selections tested in the major program, one price quotation was obtained and no documentation was maintained as to the rationale for selection of the underlying vendor. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to obtain the required number of price quotations required under the small purchase procurement method, and maintain support for the required number of price quotations received under the small purchase procurement method. View of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-003 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure vendors are not suspended or debarred. In accordance with 2 CFR 200.212 and 200.318(h)), when a nonfederal entity enters into a contract or purchase with an entity (vendor or subrecipient), the nonfederal entity must verify the entity is not suspended or debarred from participation in federal programs/grants when expending $25,000 or more in a year (or any amount in the case of a subrecipient). Condition: The University’s controls were not operating effectively to reasonably ensure the University verified the vendor was not suspended or debarred from participation in federal programs/grants prior to entering into a contract with the vendor. The University’s procurement policy requires vendor transactions equal to or greater than $25,000 undergo verification to ensure the vendor is not suspended or debarred, prior to entering into a contract with the vendor. Cause: A lack of controls to reasonably ensure this verification was performed. Effect or potential effect: The University did not have controls in place to reasonably ensure compliance with suspension and debarment requirements of the Uniform Guidance. The potential effect is submitting unallowable costs, or loss of federal funding. Questioned costs: $0 Context: For all sample selections tested in the major program, documentation was not maintained that could provide evidence that the University had performed the required verification. None of the samples tested were identified as suspended or debarred entities. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop proper controls and procedures to determine whether vendors have been suspended or debarred prior to entering into contracts or purchase orders for all transactions, and maintain documentation supporting this verification. View of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-004 – Subrecipient Monitoring — Material Weakness Department of Health and Human Services Research and Development Cluster National Science Foundation, Assistance Listing No. 47.076 (STEM Education) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure that risk assessment and monitoring are formally documented over subrecipient monitoring. In accordance with 2 CFR 200.332(b) and 2 CFR 200.332(e), a pass-through entity is required to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of each sub-award for purposes of determining appropriate subrecipient monitoring requirements. Depending on the risk assessment, the pass-through entity should identify monitoring procedures to be performed in order to ensure proper accountability and compliance with program requirements and achievements of performance goals. Condition: The University’s controls were not operating effectively to reasonably ensure the University performed risk assessment and monitoring procedures for its subrecipients. As a result, the University did not comply with the compliance requirements for subrecipient monitoring. Cause: The University does not have processes and procedures in place related to risk assessment and subrecipient monitoring. Effect or potential effect: The University is not in compliance with federal grant requirements over subrecipient monitoring. Lack of properly documented evidence of subrecipient monitoring policies and procedures performed, including required risk assessments, could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: The University has two active awards under the program with subrecipients with an aggregate award value of approximately $71,000. The University has two subrecipients and for both subrecipients tested in the major program, there was no evidence that a risk assessment or monitoring of those subrecipients was performed. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to perform the required risk assessments and related monitoring, and maintain support that the risk assessments and related monitoring were performed as required. View of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-001 – Equipment and Real Property Management — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Also, in accordance with 2 CFR 200.313(d)(1), property records must be maintained that included a description of the property, a serial number or other identification number, the source of funding for the property (including the federal award identification number), who holds title, the acquisition date, cost of the property, percentage of federal participation in the project costs for the federal award under which the property was acquired, the location, use and condition of the property, and any ultimate disposition data including the date of disposal and sales price of the property. In accordance with 2 CFR 200.313(d)(2), a physical inventory of equipment and property must be taken, and the results reconciled with property records at least once every two years. Condition: The University’s controls were not operating effectively to reasonably ensure the University maintained property records with the above required information and performed the required physical inventory of equipment within the two previous years. As a result, the University did not comply with the compliance requirements for equipment and real property management. Cause: The University does not have processes and procedures in place related to equipment management, tracking and required physical inventories. Effect or potential effect: The University is not in compliance with federal grant requirements over the tracking and physical inventory of equipment. Improper equipment management procedures could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: The University has five pieces of qualified equipment with an aggregate cost of approximately $119,000. For all sample selections tested in the major program, there was no process of tagging and tracking equipment purchased with federal funding, nor was there any evidence that physical inventories had been performed. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to tag and track the equipment purchased with federal funding, and maintain support that physical inventories were performed as required. View of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-002 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure procurement methods outline by the University are properly followed. In accordance with 2 CFR 200.320, price quotations should be obtained from an adequate number of qualified sources for procurements that meet the small purchase procurement threshold. Condition: The University’s controls were not operating effectively to reasonably ensure the University obtained the proper number of price quotations as required using the small purchase procurement method. The University’s procurement policy requires price quotations be obtained from at least two sources when using the small purchase procurement method. The University only obtained one price quotation and no written documentation as the rational for selection was maintained. As a result, the University did not comply with the compliance requirements for procurement. Cause: The University does not have processes and procedures in place to ensure all procurements of goods and services are in accordance with Uniform Guidance and in accordance with it’s own procurement policy. Effect or potential effect: The University is not in compliance with federal grant requirements over small purchase procurements. Improper procurement procedures could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: For all sample selections tested in the major program, one price quotation was obtained and no documentation was maintained as to the rationale for selection of the underlying vendor. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to obtain the required number of price quotations required under the small purchase procurement method, and maintain support for the required number of price quotations received under the small purchase procurement method. View of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-003 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure vendors are not suspended or debarred. In accordance with 2 CFR 200.212 and 200.318(h)), when a nonfederal entity enters into a contract or purchase with an entity (vendor or subrecipient), the nonfederal entity must verify the entity is not suspended or debarred from participation in federal programs/grants when expending $25,000 or more in a year (or any amount in the case of a subrecipient). Condition: The University’s controls were not operating effectively to reasonably ensure the University verified the vendor was not suspended or debarred from participation in federal programs/grants prior to entering into a contract with the vendor. The University’s procurement policy requires vendor transactions equal to or greater than $25,000 undergo verification to ensure the vendor is not suspended or debarred, prior to entering into a contract with the vendor. Cause: A lack of controls to reasonably ensure this verification was performed. Effect or potential effect: The University did not have controls in place to reasonably ensure compliance with suspension and debarment requirements of the Uniform Guidance. The potential effect is submitting unallowable costs, or loss of federal funding. Questioned costs: $0 Context: For all sample selections tested in the major program, documentation was not maintained that could provide evidence that the University had performed the required verification. None of the samples tested were identified as suspended or debarred entities. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop proper controls and procedures to determine whether vendors have been suspended or debarred prior to entering into contracts or purchase orders for all transactions, and maintain documentation supporting this verification. View of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-004 – Subrecipient Monitoring — Material Weakness Department of Health and Human Services Research and Development Cluster National Science Foundation, Assistance Listing No. 47.076 (STEM Education) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure that risk assessment and monitoring are formally documented over subrecipient monitoring. In accordance with 2 CFR 200.332(b) and 2 CFR 200.332(e), a pass-through entity is required to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of each sub-award for purposes of determining appropriate subrecipient monitoring requirements. Depending on the risk assessment, the pass-through entity should identify monitoring procedures to be performed in order to ensure proper accountability and compliance with program requirements and achievements of performance goals. Condition: The University’s controls were not operating effectively to reasonably ensure the University performed risk assessment and monitoring procedures for its subrecipients. As a result, the University did not comply with the compliance requirements for subrecipient monitoring. Cause: The University does not have processes and procedures in place related to risk assessment and subrecipient monitoring. Effect or potential effect: The University is not in compliance with federal grant requirements over subrecipient monitoring. Lack of properly documented evidence of subrecipient monitoring policies and procedures performed, including required risk assessments, could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: The University has two active awards under the program with subrecipients with an aggregate award value of approximately $71,000. The University has two subrecipients and for both subrecipients tested in the major program, there was no evidence that a risk assessment or monitoring of those subrecipients was performed. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to perform the required risk assessments and related monitoring, and maintain support that the risk assessments and related monitoring were performed as required. View of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-001 – Equipment and Real Property Management — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Also, in accordance with 2 CFR 200.313(d)(1), property records must be maintained that included a description of the property, a serial number or other identification number, the source of funding for the property (including the federal award identification number), who holds title, the acquisition date, cost of the property, percentage of federal participation in the project costs for the federal award under which the property was acquired, the location, use and condition of the property, and any ultimate disposition data including the date of disposal and sales price of the property. In accordance with 2 CFR 200.313(d)(2), a physical inventory of equipment and property must be taken, and the results reconciled with property records at least once every two years. Condition: The University’s controls were not operating effectively to reasonably ensure the University maintained property records with the above required information and performed the required physical inventory of equipment within the two previous years. As a result, the University did not comply with the compliance requirements for equipment and real property management. Cause: The University does not have processes and procedures in place related to equipment management, tracking and required physical inventories. Effect or potential effect: The University is not in compliance with federal grant requirements over the tracking and physical inventory of equipment. Improper equipment management procedures could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: The University has five pieces of qualified equipment with an aggregate cost of approximately $119,000. For all sample selections tested in the major program, there was no process of tagging and tracking equipment purchased with federal funding, nor was there any evidence that physical inventories had been performed. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to tag and track the equipment purchased with federal funding, and maintain support that physical inventories were performed as required. View of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-002 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure procurement methods outline by the University are properly followed. In accordance with 2 CFR 200.320, price quotations should be obtained from an adequate number of qualified sources for procurements that meet the small purchase procurement threshold. Condition: The University’s controls were not operating effectively to reasonably ensure the University obtained the proper number of price quotations as required using the small purchase procurement method. The University’s procurement policy requires price quotations be obtained from at least two sources when using the small purchase procurement method. The University only obtained one price quotation and no written documentation as the rational for selection was maintained. As a result, the University did not comply with the compliance requirements for procurement. Cause: The University does not have processes and procedures in place to ensure all procurements of goods and services are in accordance with Uniform Guidance and in accordance with it’s own procurement policy. Effect or potential effect: The University is not in compliance with federal grant requirements over small purchase procurements. Improper procurement procedures could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: For all sample selections tested in the major program, one price quotation was obtained and no documentation was maintained as to the rationale for selection of the underlying vendor. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to obtain the required number of price quotations required under the small purchase procurement method, and maintain support for the required number of price quotations received under the small purchase procurement method. View of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-003 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure vendors are not suspended or debarred. In accordance with 2 CFR 200.212 and 200.318(h)), when a nonfederal entity enters into a contract or purchase with an entity (vendor or subrecipient), the nonfederal entity must verify the entity is not suspended or debarred from participation in federal programs/grants when expending $25,000 or more in a year (or any amount in the case of a subrecipient). Condition: The University’s controls were not operating effectively to reasonably ensure the University verified the vendor was not suspended or debarred from participation in federal programs/grants prior to entering into a contract with the vendor. The University’s procurement policy requires vendor transactions equal to or greater than $25,000 undergo verification to ensure the vendor is not suspended or debarred, prior to entering into a contract with the vendor. Cause: A lack of controls to reasonably ensure this verification was performed. Effect or potential effect: The University did not have controls in place to reasonably ensure compliance with suspension and debarment requirements of the Uniform Guidance. The potential effect is submitting unallowable costs, or loss of federal funding. Questioned costs: $0 Context: For all sample selections tested in the major program, documentation was not maintained that could provide evidence that the University had performed the required verification. None of the samples tested were identified as suspended or debarred entities. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop proper controls and procedures to determine whether vendors have been suspended or debarred prior to entering into contracts or purchase orders for all transactions, and maintain documentation supporting this verification. View of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-004 – Subrecipient Monitoring — Material Weakness Department of Health and Human Services Research and Development Cluster National Science Foundation, Assistance Listing No. 47.076 (STEM Education) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure that risk assessment and monitoring are formally documented over subrecipient monitoring. In accordance with 2 CFR 200.332(b) and 2 CFR 200.332(e), a pass-through entity is required to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of each sub-award for purposes of determining appropriate subrecipient monitoring requirements. Depending on the risk assessment, the pass-through entity should identify monitoring procedures to be performed in order to ensure proper accountability and compliance with program requirements and achievements of performance goals. Condition: The University’s controls were not operating effectively to reasonably ensure the University performed risk assessment and monitoring procedures for its subrecipients. As a result, the University did not comply with the compliance requirements for subrecipient monitoring. Cause: The University does not have processes and procedures in place related to risk assessment and subrecipient monitoring. Effect or potential effect: The University is not in compliance with federal grant requirements over subrecipient monitoring. Lack of properly documented evidence of subrecipient monitoring policies and procedures performed, including required risk assessments, could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: The University has two active awards under the program with subrecipients with an aggregate award value of approximately $71,000. The University has two subrecipients and for both subrecipients tested in the major program, there was no evidence that a risk assessment or monitoring of those subrecipients was performed. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to perform the required risk assessments and related monitoring, and maintain support that the risk assessments and related monitoring were performed as required. View of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-001 Internal Controls over Compliance – Eligibility (Significant Deficiency) Assistance Listing Number 93.778 – Medical Assistance Program Criteria: 2 CFR 200.303 requires that a federal award recipient must “(a) establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.” Condition: During our review of compliance over eligibility, we identified one individual who was terminated from the program in November 2022, but continued to receive benefits through September 2024. Cause: Internal controls over eligibility compliance requirements were not properly designed and were not placed in operation. Management is responsible for compliance with requirements over eligibility and for the design, implementation, and maintenance of effective internal controls over compliance with the requirements of laws, statutes, regulations, rules, and provisions of grant agreements applicable to its federal program. Effect: As a result of this condition, an individual who was no longer eligible for benefits through the program continued to receive benefits. Recommendation: We recommend that FMAAA establish a process to ensure that terminated participants are properly disenrolled from the program and are no longer receiving benefits after their final date of eligibility. This process should include a secondary review of participant files by someone other than the preparer. Management’s response: See corrective action plan.
Reference Number: 2024-002 Prior Year Finding: 2023-007 Federal Agency: U.S. Department of Treasury Federal Program: COVID-19 – Coronavirus State and Local Fiscal Recovery Funds Assistance Listing Number: 21.027 Award Number and Year: 2021 Compliance Requirement: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Controls over Compliance, Other Matters Criteria or Specific Requirement: Compliance - 2 CFR Section 200.332 – Requirements for Pass-Through Entities states in part, that all pass-through entities must: (a) Verify that every subrecipient is audited as required by Subpart F – Audit Requirements of this part when it is expected that the subrecipient’s Federal award expended during the respective fiscal year equaled or exceeded the threshold set forth in section 200.501 Audit requirements. Control - Per 2 CDF 200.303(a), a non-Federal entity must: Establish a maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal awards. These internal controls should comply with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The County was not able to provide documentation to show it ensured its subrecipients were audited as required by 2 CFR Part 200 Subpart F – Audit Requirements (Subpart F). Context: Exceptions were noted for 7 of 7 subrecipients selected for testing: • The County was unable to provide support that it ensured the subrecipient was audited as required by Subpart F. The County could not produce evidence of verification that the subrecipient’s Federal awards expended during the fiscal year were below the threshold set forth in section 200.501 Audit Requirements. Cause: The County did not establish effective internal controls and procedures over subrecipient monitoring. Effect: Without ensuring subrecipients have obtained audits as required by Subpart F, there is an increased risk that subrecipients could be inappropriately spending and/or inaccurately tracking and reporting federal funds over multiple years, and these discrepancies may not be properly monitored, detected, and corrected by the County personnel on a timely basis. Questioned Costs: Undetermined. Recommendation: The County should review and enhance internal controls and procedures to ensure that evaluation of independent audits is performed. Views of Responsible Officials: The County agrees with this finding. See separate Correction Action Plan related to this finding.
Reference Number: 2024-002 Prior Year Finding: 2023-007 Federal Agency: U.S. Department of Treasury Federal Program: COVID-19 – Coronavirus State and Local Fiscal Recovery Funds Assistance Listing Number: 21.027 Award Number and Year: 2021 Compliance Requirement: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Controls over Compliance, Other Matters Criteria or Specific Requirement: Compliance - 2 CFR Section 200.332 – Requirements for Pass-Through Entities states in part, that all pass-through entities must: (a) Verify that every subrecipient is audited as required by Subpart F – Audit Requirements of this part when it is expected that the subrecipient’s Federal award expended during the respective fiscal year equaled or exceeded the threshold set forth in section 200.501 Audit requirements. Control - Per 2 CDF 200.303(a), a non-Federal entity must: Establish a maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal awards. These internal controls should comply with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The County was not able to provide documentation to show it ensured its subrecipients were audited as required by 2 CFR Part 200 Subpart F – Audit Requirements (Subpart F). Context: Exceptions were noted for 7 of 7 subrecipients selected for testing: • The County was unable to provide support that it ensured the subrecipient was audited as required by Subpart F. The County could not produce evidence of verification that the subrecipient’s Federal awards expended during the fiscal year were below the threshold set forth in section 200.501 Audit Requirements. Cause: The County did not establish effective internal controls and procedures over subrecipient monitoring. Effect: Without ensuring subrecipients have obtained audits as required by Subpart F, there is an increased risk that subrecipients could be inappropriately spending and/or inaccurately tracking and reporting federal funds over multiple years, and these discrepancies may not be properly monitored, detected, and corrected by the County personnel on a timely basis. Questioned Costs: Undetermined. Recommendation: The County should review and enhance internal controls and procedures to ensure that evaluation of independent audits is performed. Views of Responsible Officials: The County agrees with this finding. See separate Correction Action Plan related to this finding.
Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ALN 84.033 Federal Work-Study Program ALN 84.063 Federal Pell Grant Program ALN 84.268 Federal Direct Student Loan Program Name of Federal Agency Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) U.S. Department of Education (USDE) Type of Finding Internal Control/Compliance Category Significant deficiency Compliance Requirement Special Tests and Provisions Criteria Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4) requires the University to: a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: 1. Implement and periodically review access controls. 2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. 3. Encrypt customer information on the institution’s system and when it’s in transit. 4. Assess apps developed by the institution. 5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. 6. Dispose of customer information securely. 7. Anticipate and evaluate changes to the information system or network. 8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)). g) Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data. Condition During our audit procedures, we noted that the University risk assessment did not fully addressed all the elements required by (16 CFR 314.4). Accordingly, the following elements were missing: 1. Vulnerability test 2. Penetration test 3. No backup test was performed during year ended June 30, 2024. Cause In the past years there’s been a high turnover in the position of the qualified individual responsible for overseeing and implementing the University’s information cyber-security program. As a result, some of the procedures and policies established in the information cyber-security program risk assessment have not been consistently or continuously maintained, accordingly, the student personal information could be at risk. In addition, the USDE has informed through electronic announcements (EA), that “when an audit report that includes a GLBA audit finding is received, they will refer the audit to the Federal Trade Commission (FTC). Effect Once the finding is referred to the FTC, that finding will be considered closed for the USDE audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding. Identification of a repeat finding This is not a repeat finding from the immediate previous audit. Questioned cost N/A Context The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable. Recommendation We recommend that the University addresses the cause for the high turnover in the position of the qualified individual responsible for overseeing the implementation of policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c). Views of Responsible Officials and Planned Corrective Actions Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.
Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ALN 84.033 Federal Work-Study Program ALN 84.063 Federal Pell Grant Program ALN 84.268 Federal Direct Student Loan Program Name of Federal Agency Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) U.S. Department of Education (USDE) Type of Finding Internal Control/Compliance Category Significant deficiency Compliance Requirement Special Tests and Provisions Criteria Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4) requires the University to: a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: 1. Implement and periodically review access controls. 2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. 3. Encrypt customer information on the institution’s system and when it’s in transit. 4. Assess apps developed by the institution. 5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. 6. Dispose of customer information securely. 7. Anticipate and evaluate changes to the information system or network. 8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)). g) Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data. Condition During our audit procedures, we noted that the University risk assessment did not fully addressed all the elements required by (16 CFR 314.4). Accordingly, the following elements were missing: 1. Vulnerability test 2. Penetration test 3. No backup test was performed during year ended June 30, 2024. Cause In the past years there’s been a high turnover in the position of the qualified individual responsible for overseeing and implementing the University’s information cyber-security program. As a result, some of the procedures and policies established in the information cyber-security program risk assessment have not been consistently or continuously maintained, accordingly, the student personal information could be at risk. In addition, the USDE has informed through electronic announcements (EA), that “when an audit report that includes a GLBA audit finding is received, they will refer the audit to the Federal Trade Commission (FTC). Effect Once the finding is referred to the FTC, that finding will be considered closed for the USDE audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding. Identification of a repeat finding This is not a repeat finding from the immediate previous audit. Questioned cost N/A Context The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable. Recommendation We recommend that the University addresses the cause for the high turnover in the position of the qualified individual responsible for overseeing the implementation of policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c). Views of Responsible Officials and Planned Corrective Actions Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.
Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ALN 84.033 Federal Work-Study Program ALN 84.063 Federal Pell Grant Program ALN 84.268 Federal Direct Student Loan Program Name of Federal Agency Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) U.S. Department of Education (USDE) Type of Finding Internal Control/Compliance Category Significant deficiency Compliance Requirement Special Tests and Provisions Criteria Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4) requires the University to: a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: 1. Implement and periodically review access controls. 2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. 3. Encrypt customer information on the institution’s system and when it’s in transit. 4. Assess apps developed by the institution. 5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. 6. Dispose of customer information securely. 7. Anticipate and evaluate changes to the information system or network. 8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)). g) Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data. Condition During our audit procedures, we noted that the University risk assessment did not fully addressed all the elements required by (16 CFR 314.4). Accordingly, the following elements were missing: 1. Vulnerability test 2. Penetration test 3. No backup test was performed during year ended June 30, 2024. Cause In the past years there’s been a high turnover in the position of the qualified individual responsible for overseeing and implementing the University’s information cyber-security program. As a result, some of the procedures and policies established in the information cyber-security program risk assessment have not been consistently or continuously maintained, accordingly, the student personal information could be at risk. In addition, the USDE has informed through electronic announcements (EA), that “when an audit report that includes a GLBA audit finding is received, they will refer the audit to the Federal Trade Commission (FTC). Effect Once the finding is referred to the FTC, that finding will be considered closed for the USDE audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding. Identification of a repeat finding This is not a repeat finding from the immediate previous audit. Questioned cost N/A Context The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable. Recommendation We recommend that the University addresses the cause for the high turnover in the position of the qualified individual responsible for overseeing the implementation of policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c). Views of Responsible Officials and Planned Corrective Actions Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.
Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ALN 84.033 Federal Work-Study Program ALN 84.063 Federal Pell Grant Program ALN 84.268 Federal Direct Student Loan Program Name of Federal Agency Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) U.S. Department of Education (USDE) Type of Finding Internal Control/Compliance Category Significant deficiency Compliance Requirement Special Tests and Provisions Criteria Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4) requires the University to: a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: 1. Implement and periodically review access controls. 2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. 3. Encrypt customer information on the institution’s system and when it’s in transit. 4. Assess apps developed by the institution. 5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. 6. Dispose of customer information securely. 7. Anticipate and evaluate changes to the information system or network. 8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)). g) Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data. Condition During our audit procedures, we noted that the University risk assessment did not fully addressed all the elements required by (16 CFR 314.4). Accordingly, the following elements were missing: 1. Vulnerability test 2. Penetration test 3. No backup test was performed during year ended June 30, 2024. Cause In the past years there’s been a high turnover in the position of the qualified individual responsible for overseeing and implementing the University’s information cyber-security program. As a result, some of the procedures and policies established in the information cyber-security program risk assessment have not been consistently or continuously maintained, accordingly, the student personal information could be at risk. In addition, the USDE has informed through electronic announcements (EA), that “when an audit report that includes a GLBA audit finding is received, they will refer the audit to the Federal Trade Commission (FTC). Effect Once the finding is referred to the FTC, that finding will be considered closed for the USDE audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding. Identification of a repeat finding This is not a repeat finding from the immediate previous audit. Questioned cost N/A Context The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable. Recommendation We recommend that the University addresses the cause for the high turnover in the position of the qualified individual responsible for overseeing the implementation of policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c). Views of Responsible Officials and Planned Corrective Actions Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.
Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ALN 84.033 Federal Work-Study Program ALN 84.063 Federal Pell Grant Program ALN 84.268 Federal Direct Student Loan Program Name of Federal Agency Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) U.S. Department of Education (USDE) Type of Finding Internal Control/Compliance Category Significant deficiency Compliance Requirement Special Tests and Provisions Criteria Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4) requires the University to: a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: 1. Implement and periodically review access controls. 2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. 3. Encrypt customer information on the institution’s system and when it’s in transit. 4. Assess apps developed by the institution. 5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. 6. Dispose of customer information securely. 7. Anticipate and evaluate changes to the information system or network. 8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)). g) Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data. Condition During our audit procedures, we noted that the University risk assessment did not fully addressed all the elements required by (16 CFR 314.4). Accordingly, the following elements were missing: 1. Vulnerability test 2. Penetration test 3. No backup test was performed during year ended June 30, 2024. Cause In the past years there’s been a high turnover in the position of the qualified individual responsible for overseeing and implementing the University’s information cyber-security program. As a result, some of the procedures and policies established in the information cyber-security program risk assessment have not been consistently or continuously maintained, accordingly, the student personal information could be at risk. In addition, the USDE has informed through electronic announcements (EA), that “when an audit report that includes a GLBA audit finding is received, they will refer the audit to the Federal Trade Commission (FTC). Effect Once the finding is referred to the FTC, that finding will be considered closed for the USDE audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding. Identification of a repeat finding This is not a repeat finding from the immediate previous audit. Questioned cost N/A Context The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable. Recommendation We recommend that the University addresses the cause for the high turnover in the position of the qualified individual responsible for overseeing the implementation of policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c). Views of Responsible Officials and Planned Corrective Actions Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.
Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Section 6202 of Pub. L. No. 110-252, hereafter referred to as the “Transparency Act” that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Subaward information should be reported no later than the last day of the month following the month in which the subaward was made. Condition – The Department did not report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) for WIOA Cluster subrecipients. Cause – The Department did not have proper procedures in place to ensure the necessary reporting was completed. Effect – The Department was not in compliance with reporting first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS), as required by 2 CFR Part 170. Recommendation – The Department should establish policies and procedures to ensure first-tier subawards of $30,000 or more are reported to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Policies and procedures should ensure the reporting is reviewed and approved by an independent person who is knowledgeable about the program. This independent review should be documented by the reviewer’s signature or initials and date of review prior to submission. Response and Corrective Action Planned – As of the beginning of fiscal year 2025, the Department has established the necessary policies and procedures surrounding FFATA reporting, and all necessary reporting has been completed for the current fiscal year. Conclusion – Response accepted.
Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Section 6202 of Pub. L. No. 110-252, hereafter referred to as the “Transparency Act” that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Subaward information should be reported no later than the last day of the month following the month in which the subaward was made. Condition – The Department did not report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) for WIOA Cluster subrecipients. Cause – The Department did not have proper procedures in place to ensure the necessary reporting was completed. Effect – The Department was not in compliance with reporting first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS), as required by 2 CFR Part 170. Recommendation – The Department should establish policies and procedures to ensure first-tier subawards of $30,000 or more are reported to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Policies and procedures should ensure the reporting is reviewed and approved by an independent person who is knowledgeable about the program. This independent review should be documented by the reviewer’s signature or initials and date of review prior to submission. Response and Corrective Action Planned – As of the beginning of fiscal year 2025, the Department has established the necessary policies and procedures surrounding FFATA reporting, and all necessary reporting has been completed for the current fiscal year. Conclusion – Response accepted.
Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Section 6202 of Pub. L. No. 110-252, hereafter referred to as the “Transparency Act” that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Subaward information should be reported no later than the last day of the month following the month in which the subaward was made. Condition – The Department did not report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) for WIOA Cluster subrecipients. Cause – The Department did not have proper procedures in place to ensure the necessary reporting was completed. Effect – The Department was not in compliance with reporting first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS), as required by 2 CFR Part 170. Recommendation – The Department should establish policies and procedures to ensure first-tier subawards of $30,000 or more are reported to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Policies and procedures should ensure the reporting is reviewed and approved by an independent person who is knowledgeable about the program. This independent review should be documented by the reviewer’s signature or initials and date of review prior to submission. Response and Corrective Action Planned – As of the beginning of fiscal year 2025, the Department has established the necessary policies and procedures surrounding FFATA reporting, and all necessary reporting has been completed for the current fiscal year. Conclusion – Response accepted.
Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Section 6202 of Pub. L. No. 110-252, hereafter referred to as the “Transparency Act” that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Subaward information should be reported no later than the last day of the month following the month in which the subaward was made. Condition – The Department did not report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) for Weatherization Assistance for Low-Income subrecipients. Cause – The Department did not have proper procedures in place to ensure the necessary reporting was completed. Effect – The Department was not in compliance with reporting first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS), as required by 2 CFR Part 170. Recommendation – The Department should establish policies and procedures to ensure first-tier subawards of $30,000 or more are reported to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Policies and procedures should ensure the reporting is reviewed and approved by an independent person who is knowledgeable about the program. This independent review should be documented by the reviewer’s signature or initials and date of review prior to submission. Response and Corrective Action Planned – The Department now has a process in place for obtaining FFATA report information and submitting FFATA reports. The department will update existing policies and procedures to reflect the current process and will clearly assign FFATA reporting duties as well as provide FFATA training to department grant managers. In addition, the department is in the process of implementing monitoring activities to provide oversight of FFATA submission. Conclusion – Response accepted.
Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Section 6202 of Pub. L. No. 110-252, hereafter referred to as the “Transparency Act” that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Subaward information should be reported no later than the last day of the month following the month in which the subaward was made. Condition – The Department did not report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) for subrecipients. Cause – The Department did not have proper procedures in place to ensure the necessary reporting was completed. Effect – The Department was not in compliance with reporting first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS), as required by 2 CFR Part 170. Recommendation – The Department should establish policies and procedures to ensure first-tier subawards of $30,000 or more are reported to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Policies and procedures should ensure the reporting is reviewed and approved by an independent person who is knowledgeable about the program. This independent review should be documented by the reviewer’s signature or initials and date of review prior to submission. Response and Corrective Action Planned – The Department now has a process in place for obtaining FFATA report information and submitting FFATA reports. Of the awards noted above, FFATA reporting was completed for one of the four awards. The department will update existing policies and procedures to reflect the current process and will clearly assign FFATA reporting duties as well as provide FFATA training to department grant managers. In addition, the department is in the process of implementing monitoring activities to provide oversight of FFATA submission. Conclusion – Response acknowledged. Documentation was not provided which showed completion of FFATA reporting.
Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Section 6202 of Pub. L. No. 110-252, hereafter referred to as the “Transparency Act” that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Subaward information should be reported no later than the last day of the month following the month in which the subaward was made. Condition – The Department did not report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) for subrecipients. Cause – The Department did not have proper procedures in place to ensure the necessary reporting was completed. Effect – The Department was not in compliance with reporting first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS), as required by 2 CFR Part 170. Recommendation – The Department should establish policies and procedures to ensure first-tier subawards of $30,000 or more are reported to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Policies and procedures should ensure the reporting is reviewed and approved by an independent person who is knowledgeable about the program. This independent review should be documented by the reviewer’s signature or initials and date of review prior to submission. Response and Corrective Action Planned – The Department now has a process in place for obtaining FFATA report information and submitting FFATA reports. Of the awards noted above, FFATA reporting was completed for one of the four awards. The department will update existing policies and procedures to reflect the current process and will clearly assign FFATA reporting duties as well as provide FFATA training to department grant managers. In addition, the department is in the process of implementing monitoring activities to provide oversight of FFATA submission. Conclusion – Response acknowledged. Documentation was not provided which showed completion of FFATA reporting.
Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Section 6202 of Pub. L. No. 110-252, hereafter referred to as the “Transparency Act” that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Subaward information should be reported no later than the last day of the month following the month in which the subaward was made. Condition – The Department did not report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) for subrecipients. Cause – The Department did not have proper procedures in place to ensure the necessary reporting was completed. Effect – The Department was not in compliance with reporting first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS), as required by 2 CFR Part 170. Recommendation – The Department should establish policies and procedures to ensure first-tier subawards of $30,000 or more are reported to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Policies and procedures should ensure the reporting is reviewed and approved by an independent person who is knowledgeable about the program. This independent review should be documented by the reviewer’s signature or initials and date of review prior to submission. Response and Corrective Action Planned – The Department now has a process in place for obtaining FFATA report information and submitting FFATA reports. Of the awards noted above, FFATA reporting was completed for one of the four awards. The department will update existing policies and procedures to reflect the current process and will clearly assign FFATA reporting duties as well as provide FFATA training to department grant managers. In addition, the department is in the process of implementing monitoring activities to provide oversight of FFATA submission. Conclusion – Response acknowledged. Documentation was not provided which showed completion of FFATA reporting.
Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Section 6202 of Pub. L. No. 110-252, hereafter referred to as the “Transparency Act” that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Subaward information should be reported no later than the last day of the month following the month in which the subaward was made. Condition – The Department did not report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) for subrecipients. Cause – The Department did not have proper procedures in place to ensure the necessary reporting was completed. Effect – The Department was not in compliance with reporting first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS), as required by 2 CFR Part 170. Recommendation – The Department should establish policies and procedures to ensure first-tier subawards of $30,000 or more are reported to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Policies and procedures should ensure the reporting is reviewed and approved by an independent person who is knowledgeable about the program. This independent review should be documented by the reviewer’s signature or initials and date of review prior to submission. Response and Corrective Action Planned – The Department now has a process in place for obtaining FFATA report information and submitting FFATA reports. Of the awards noted above, FFATA reporting was completed for one of the four awards. The department will update existing policies and procedures to reflect the current process and will clearly assign FFATA reporting duties as well as provide FFATA training to department grant managers. In addition, the department is in the process of implementing monitoring activities to provide oversight of FFATA submission. Conclusion – Response acknowledged. Documentation was not provided which showed completion of FFATA reporting.
Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Section 6202 of Pub. L. No. 110-252, hereafter referred to as the “Transparency Act” that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Subaward information should be reported no later than the last day of the month following the month in which the subaward was made. Condition – The Department did not report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) for subrecipients. Cause – The Department did not have proper procedures in place to ensure the necessary reporting was completed. Effect – The Department was not in compliance with reporting first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS), as required by 2 CFR Part 170. Recommendation – The Department should establish policies and procedures to ensure first-tier subawards of $30,000 or more are reported to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Policies and procedures should ensure the reporting is reviewed and approved by an independent person who is knowledgeable about the program. This independent review should be documented by the reviewer’s signature or initials and date of review prior to submission. Response and Corrective Action Planned – The Department now has a process in place for obtaining FFATA report information and submitting FFATA reports. Of the awards noted above, FFATA reporting was completed for one of the four awards. The department will update existing policies and procedures to reflect the current process and will clearly assign FFATA reporting duties as well as provide FFATA training to department grant managers. In addition, the department is in the process of implementing monitoring activities to provide oversight of FFATA submission. Conclusion – Response acknowledged. Documentation was not provided which showed completion of FFATA reporting.
2024-005 CASH MANAGEMENT - SIGNIFICANT DEFICIENCY Federal Program Student Financial Assistance Cluster (ALN 84.007, 84.033, 84.063, and 84.268) Criteria The Code of Federal Regulations, 2 CFR 200.303, non-Federal entities receiving Federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations and program compliance requirements. Condition Evidence of approval to drawdown funds from the G5 system were not located by management. Cause Turnover within the accounting office and lack of proper oversight from management led to the lack of evidence to support the timing of drawdowns reported to be located and provided to the auditor. Effect The College’s lack of evidence to support drawdowns did not allow the auditor to test the cash management internal control over compliance requirement for the College. Questioned Costs None. Context There was significant turnover within the accounting office during the 2024 and 2023 fiscal year. The current staff was unable to locate the approval to draw funds from the grant website. It was noted and reviewed that the financial aid staff is performing a reconciliation of loans and awards issued to the applicable federal database. Repeat Finding Yes. 2023-007. Recommendation The College should revisit its internal control procedures to ensure that direct and material compliance requirements are being followed. This would include controls implemented to ensure processes are followed and assign accountability for completion. It is important to include a segregation of duties for the drawdown of grant funding and the reporting of the transaction. These procedures should be documented to allow new employees an understanding of the grant requirements and how they are fulfilled. Management Response See corrective action plan included in this report package.
2024-005 CASH MANAGEMENT - SIGNIFICANT DEFICIENCY Federal Program Student Financial Assistance Cluster (ALN 84.007, 84.033, 84.063, and 84.268) Criteria The Code of Federal Regulations, 2 CFR 200.303, non-Federal entities receiving Federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations and program compliance requirements. Condition Evidence of approval to drawdown funds from the G5 system were not located by management. Cause Turnover within the accounting office and lack of proper oversight from management led to the lack of evidence to support the timing of drawdowns reported to be located and provided to the auditor. Effect The College’s lack of evidence to support drawdowns did not allow the auditor to test the cash management internal control over compliance requirement for the College. Questioned Costs None. Context There was significant turnover within the accounting office during the 2024 and 2023 fiscal year. The current staff was unable to locate the approval to draw funds from the grant website. It was noted and reviewed that the financial aid staff is performing a reconciliation of loans and awards issued to the applicable federal database. Repeat Finding Yes. 2023-007. Recommendation The College should revisit its internal control procedures to ensure that direct and material compliance requirements are being followed. This would include controls implemented to ensure processes are followed and assign accountability for completion. It is important to include a segregation of duties for the drawdown of grant funding and the reporting of the transaction. These procedures should be documented to allow new employees an understanding of the grant requirements and how they are fulfilled. Management Response See corrective action plan included in this report package.
2024-005 CASH MANAGEMENT - SIGNIFICANT DEFICIENCY Federal Program Student Financial Assistance Cluster (ALN 84.007, 84.033, 84.063, and 84.268) Criteria The Code of Federal Regulations, 2 CFR 200.303, non-Federal entities receiving Federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations and program compliance requirements. Condition Evidence of approval to drawdown funds from the G5 system were not located by management. Cause Turnover within the accounting office and lack of proper oversight from management led to the lack of evidence to support the timing of drawdowns reported to be located and provided to the auditor. Effect The College’s lack of evidence to support drawdowns did not allow the auditor to test the cash management internal control over compliance requirement for the College. Questioned Costs None. Context There was significant turnover within the accounting office during the 2024 and 2023 fiscal year. The current staff was unable to locate the approval to draw funds from the grant website. It was noted and reviewed that the financial aid staff is performing a reconciliation of loans and awards issued to the applicable federal database. Repeat Finding Yes. 2023-007. Recommendation The College should revisit its internal control procedures to ensure that direct and material compliance requirements are being followed. This would include controls implemented to ensure processes are followed and assign accountability for completion. It is important to include a segregation of duties for the drawdown of grant funding and the reporting of the transaction. These procedures should be documented to allow new employees an understanding of the grant requirements and how they are fulfilled. Management Response See corrective action plan included in this report package.
2024-005 CASH MANAGEMENT - SIGNIFICANT DEFICIENCY Federal Program Student Financial Assistance Cluster (ALN 84.007, 84.033, 84.063, and 84.268) Criteria The Code of Federal Regulations, 2 CFR 200.303, non-Federal entities receiving Federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations and program compliance requirements. Condition Evidence of approval to drawdown funds from the G5 system were not located by management. Cause Turnover within the accounting office and lack of proper oversight from management led to the lack of evidence to support the timing of drawdowns reported to be located and provided to the auditor. Effect The College’s lack of evidence to support drawdowns did not allow the auditor to test the cash management internal control over compliance requirement for the College. Questioned Costs None. Context There was significant turnover within the accounting office during the 2024 and 2023 fiscal year. The current staff was unable to locate the approval to draw funds from the grant website. It was noted and reviewed that the financial aid staff is performing a reconciliation of loans and awards issued to the applicable federal database. Repeat Finding Yes. 2023-007. Recommendation The College should revisit its internal control procedures to ensure that direct and material compliance requirements are being followed. This would include controls implemented to ensure processes are followed and assign accountability for completion. It is important to include a segregation of duties for the drawdown of grant funding and the reporting of the transaction. These procedures should be documented to allow new employees an understanding of the grant requirements and how they are fulfilled. Management Response See corrective action plan included in this report package.
Finding 2024-3 Internal Controls over Compliance with Activities Allowed or Unallowed Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds 93.558 Temporary Assistance for Needy Families (TANF) Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 93.558: Ohio Department of Job and Family Services Award Numbers G-2425-17-0058; Franklin County Department of Job and Family Services Award Numbers 25-23-3662, 25-23-5698, 25-24-5859 Name of the federal agencies: 21.027 Department of the Treasury 93.558 Department of Health and Human Services Name of the applicable pass-through entities: 21.027: City of Columbus, Future Ready Five, Franklin County Department of Job and Family Services 93.558: Ohio Department of Job and Family Services and Franklin County Department of Job and Family Services Criteria or specific requirement (including statutory, regulatory, or other citation): The 2 CFR section 200.303 of the Uniform Guidance requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition: During the audit, it was noted that AFC was unable to provide journal entry approval for payroll charges for 20 out of 25 selections for both federal programs (20 each, 40 total) due to a recent change in the accounting system where approvals were not retained. During the audit, it was noted that the AFC was unable to provide invoice approvals for 5 out of 25 non-payroll charges to the 93.558 program and 3 out of 25 non-payroll charges related to the 21.027 program. Cause: The change in the accounting system led to disruptions in the documentation process, resulting in the inability to retrieve documentation of approval records for payroll and non-payroll charges to the federal programs. Effect or potential effect: Without adequate internal controls in place to ensure that all charges to the federal program are properly reviewed for allowability, AFC could be noncompliant with the allowability requirement and could request funds for costs that are unallowed. Questioned costs: None Context: AFC’s policies and procedures require that all payroll costs and non-payroll costs charged to federal awards must be supported by adequate approval documentation that demonstrates the allocability, allowability, and reasonableness of the expenses. Identification as a repeat finding, if applicable: Not applicable Recommendation: We recommend that AFC retain all approved documents related to charges to the federal programs. Views of responsible officials: Management agrees with the finding and recommendation.
Finding 2024-4 Internal Controls over Compliance and Compliance with Allowable Costs Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 Name of the federal agencies: 21.027 Department of the Treasury Name of the applicable pass-through entities: 21.027: City of Columbus, Future Ready Five, Franklin County Department of Job and Family Services Criteria or specific requirement (including statutory, regulatory, or other citation): The 2 CFR section 200.303 of the Uniform Guidance requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition: During the audit, it was noted that an employee’s time was improperly allocated to the improper grant. This misallocation resulted in inaccurate payroll expenses being reported for the respective grants/programs. Cause: Employee was miscoded when entering into the payroll register. Effect or potential effect: Without adequate internal controls in place to ensure that all charges to the federal program are properly reviewed for allowable costs, AFC could be noncompliant with the allowable costs requirement and could request funds for costs that are unallowed. Questioned costs: $3,860 Context: AFC’s policies and procedures did not detect a misallocation of employee’s time. An error of $3,860 was found in $14,396 total payroll tested. Identification as a repeat finding, if applicable: Not applicable Recommendation: We recommend that AFC implement a procedure to monitor employee allocations for accurate charging to grant programs. Views of responsible officials: Management agrees with the finding and recommendation.
Finding 2024-5 Internal Controls over Compliance and Compliance with Reporting Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds 93.558 Temporary Assistance for Needy Families (TANF) Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 93.558: Ohio Department of Job and Family Services Award Numbers G-2425-17-0058; Franklin County Department of Job and Family Services Award Numbers 25-23-3662, 25-23-5698, 25-24-5859 Name of the federal agencies: 21.027 Department of the Treasury 93.558 Department of Health and Human Services Name of the applicable pass-through entities: 21.027: City of Columbus, Future Ready Five, Franklin County Department of Job and Family Services 93.558: Ohio Department of Job and Family Services and Franklin County Department of Job and Family Services Criteria or specific requirement (including statutory, regulatory, or other citation): The 2 CFR section 200.303 of the Uniform Guidance requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition: During the audit, it was noted that AFC submitted required reports past their due date according to the grant agreements. During the audit, it was noted that AFC does not have a practice of internally reviewing the required reports before submitting them to grantors. Cause: The delays were attributed to the change in accounting system and change in personnel administering the reports. The absence of an internal review process is due to inadequate internal controls and oversight within the organization. There is no established procedure for verifying the accuracy and completeness of required reports before submission. Effect or potential effect: Without adequate internal controls in place to ensure that reports are submitted timely and are adequately reviewed, AFC could be noncompliant with the reporting requirement. Questioned costs: None Context: Reports were not submitted on time. Identification as a repeat finding, if applicable: Not applicable Recommendation: We recommend that AFC implement a procedure to track reporting due dates and to a procedure for verifying the accuracy and completeness of required reports before submission. Views of responsible officials: Management agrees with the finding and recommendation.
Finding 2024-3 Internal Controls over Compliance with Activities Allowed or Unallowed Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds 93.558 Temporary Assistance for Needy Families (TANF) Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 93.558: Ohio Department of Job and Family Services Award Numbers G-2425-17-0058; Franklin County Department of Job and Family Services Award Numbers 25-23-3662, 25-23-5698, 25-24-5859 Name of the federal agencies: 21.027 Department of the Treasury 93.558 Department of Health and Human Services Name of the applicable pass-through entities: 21.027: City of Columbus, Future Ready Five, Franklin County Department of Job and Family Services 93.558: Ohio Department of Job and Family Services and Franklin County Department of Job and Family Services Criteria or specific requirement (including statutory, regulatory, or other citation): The 2 CFR section 200.303 of the Uniform Guidance requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition: During the audit, it was noted that AFC was unable to provide journal entry approval for payroll charges for 20 out of 25 selections for both federal programs (20 each, 40 total) due to a recent change in the accounting system where approvals were not retained. During the audit, it was noted that the AFC was unable to provide invoice approvals for 5 out of 25 non-payroll charges to the 93.558 program and 3 out of 25 non-payroll charges related to the 21.027 program. Cause: The change in the accounting system led to disruptions in the documentation process, resulting in the inability to retrieve documentation of approval records for payroll and non-payroll charges to the federal programs. Effect or potential effect: Without adequate internal controls in place to ensure that all charges to the federal program are properly reviewed for allowability, AFC could be noncompliant with the allowability requirement and could request funds for costs that are unallowed. Questioned costs: None Context: AFC’s policies and procedures require that all payroll costs and non-payroll costs charged to federal awards must be supported by adequate approval documentation that demonstrates the allocability, allowability, and reasonableness of the expenses. Identification as a repeat finding, if applicable: Not applicable Recommendation: We recommend that AFC retain all approved documents related to charges to the federal programs. Views of responsible officials: Management agrees with the finding and recommendation.
Finding 2024-4 Internal Controls over Compliance and Compliance with Allowable Costs Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 Name of the federal agencies: 21.027 Department of the Treasury Name of the applicable pass-through entities: 21.027: City of Columbus, Future Ready Five, Franklin County Department of Job and Family Services Criteria or specific requirement (including statutory, regulatory, or other citation): The 2 CFR section 200.303 of the Uniform Guidance requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition: During the audit, it was noted that an employee’s time was improperly allocated to the improper grant. This misallocation resulted in inaccurate payroll expenses being reported for the respective grants/programs. Cause: Employee was miscoded when entering into the payroll register. Effect or potential effect: Without adequate internal controls in place to ensure that all charges to the federal program are properly reviewed for allowable costs, AFC could be noncompliant with the allowable costs requirement and could request funds for costs that are unallowed. Questioned costs: $3,860 Context: AFC’s policies and procedures did not detect a misallocation of employee’s time. An error of $3,860 was found in $14,396 total payroll tested. Identification as a repeat finding, if applicable: Not applicable Recommendation: We recommend that AFC implement a procedure to monitor employee allocations for accurate charging to grant programs. Views of responsible officials: Management agrees with the finding and recommendation.
Finding 2024-5 Internal Controls over Compliance and Compliance with Reporting Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds 93.558 Temporary Assistance for Needy Families (TANF) Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 93.558: Ohio Department of Job and Family Services Award Numbers G-2425-17-0058; Franklin County Department of Job and Family Services Award Numbers 25-23-3662, 25-23-5698, 25-24-5859 Name of the federal agencies: 21.027 Department of the Treasury 93.558 Department of Health and Human Services Name of the applicable pass-through entities: 21.027: City of Columbus, Future Ready Five, Franklin County Department of Job and Family Services 93.558: Ohio Department of Job and Family Services and Franklin County Department of Job and Family Services Criteria or specific requirement (including statutory, regulatory, or other citation): The 2 CFR section 200.303 of the Uniform Guidance requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition: During the audit, it was noted that AFC submitted required reports past their due date according to the grant agreements. During the audit, it was noted that AFC does not have a practice of internally reviewing the required reports before submitting them to grantors. Cause: The delays were attributed to the change in accounting system and change in personnel administering the reports. The absence of an internal review process is due to inadequate internal controls and oversight within the organization. There is no established procedure for verifying the accuracy and completeness of required reports before submission. Effect or potential effect: Without adequate internal controls in place to ensure that reports are submitted timely and are adequately reviewed, AFC could be noncompliant with the reporting requirement. Questioned costs: None Context: Reports were not submitted on time. Identification as a repeat finding, if applicable: Not applicable Recommendation: We recommend that AFC implement a procedure to track reporting due dates and to a procedure for verifying the accuracy and completeness of required reports before submission. Views of responsible officials: Management agrees with the finding and recommendation.
Finding 2024-3 Internal Controls over Compliance with Activities Allowed or Unallowed Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds 93.558 Temporary Assistance for Needy Families (TANF) Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 93.558: Ohio Department of Job and Family Services Award Numbers G-2425-17-0058; Franklin County Department of Job and Family Services Award Numbers 25-23-3662, 25-23-5698, 25-24-5859 Name of the federal agencies: 21.027 Department of the Treasury 93.558 Department of Health and Human Services Name of the applicable pass-through entities: 21.027: City of Columbus, Future Ready Five, Franklin County Department of Job and Family Services 93.558: Ohio Department of Job and Family Services and Franklin County Department of Job and Family Services Criteria or specific requirement (including statutory, regulatory, or other citation): The 2 CFR section 200.303 of the Uniform Guidance requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition: During the audit, it was noted that AFC was unable to provide journal entry approval for payroll charges for 20 out of 25 selections for both federal programs (20 each, 40 total) due to a recent change in the accounting system where approvals were not retained. During the audit, it was noted that the AFC was unable to provide invoice approvals for 5 out of 25 non-payroll charges to the 93.558 program and 3 out of 25 non-payroll charges related to the 21.027 program. Cause: The change in the accounting system led to disruptions in the documentation process, resulting in the inability to retrieve documentation of approval records for payroll and non-payroll charges to the federal programs. Effect or potential effect: Without adequate internal controls in place to ensure that all charges to the federal program are properly reviewed for allowability, AFC could be noncompliant with the allowability requirement and could request funds for costs that are unallowed. Questioned costs: None Context: AFC’s policies and procedures require that all payroll costs and non-payroll costs charged to federal awards must be supported by adequate approval documentation that demonstrates the allocability, allowability, and reasonableness of the expenses. Identification as a repeat finding, if applicable: Not applicable Recommendation: We recommend that AFC retain all approved documents related to charges to the federal programs. Views of responsible officials: Management agrees with the finding and recommendation.
Finding 2024-4 Internal Controls over Compliance and Compliance with Allowable Costs Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 Name of the federal agencies: 21.027 Department of the Treasury Name of the applicable pass-through entities: 21.027: City of Columbus, Future Ready Five, Franklin County Department of Job and Family Services Criteria or specific requirement (including statutory, regulatory, or other citation): The 2 CFR section 200.303 of the Uniform Guidance requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition: During the audit, it was noted that an employee’s time was improperly allocated to the improper grant. This misallocation resulted in inaccurate payroll expenses being reported for the respective grants/programs. Cause: Employee was miscoded when entering into the payroll register. Effect or potential effect: Without adequate internal controls in place to ensure that all charges to the federal program are properly reviewed for allowable costs, AFC could be noncompliant with the allowable costs requirement and could request funds for costs that are unallowed. Questioned costs: $3,860 Context: AFC’s policies and procedures did not detect a misallocation of employee’s time. An error of $3,860 was found in $14,396 total payroll tested. Identification as a repeat finding, if applicable: Not applicable Recommendation: We recommend that AFC implement a procedure to monitor employee allocations for accurate charging to grant programs. Views of responsible officials: Management agrees with the finding and recommendation.
Finding 2024-5 Internal Controls over Compliance and Compliance with Reporting Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds 93.558 Temporary Assistance for Needy Families (TANF) Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 93.558: Ohio Department of Job and Family Services Award Numbers G-2425-17-0058; Franklin County Department of Job and Family Services Award Numbers 25-23-3662, 25-23-5698, 25-24-5859 Name of the federal agencies: 21.027 Department of the Treasury 93.558 Department of Health and Human Services Name of the applicable pass-through entities: 21.027: City of Columbus, Future Ready Five, Franklin County Department of Job and Family Services 93.558: Ohio Department of Job and Family Services and Franklin County Department of Job and Family Services Criteria or specific requirement (including statutory, regulatory, or other citation): The 2 CFR section 200.303 of the Uniform Guidance requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition: During the audit, it was noted that AFC submitted required reports past their due date according to the grant agreements. During the audit, it was noted that AFC does not have a practice of internally reviewing the required reports before submitting them to grantors. Cause: The delays were attributed to the change in accounting system and change in personnel administering the reports. The absence of an internal review process is due to inadequate internal controls and oversight within the organization. There is no established procedure for verifying the accuracy and completeness of required reports before submission. Effect or potential effect: Without adequate internal controls in place to ensure that reports are submitted timely and are adequately reviewed, AFC could be noncompliant with the reporting requirement. Questioned costs: None Context: Reports were not submitted on time. Identification as a repeat finding, if applicable: Not applicable Recommendation: We recommend that AFC implement a procedure to track reporting due dates and to a procedure for verifying the accuracy and completeness of required reports before submission. Views of responsible officials: Management agrees with the finding and recommendation.
Finding 2024-3 Internal Controls over Compliance with Activities Allowed or Unallowed Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds 93.558 Temporary Assistance for Needy Families (TANF) Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 93.558: Ohio Department of Job and Family Services Award Numbers G-2425-17-0058; Franklin County Department of Job and Family Services Award Numbers 25-23-3662, 25-23-5698, 25-24-5859 Name of the federal agencies: 21.027 Department of the Treasury 93.558 Department of Health and Human Services Name of the applicable pass-through entities: 21.027: City of Columbus, Future Ready Five, Franklin County Department of Job and Family Services 93.558: Ohio Department of Job and Family Services and Franklin County Department of Job and Family Services Criteria or specific requirement (including statutory, regulatory, or other citation): The 2 CFR section 200.303 of the Uniform Guidance requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition: During the audit, it was noted that AFC was unable to provide journal entry approval for payroll charges for 20 out of 25 selections for both federal programs (20 each, 40 total) due to a recent change in the accounting system where approvals were not retained. During the audit, it was noted that the AFC was unable to provide invoice approvals for 5 out of 25 non-payroll charges to the 93.558 program and 3 out of 25 non-payroll charges related to the 21.027 program. Cause: The change in the accounting system led to disruptions in the documentation process, resulting in the inability to retrieve documentation of approval records for payroll and non-payroll charges to the federal programs. Effect or potential effect: Without adequate internal controls in place to ensure that all charges to the federal program are properly reviewed for allowability, AFC could be noncompliant with the allowability requirement and could request funds for costs that are unallowed. Questioned costs: None Context: AFC’s policies and procedures require that all payroll costs and non-payroll costs charged to federal awards must be supported by adequate approval documentation that demonstrates the allocability, allowability, and reasonableness of the expenses. Identification as a repeat finding, if applicable: Not applicable Recommendation: We recommend that AFC retain all approved documents related to charges to the federal programs. Views of responsible officials: Management agrees with the finding and recommendation.
Finding 2024-5 Internal Controls over Compliance and Compliance with Reporting Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds 93.558 Temporary Assistance for Needy Families (TANF) Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 93.558: Ohio Department of Job and Family Services Award Numbers G-2425-17-0058; Franklin County Department of Job and Family Services Award Numbers 25-23-3662, 25-23-5698, 25-24-5859 Name of the federal agencies: 21.027 Department of the Treasury 93.558 Department of Health and Human Services Name of the applicable pass-through entities: 21.027: City of Columbus, Future Ready Five, Franklin County Department of Job and Family Services 93.558: Ohio Department of Job and Family Services and Franklin County Department of Job and Family Services Criteria or specific requirement (including statutory, regulatory, or other citation): The 2 CFR section 200.303 of the Uniform Guidance requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition: During the audit, it was noted that AFC submitted required reports past their due date according to the grant agreements. During the audit, it was noted that AFC does not have a practice of internally reviewing the required reports before submitting them to grantors. Cause: The delays were attributed to the change in accounting system and change in personnel administering the reports. The absence of an internal review process is due to inadequate internal controls and oversight within the organization. There is no established procedure for verifying the accuracy and completeness of required reports before submission. Effect or potential effect: Without adequate internal controls in place to ensure that reports are submitted timely and are adequately reviewed, AFC could be noncompliant with the reporting requirement. Questioned costs: None Context: Reports were not submitted on time. Identification as a repeat finding, if applicable: Not applicable Recommendation: We recommend that AFC implement a procedure to track reporting due dates and to a procedure for verifying the accuracy and completeness of required reports before submission. Views of responsible officials: Management agrees with the finding and recommendation.
Finding 2024-3 Internal Controls over Compliance with Activities Allowed or Unallowed Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds 93.558 Temporary Assistance for Needy Families (TANF) Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 93.558: Ohio Department of Job and Family Services Award Numbers G-2425-17-0058; Franklin County Department of Job and Family Services Award Numbers 25-23-3662, 25-23-5698, 25-24-5859 Name of the federal agencies: 21.027 Department of the Treasury 93.558 Department of Health and Human Services Name of the applicable pass-through entities: 21.027: City of Columbus, Future Ready Five, Franklin County Department of Job and Family Services 93.558: Ohio Department of Job and Family Services and Franklin County Department of Job and Family Services Criteria or specific requirement (including statutory, regulatory, or other citation): The 2 CFR section 200.303 of the Uniform Guidance requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition: During the audit, it was noted that AFC was unable to provide journal entry approval for payroll charges for 20 out of 25 selections for both federal programs (20 each, 40 total) due to a recent change in the accounting system where approvals were not retained. During the audit, it was noted that the AFC was unable to provide invoice approvals for 5 out of 25 non-payroll charges to the 93.558 program and 3 out of 25 non-payroll charges related to the 21.027 program. Cause: The change in the accounting system led to disruptions in the documentation process, resulting in the inability to retrieve documentation of approval records for payroll and non-payroll charges to the federal programs. Effect or potential effect: Without adequate internal controls in place to ensure that all charges to the federal program are properly reviewed for allowability, AFC could be noncompliant with the allowability requirement and could request funds for costs that are unallowed. Questioned costs: None Context: AFC’s policies and procedures require that all payroll costs and non-payroll costs charged to federal awards must be supported by adequate approval documentation that demonstrates the allocability, allowability, and reasonableness of the expenses. Identification as a repeat finding, if applicable: Not applicable Recommendation: We recommend that AFC retain all approved documents related to charges to the federal programs. Views of responsible officials: Management agrees with the finding and recommendation.
Finding 2024-5 Internal Controls over Compliance and Compliance with Reporting Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds 93.558 Temporary Assistance for Needy Families (TANF) Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 93.558: Ohio Department of Job and Family Services Award Numbers G-2425-17-0058; Franklin County Department of Job and Family Services Award Numbers 25-23-3662, 25-23-5698, 25-24-5859 Name of the federal agencies: 21.027 Department of the Treasury 93.558 Department of Health and Human Services Name of the applicable pass-through entities: 21.027: City of Columbus, Future Ready Five, Franklin County Department of Job and Family Services 93.558: Ohio Department of Job and Family Services and Franklin County Department of Job and Family Services Criteria or specific requirement (including statutory, regulatory, or other citation): The 2 CFR section 200.303 of the Uniform Guidance requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition: During the audit, it was noted that AFC submitted required reports past their due date according to the grant agreements. During the audit, it was noted that AFC does not have a practice of internally reviewing the required reports before submitting them to grantors. Cause: The delays were attributed to the change in accounting system and change in personnel administering the reports. The absence of an internal review process is due to inadequate internal controls and oversight within the organization. There is no established procedure for verifying the accuracy and completeness of required reports before submission. Effect or potential effect: Without adequate internal controls in place to ensure that reports are submitted timely and are adequately reviewed, AFC could be noncompliant with the reporting requirement. Questioned costs: None Context: Reports were not submitted on time. Identification as a repeat finding, if applicable: Not applicable Recommendation: We recommend that AFC implement a procedure to track reporting due dates and to a procedure for verifying the accuracy and completeness of required reports before submission. Views of responsible officials: Management agrees with the finding and recommendation.
Finding 2024-3 Internal Controls over Compliance with Activities Allowed or Unallowed Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds 93.558 Temporary Assistance for Needy Families (TANF) Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 93.558: Ohio Department of Job and Family Services Award Numbers G-2425-17-0058; Franklin County Department of Job and Family Services Award Numbers 25-23-3662, 25-23-5698, 25-24-5859 Name of the federal agencies: 21.027 Department of the Treasury 93.558 Department of Health and Human Services Name of the applicable pass-through entities: 21.027: City of Columbus, Future Ready Five, Franklin County Department of Job and Family Services 93.558: Ohio Department of Job and Family Services and Franklin County Department of Job and Family Services Criteria or specific requirement (including statutory, regulatory, or other citation): The 2 CFR section 200.303 of the Uniform Guidance requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition: During the audit, it was noted that AFC was unable to provide journal entry approval for payroll charges for 20 out of 25 selections for both federal programs (20 each, 40 total) due to a recent change in the accounting system where approvals were not retained. During the audit, it was noted that the AFC was unable to provide invoice approvals for 5 out of 25 non-payroll charges to the 93.558 program and 3 out of 25 non-payroll charges related to the 21.027 program. Cause: The change in the accounting system led to disruptions in the documentation process, resulting in the inability to retrieve documentation of approval records for payroll and non-payroll charges to the federal programs. Effect or potential effect: Without adequate internal controls in place to ensure that all charges to the federal program are properly reviewed for allowability, AFC could be noncompliant with the allowability requirement and could request funds for costs that are unallowed. Questioned costs: None Context: AFC’s policies and procedures require that all payroll costs and non-payroll costs charged to federal awards must be supported by adequate approval documentation that demonstrates the allocability, allowability, and reasonableness of the expenses. Identification as a repeat finding, if applicable: Not applicable Recommendation: We recommend that AFC retain all approved documents related to charges to the federal programs. Views of responsible officials: Management agrees with the finding and recommendation.
Finding 2024-5 Internal Controls over Compliance and Compliance with Reporting Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds 93.558 Temporary Assistance for Needy Families (TANF) Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 93.558: Ohio Department of Job and Family Services Award Numbers G-2425-17-0058; Franklin County Department of Job and Family Services Award Numbers 25-23-3662, 25-23-5698, 25-24-5859 Name of the federal agencies: 21.027 Department of the Treasury 93.558 Department of Health and Human Services Name of the applicable pass-through entities: 21.027: City of Columbus, Future Ready Five, Franklin County Department of Job and Family Services 93.558: Ohio Department of Job and Family Services and Franklin County Department of Job and Family Services Criteria or specific requirement (including statutory, regulatory, or other citation): The 2 CFR section 200.303 of the Uniform Guidance requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition: During the audit, it was noted that AFC submitted required reports past their due date according to the grant agreements. During the audit, it was noted that AFC does not have a practice of internally reviewing the required reports before submitting them to grantors. Cause: The delays were attributed to the change in accounting system and change in personnel administering the reports. The absence of an internal review process is due to inadequate internal controls and oversight within the organization. There is no established procedure for verifying the accuracy and completeness of required reports before submission. Effect or potential effect: Without adequate internal controls in place to ensure that reports are submitted timely and are adequately reviewed, AFC could be noncompliant with the reporting requirement. Questioned costs: None Context: Reports were not submitted on time. Identification as a repeat finding, if applicable: Not applicable Recommendation: We recommend that AFC implement a procedure to track reporting due dates and to a procedure for verifying the accuracy and completeness of required reports before submission. Views of responsible officials: Management agrees with the finding and recommendation.
Assistance Listing Number: 21.027 Program Title: Coronavirus State and Local Fiscal Recovery Funds Federal Award Number: N/A Federal Award Year: 2023/2024 Pass Through Entity: Chicago Cook Workforce Partnership Criteria: In accordance with 2 CFR 200.303, the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Condition: The Organization is either lacking or has nonconforming written policies and procedures for the following administrative functions, required by0 the Uniform Guidance: 1. Financial management - 2 CFR 200.302(b)(6) - spacing 2. Allowable Costs - 2 CFR 200.302(b)(7) 3. Federal payment - 2 CFR 200.305(b)(1) 4. Procurement - 2 CFR 200.318(a) and 2 CFR 200.318(c)(1) 5. Competition - 2 CFR 200.319(d) 6. Methods of procurement to be followed - 2 CFR 200.320 7. Compensation (Personal Services) - 2 CFR 200.430(a)(1) 8. Compensation (Fringe Benefits - Leave) - 2 CFR 200.431(b)(1) 9. Relocation costs of employees - 2 CFR 200.464(a)(2) 10. Travel costs - 2 CFR 200.474 Questioned Costs: There are no questioned costs related to the items described above. Context: The conditions outlined above are based on our review of the Organization’s policies and procedures, which were found to be not in accordance with Uniform Guidance. Cause: The Organization was not aware of the specific Uniform Guidance requirements for certain written policies and procedures. Effect: The Organization did not have these policies and procedures in place to reasonably ensure that program functions are achieved effectively, efficiently and in compliance with Federal statutes, regulations, and the terms and conditions of the award. The Organization was not in compliance with the administrative requirements set forth in the Uniform Guidance. Repeat Finding: This is not a repeat finding. Recommendation: We recommend that the Organization design procedures and implement internal control procedures to ensure that the Uniform Guidance administrative requirements are met. Views of Responsible Officials and Corrective Action Plan: See corrective action plan attached to financial statements.
Criteria Requirement: According to 34 CFR Section 685.309, under the Federal Direct loan program, institutions must complete and return the Enrollment Reporting roster file via National Student Loan Data System (NSLDS) within 15 days of receipt. An institution determines how often it receives the Enrollment Reporting roster file with the default set at a minimum of every 60 days to ensure attendance changes for students are reported within 60 days of the change. An institution must notify the Secretary of Education if it discovers that a loan under Title IV of the Act was made to or on behalf of a student who was enrolled or accepted for enrollment at the school, and the student has ceased to be enrolled on at least a half -time basis or failed to enroll on at least a half-time basis for the period for which the loan was intended. Further, in accordance with 2 CFR 200.303(a), non-Federal entities must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non_x0002_Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition and Context: During our audit we found three (3) of forty (40) students selected for testing whose change in enrollment status from full time to withdrawn was not transmitted to NSLDS timely. The College reported the withdrawn status changes for these three students 61-65 days after they became aware of the status change. In addition, of these three students, the effective dates for two of the students were reported as 12/15/2023, however the effective date per supporting documentation was 12/16/2023. Cause and Effect: The condition resulted from the College’s internal controls not being designed at a level of precision to ensure all enrollment status changes are accurately and timely transmitted to NSLDS. Inaccurate and delayed submission of student enrollment status information affects the determinations that lenders and servicers of student loans make related to in-school status, deferments, grace periods, and repayment schedules, as well as the federal government's payment of interest subsidies. Identification of Questioned Costs: None. Whether the Sampling was a Statistically Valid Sample: The sample was not intended to be, and was not, a statistically valid sample. Identification of Whether the Audit Finding was a Repeat Finding: This is not a repeat finding. Recommendation: We recommend that the College review its processes to ensure that all enrollment changes are reported as intended within the required 60-day time frame. The College should work with NSC as needed to ensure proper protocols of transmission to NSLDS occur. Additionally, a review of the submitted enrollment changes to the NSLDS should be performed to ensure current student status is properly reflected.