2 CFR 200 § 200.303

Findings Citing § 200.303

Internal controls.

Total Findings
99,459
Across all audits in database
Showing Page
397 of 1990
50 findings per page
About this section
Section 200.303 requires recipients and subrecipients of Federal awards to establish and maintain effective internal controls to ensure compliance with Federal laws and award conditions. This section affects organizations receiving Federal funding, mandating them to monitor compliance, address noncompliance promptly, and protect sensitive information.
View full section details →
FY End: 2024-06-30
Rising Sun - Ohio County Community School Corporation
Compliance Requirement: L
FINDING 2024-002 Subject: COVID-19 - Education Stabilization Fund - Reporting Federal Agency: Department of Education Federal Program: COVID-19 - Education Stabilization Fund Assistance Listings Numbers: 84.425D, 84.425U Federal Award Numbers and Years (or Other Identifying Numbers): S425D210013, S425U210013 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Reporting Audit Findings: Material Weakness, Other Matters Condition and Context An effective internal control sy...

FINDING 2024-002 Subject: COVID-19 - Education Stabilization Fund - Reporting Federal Agency: Department of Education Federal Program: COVID-19 - Education Stabilization Fund Assistance Listings Numbers: 84.425D, 84.425U Federal Award Numbers and Years (or Other Identifying Numbers): S425D210013, S425U210013 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Reporting Audit Findings: Material Weakness, Other Matters Condition and Context An effective internal control system was not designed or implemented at the School Corporation to ensure compliance with requirements related to the grant agreement and the Reporting compliance requirement. The School Corporation had not designed, nor implemented, a system of internal controls to ensure that the annual Elementary and Secondary School Emergency Relief (ESSER) Data Collection reports (Reports) were complete and accurately submitted. The Reports were prepared and submitted by one employee without a documented oversight, review, or approval process in place to prevent, or detect and correct, errors. Due to the lack of effective internal controls, one of the four reports submitted during the audit period was not supported by the School Corporation's records. The following error was noted:  For the ESSER III, Year 3 Report, which covered the period July 1, 2022 to June 30, 2023, total expenses reported for Property: Addressing Physical Health and Safety - Mandatory Subgrant funds was $236,023. Total expenses reported for Personnel Services: Meeting Student's Academic, Social, Emotional, and Other Needs was $66,387, for a total of $302,410. This was an overstatement of $271,004. The lack of internal controls was a systemic issue throughout the audit period. Noncompliance was isolated to the ESSER III, Year 3 Report. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.334 states in part: "Financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for the Federal awards that are renewed quarterly or annual, from the date of submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. . . ." 2 CFR 200.302(b) states in part: "The financial management system of each non-Federal entity must provide for the following . . . (2) Accurate, current, and complete disclosure of the financial results of each Federal award or program in accordance with the reporting requirements set forth in §§ 200.328 and 200.329. . . ." 34 CFR 76.722 states: "A State may require a subgrantee to submit reports in a manner and format that assists the State in complying with the requirements under 34 CFR 76.720 and in carrying out other responsibilities under the program." Cause A proper system of internal controls was not designed by management of the School Corporation. Two employees collaborated on the preparation of the reports, but there was no documented review of the completed reports by someone other than the preparers to detect errors prior to submission. Effect Without the proper implementation of an effectively designed system of internal controls, the internal control system cannot be capable of effectively preventing, or detecting and correcting, material noncompliance. As a result, the ESSER III, Year 3 Report was not supported by the School Corporation's records. Questioned Costs There were no questioned costs identified. Recommendation We recommended that management of the School Corporation establish a proper system of internal controls and develop policies and procedures to ensure that all reports are supported by the School Corporation's records. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.

FY End: 2024-06-30
California Baptist University
Compliance Requirement: N
Criteria: In accordance with 34 CFR Section 668.173 (b) and 2 CFR 200.303, the institutional portion of unearned aid must be returned to the appropriate Title IV, HEA program or Federal Family Education Loan (“FFEL”) lender no later than 45 days after the date of the institution’s determination that the student withdrew. Furthermore, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student’s withdrawal date. The Compliance Supplemen...

Criteria: In accordance with 34 CFR Section 668.173 (b) and 2 CFR 200.303, the institutional portion of unearned aid must be returned to the appropriate Title IV, HEA program or Federal Family Education Loan (“FFEL”) lender no later than 45 days after the date of the institution’s determination that the student withdrew. Furthermore, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student’s withdrawal date. The Compliance Supplement issued by the Office of Management and Budget requires auditors to review the return of Title IV funds determinations/calculations for conformity with Title IV requirements. Furthermore, according to 34 CFR 668.22, all grant funds relating to post-withdrawal disbursements that are not disbursed to the student’s account, must be disbursed to the student no later than 180 days after the date of the institution’s determination that the student withdrew. Condition: It was noted during our testing of R2T4 calculations that two of 40 students selected for testing had instances of non-compliance. Specifically, one student’s return was not received within the 45-day time limit and one student’s return was not calculated correctly. Questioned Costs: $1,886 Context: During our audit procedures, we noted below instances for R2T4 testing: - One of the 40 total students’ return was not returned within the 45-days requirement. - One of the 40 total student’s R2T4 was incorrectly calculated, resulting in $1,866 in excess funds being returned by the University. Cause: The University implemented controls during the year to improve compliance with Title IV regulations, resulting in a significant reduction in the number of instances of noncompliance (from seven in prior year to one in the current year). Due to the timing of the implementation of these controls, instances of noncompliance with Title IV regulations were still identified. Effect: The cause identified resulted in noncompliance with Title IV regulations. Repeat Finding: Yes, see Finding 2023-001. Recommendation: We recommend that the University improve the existing procedures and controls to ensure compliance with the aforementioned criteria. Views of responsible officials: Management concurs with the finding.

FY End: 2024-06-30
California Baptist University
Compliance Requirement: N
Criteria: In accordance with 34 CFR Section 668.173 (b) and 2 CFR 200.303, the institutional portion of unearned aid must be returned to the appropriate Title IV, HEA program or Federal Family Education Loan (“FFEL”) lender no later than 45 days after the date of the institution’s determination that the student withdrew. Furthermore, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student’s withdrawal date. The Compliance Supplemen...

Criteria: In accordance with 34 CFR Section 668.173 (b) and 2 CFR 200.303, the institutional portion of unearned aid must be returned to the appropriate Title IV, HEA program or Federal Family Education Loan (“FFEL”) lender no later than 45 days after the date of the institution’s determination that the student withdrew. Furthermore, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student’s withdrawal date. The Compliance Supplement issued by the Office of Management and Budget requires auditors to review the return of Title IV funds determinations/calculations for conformity with Title IV requirements. Furthermore, according to 34 CFR 668.22, all grant funds relating to post-withdrawal disbursements that are not disbursed to the student’s account, must be disbursed to the student no later than 180 days after the date of the institution’s determination that the student withdrew. Condition: It was noted during our testing of R2T4 calculations that two of 40 students selected for testing had instances of non-compliance. Specifically, one student’s return was not received within the 45-day time limit and one student’s return was not calculated correctly. Questioned Costs: $1,886 Context: During our audit procedures, we noted below instances for R2T4 testing: - One of the 40 total students’ return was not returned within the 45-days requirement. - One of the 40 total student’s R2T4 was incorrectly calculated, resulting in $1,866 in excess funds being returned by the University. Cause: The University implemented controls during the year to improve compliance with Title IV regulations, resulting in a significant reduction in the number of instances of noncompliance (from seven in prior year to one in the current year). Due to the timing of the implementation of these controls, instances of noncompliance with Title IV regulations were still identified. Effect: The cause identified resulted in noncompliance with Title IV regulations. Repeat Finding: Yes, see Finding 2023-001. Recommendation: We recommend that the University improve the existing procedures and controls to ensure compliance with the aforementioned criteria. Views of responsible officials: Management concurs with the finding.

FY End: 2024-06-30
California Baptist University
Compliance Requirement: N
Criteria: In accordance with 34 CFR Section 668.173 (b) and 2 CFR 200.303, the institutional portion of unearned aid must be returned to the appropriate Title IV, HEA program or Federal Family Education Loan (“FFEL”) lender no later than 45 days after the date of the institution’s determination that the student withdrew. Furthermore, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student’s withdrawal date. The Compliance Supplemen...

Criteria: In accordance with 34 CFR Section 668.173 (b) and 2 CFR 200.303, the institutional portion of unearned aid must be returned to the appropriate Title IV, HEA program or Federal Family Education Loan (“FFEL”) lender no later than 45 days after the date of the institution’s determination that the student withdrew. Furthermore, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student’s withdrawal date. The Compliance Supplement issued by the Office of Management and Budget requires auditors to review the return of Title IV funds determinations/calculations for conformity with Title IV requirements. Furthermore, according to 34 CFR 668.22, all grant funds relating to post-withdrawal disbursements that are not disbursed to the student’s account, must be disbursed to the student no later than 180 days after the date of the institution’s determination that the student withdrew. Condition: It was noted during our testing of R2T4 calculations that two of 40 students selected for testing had instances of non-compliance. Specifically, one student’s return was not received within the 45-day time limit and one student’s return was not calculated correctly. Questioned Costs: $1,886 Context: During our audit procedures, we noted below instances for R2T4 testing: - One of the 40 total students’ return was not returned within the 45-days requirement. - One of the 40 total student’s R2T4 was incorrectly calculated, resulting in $1,866 in excess funds being returned by the University. Cause: The University implemented controls during the year to improve compliance with Title IV regulations, resulting in a significant reduction in the number of instances of noncompliance (from seven in prior year to one in the current year). Due to the timing of the implementation of these controls, instances of noncompliance with Title IV regulations were still identified. Effect: The cause identified resulted in noncompliance with Title IV regulations. Repeat Finding: Yes, see Finding 2023-001. Recommendation: We recommend that the University improve the existing procedures and controls to ensure compliance with the aforementioned criteria. Views of responsible officials: Management concurs with the finding.

FY End: 2024-06-30
California Baptist University
Compliance Requirement: N
Criteria: In accordance with 34 CFR Section 668.173 (b) and 2 CFR 200.303, the institutional portion of unearned aid must be returned to the appropriate Title IV, HEA program or Federal Family Education Loan (“FFEL”) lender no later than 45 days after the date of the institution’s determination that the student withdrew. Furthermore, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student’s withdrawal date. The Compliance Supplemen...

Criteria: In accordance with 34 CFR Section 668.173 (b) and 2 CFR 200.303, the institutional portion of unearned aid must be returned to the appropriate Title IV, HEA program or Federal Family Education Loan (“FFEL”) lender no later than 45 days after the date of the institution’s determination that the student withdrew. Furthermore, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student’s withdrawal date. The Compliance Supplement issued by the Office of Management and Budget requires auditors to review the return of Title IV funds determinations/calculations for conformity with Title IV requirements. Furthermore, according to 34 CFR 668.22, all grant funds relating to post-withdrawal disbursements that are not disbursed to the student’s account, must be disbursed to the student no later than 180 days after the date of the institution’s determination that the student withdrew. Condition: It was noted during our testing of R2T4 calculations that two of 40 students selected for testing had instances of non-compliance. Specifically, one student’s return was not received within the 45-day time limit and one student’s return was not calculated correctly. Questioned Costs: $1,886 Context: During our audit procedures, we noted below instances for R2T4 testing: - One of the 40 total students’ return was not returned within the 45-days requirement. - One of the 40 total student’s R2T4 was incorrectly calculated, resulting in $1,866 in excess funds being returned by the University. Cause: The University implemented controls during the year to improve compliance with Title IV regulations, resulting in a significant reduction in the number of instances of noncompliance (from seven in prior year to one in the current year). Due to the timing of the implementation of these controls, instances of noncompliance with Title IV regulations were still identified. Effect: The cause identified resulted in noncompliance with Title IV regulations. Repeat Finding: Yes, see Finding 2023-001. Recommendation: We recommend that the University improve the existing procedures and controls to ensure compliance with the aforementioned criteria. Views of responsible officials: Management concurs with the finding.

FY End: 2024-06-30
California Baptist University
Compliance Requirement: N
Criteria: In accordance with 34 CFR Section 668.173 (b) and 2 CFR 200.303, the institutional portion of unearned aid must be returned to the appropriate Title IV, HEA program or Federal Family Education Loan (“FFEL”) lender no later than 45 days after the date of the institution’s determination that the student withdrew. Furthermore, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student’s withdrawal date. The Compliance Supplemen...

Criteria: In accordance with 34 CFR Section 668.173 (b) and 2 CFR 200.303, the institutional portion of unearned aid must be returned to the appropriate Title IV, HEA program or Federal Family Education Loan (“FFEL”) lender no later than 45 days after the date of the institution’s determination that the student withdrew. Furthermore, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student’s withdrawal date. The Compliance Supplement issued by the Office of Management and Budget requires auditors to review the return of Title IV funds determinations/calculations for conformity with Title IV requirements. Furthermore, according to 34 CFR 668.22, all grant funds relating to post-withdrawal disbursements that are not disbursed to the student’s account, must be disbursed to the student no later than 180 days after the date of the institution’s determination that the student withdrew. Condition: It was noted during our testing of R2T4 calculations that two of 40 students selected for testing had instances of non-compliance. Specifically, one student’s return was not received within the 45-day time limit and one student’s return was not calculated correctly. Questioned Costs: $1,886 Context: During our audit procedures, we noted below instances for R2T4 testing: - One of the 40 total students’ return was not returned within the 45-days requirement. - One of the 40 total student’s R2T4 was incorrectly calculated, resulting in $1,866 in excess funds being returned by the University. Cause: The University implemented controls during the year to improve compliance with Title IV regulations, resulting in a significant reduction in the number of instances of noncompliance (from seven in prior year to one in the current year). Due to the timing of the implementation of these controls, instances of noncompliance with Title IV regulations were still identified. Effect: The cause identified resulted in noncompliance with Title IV regulations. Repeat Finding: Yes, see Finding 2023-001. Recommendation: We recommend that the University improve the existing procedures and controls to ensure compliance with the aforementioned criteria. Views of responsible officials: Management concurs with the finding.

FY End: 2024-06-30
California Baptist University
Compliance Requirement: N
Criteria: In accordance with 34 CFR Section 668.173 (b) and 2 CFR 200.303, the institutional portion of unearned aid must be returned to the appropriate Title IV, HEA program or Federal Family Education Loan (“FFEL”) lender no later than 45 days after the date of the institution’s determination that the student withdrew. Furthermore, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student’s withdrawal date. The Compliance Supplemen...

Criteria: In accordance with 34 CFR Section 668.173 (b) and 2 CFR 200.303, the institutional portion of unearned aid must be returned to the appropriate Title IV, HEA program or Federal Family Education Loan (“FFEL”) lender no later than 45 days after the date of the institution’s determination that the student withdrew. Furthermore, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student’s withdrawal date. The Compliance Supplement issued by the Office of Management and Budget requires auditors to review the return of Title IV funds determinations/calculations for conformity with Title IV requirements. Furthermore, according to 34 CFR 668.22, all grant funds relating to post-withdrawal disbursements that are not disbursed to the student’s account, must be disbursed to the student no later than 180 days after the date of the institution’s determination that the student withdrew. Condition: It was noted during our testing of R2T4 calculations that two of 40 students selected for testing had instances of non-compliance. Specifically, one student’s return was not received within the 45-day time limit and one student’s return was not calculated correctly. Questioned Costs: $1,886 Context: During our audit procedures, we noted below instances for R2T4 testing: - One of the 40 total students’ return was not returned within the 45-days requirement. - One of the 40 total student’s R2T4 was incorrectly calculated, resulting in $1,866 in excess funds being returned by the University. Cause: The University implemented controls during the year to improve compliance with Title IV regulations, resulting in a significant reduction in the number of instances of noncompliance (from seven in prior year to one in the current year). Due to the timing of the implementation of these controls, instances of noncompliance with Title IV regulations were still identified. Effect: The cause identified resulted in noncompliance with Title IV regulations. Repeat Finding: Yes, see Finding 2023-001. Recommendation: We recommend that the University improve the existing procedures and controls to ensure compliance with the aforementioned criteria. Views of responsible officials: Management concurs with the finding.

FY End: 2024-06-30
California Baptist University
Compliance Requirement: N
Criteria: In accordance with 34 CFR Section 668.173 (b) and 2 CFR 200.303, the institutional portion of unearned aid must be returned to the appropriate Title IV, HEA program or Federal Family Education Loan (“FFEL”) lender no later than 45 days after the date of the institution’s determination that the student withdrew. Furthermore, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student’s withdrawal date. The Compliance Supplemen...

Criteria: In accordance with 34 CFR Section 668.173 (b) and 2 CFR 200.303, the institutional portion of unearned aid must be returned to the appropriate Title IV, HEA program or Federal Family Education Loan (“FFEL”) lender no later than 45 days after the date of the institution’s determination that the student withdrew. Furthermore, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student’s withdrawal date. The Compliance Supplement issued by the Office of Management and Budget requires auditors to review the return of Title IV funds determinations/calculations for conformity with Title IV requirements. Furthermore, according to 34 CFR 668.22, all grant funds relating to post-withdrawal disbursements that are not disbursed to the student’s account, must be disbursed to the student no later than 180 days after the date of the institution’s determination that the student withdrew. Condition: It was noted during our testing of R2T4 calculations that two of 40 students selected for testing had instances of non-compliance. Specifically, one student’s return was not received within the 45-day time limit and one student’s return was not calculated correctly. Questioned Costs: $1,886 Context: During our audit procedures, we noted below instances for R2T4 testing: - One of the 40 total students’ return was not returned within the 45-days requirement. - One of the 40 total student’s R2T4 was incorrectly calculated, resulting in $1,866 in excess funds being returned by the University. Cause: The University implemented controls during the year to improve compliance with Title IV regulations, resulting in a significant reduction in the number of instances of noncompliance (from seven in prior year to one in the current year). Due to the timing of the implementation of these controls, instances of noncompliance with Title IV regulations were still identified. Effect: The cause identified resulted in noncompliance with Title IV regulations. Repeat Finding: Yes, see Finding 2023-001. Recommendation: We recommend that the University improve the existing procedures and controls to ensure compliance with the aforementioned criteria. Views of responsible officials: Management concurs with the finding.

FY End: 2024-06-30
California Baptist University
Compliance Requirement: N
Criteria: In accordance with 34 CFR Section 668.173 (b) and 2 CFR 200.303, the institutional portion of unearned aid must be returned to the appropriate Title IV, HEA program or Federal Family Education Loan (“FFEL”) lender no later than 45 days after the date of the institution’s determination that the student withdrew. Furthermore, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student’s withdrawal date. The Compliance Supplemen...

Criteria: In accordance with 34 CFR Section 668.173 (b) and 2 CFR 200.303, the institutional portion of unearned aid must be returned to the appropriate Title IV, HEA program or Federal Family Education Loan (“FFEL”) lender no later than 45 days after the date of the institution’s determination that the student withdrew. Furthermore, the institution must determine the amount of Title IV grant or loan assistance that the student earned as of the student’s withdrawal date. The Compliance Supplement issued by the Office of Management and Budget requires auditors to review the return of Title IV funds determinations/calculations for conformity with Title IV requirements. Furthermore, according to 34 CFR 668.22, all grant funds relating to post-withdrawal disbursements that are not disbursed to the student’s account, must be disbursed to the student no later than 180 days after the date of the institution’s determination that the student withdrew. Condition: It was noted during our testing of R2T4 calculations that two of 40 students selected for testing had instances of non-compliance. Specifically, one student’s return was not received within the 45-day time limit and one student’s return was not calculated correctly. Questioned Costs: $1,886 Context: During our audit procedures, we noted below instances for R2T4 testing: - One of the 40 total students’ return was not returned within the 45-days requirement. - One of the 40 total student’s R2T4 was incorrectly calculated, resulting in $1,866 in excess funds being returned by the University. Cause: The University implemented controls during the year to improve compliance with Title IV regulations, resulting in a significant reduction in the number of instances of noncompliance (from seven in prior year to one in the current year). Due to the timing of the implementation of these controls, instances of noncompliance with Title IV regulations were still identified. Effect: The cause identified resulted in noncompliance with Title IV regulations. Repeat Finding: Yes, see Finding 2023-001. Recommendation: We recommend that the University improve the existing procedures and controls to ensure compliance with the aforementioned criteria. Views of responsible officials: Management concurs with the finding.

FY End: 2024-06-30
Mount St. Mary's University
Compliance Requirement: F
Finding 2024-001 – Equipment and Real Property Management — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure co...

Finding 2024-001 – Equipment and Real Property Management — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Also, in accordance with 2 CFR 200.313(d)(1), property records must be maintained that included a description of the property, a serial number or other identification number, the source of funding for the property (including the federal award identification number), who holds title, the acquisition date, cost of the property, percentage of federal participation in the project costs for the federal award under which the property was acquired, the location, use and condition of the property, and any ultimate disposition data including the date of disposal and sales price of the property. In accordance with 2 CFR 200.313(d)(2), a physical inventory of equipment and property must be taken, and the results reconciled with property records at least once every two years. Condition: The University’s controls were not operating effectively to reasonably ensure the University maintained property records with the above required information and performed the required physical inventory of equipment within the two previous years. As a result, the University did not comply with the compliance requirements for equipment and real property management. Cause: The University does not have processes and procedures in place related to equipment management, tracking and required physical inventories. Effect or potential effect: The University is not in compliance with federal grant requirements over the tracking and physical inventory of equipment. Improper equipment management procedures could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: The University has five pieces of qualified equipment with an aggregate cost of approximately $119,000. For all sample selections tested in the major program, there was no process of tagging and tracking equipment purchased with federal funding, nor was there any evidence that physical inventories had been performed. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to tag and track the equipment purchased with federal funding, and maintain support that physical inventories were performed as required. View of responsible officials: Management agrees with this finding. See corrective action plan.

FY End: 2024-06-30
Mount St. Mary's University
Compliance Requirement: I
Finding 2024-002 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ens...

Finding 2024-002 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure procurement methods outline by the University are properly followed. In accordance with 2 CFR 200.320, price quotations should be obtained from an adequate number of qualified sources for procurements that meet the small purchase procurement threshold. Condition: The University’s controls were not operating effectively to reasonably ensure the University obtained the proper number of price quotations as required using the small purchase procurement method. The University’s procurement policy requires price quotations be obtained from at least two sources when using the small purchase procurement method. The University only obtained one price quotation and no written documentation as the rational for selection was maintained. As a result, the University did not comply with the compliance requirements for procurement. Cause: The University does not have processes and procedures in place to ensure all procurements of goods and services are in accordance with Uniform Guidance and in accordance with it’s own procurement policy. Effect or potential effect: The University is not in compliance with federal grant requirements over small purchase procurements. Improper procurement procedures could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: For all sample selections tested in the major program, one price quotation was obtained and no documentation was maintained as to the rationale for selection of the underlying vendor. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to obtain the required number of price quotations required under the small purchase procurement method, and maintain support for the required number of price quotations received under the small purchase procurement method. View of responsible officials: Management agrees with this finding. See corrective action plan.

FY End: 2024-06-30
Mount St. Mary's University
Compliance Requirement: I
Finding 2024-003 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensu...

Finding 2024-003 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure vendors are not suspended or debarred. In accordance with 2 CFR 200.212 and 200.318(h)), when a nonfederal entity enters into a contract or purchase with an entity (vendor or subrecipient), the nonfederal entity must verify the entity is not suspended or debarred from participation in federal programs/grants when expending $25,000 or more in a year (or any amount in the case of a subrecipient). Condition: The University’s controls were not operating effectively to reasonably ensure the University verified the vendor was not suspended or debarred from participation in federal programs/grants prior to entering into a contract with the vendor. The University’s procurement policy requires vendor transactions equal to or greater than $25,000 undergo verification to ensure the vendor is not suspended or debarred, prior to entering into a contract with the vendor. Cause: A lack of controls to reasonably ensure this verification was performed. Effect or potential effect: The University did not have controls in place to reasonably ensure compliance with suspension and debarment requirements of the Uniform Guidance. The potential effect is submitting unallowable costs, or loss of federal funding. Questioned costs: $0 Context: For all sample selections tested in the major program, documentation was not maintained that could provide evidence that the University had performed the required verification. None of the samples tested were identified as suspended or debarred entities. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop proper controls and procedures to determine whether vendors have been suspended or debarred prior to entering into contracts or purchase orders for all transactions, and maintain documentation supporting this verification. View of responsible officials: Management agrees with this finding. See corrective action plan.

FY End: 2024-06-30
Mount St. Mary's University
Compliance Requirement: M
Finding 2024-004 – Subrecipient Monitoring — Material Weakness Department of Health and Human Services Research and Development Cluster National Science Foundation, Assistance Listing No. 47.076 (STEM Education) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Eff...

Finding 2024-004 – Subrecipient Monitoring — Material Weakness Department of Health and Human Services Research and Development Cluster National Science Foundation, Assistance Listing No. 47.076 (STEM Education) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure that risk assessment and monitoring are formally documented over subrecipient monitoring. In accordance with 2 CFR 200.332(b) and 2 CFR 200.332(e), a pass-through entity is required to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of each sub-award for purposes of determining appropriate subrecipient monitoring requirements. Depending on the risk assessment, the pass-through entity should identify monitoring procedures to be performed in order to ensure proper accountability and compliance with program requirements and achievements of performance goals. Condition: The University’s controls were not operating effectively to reasonably ensure the University performed risk assessment and monitoring procedures for its subrecipients. As a result, the University did not comply with the compliance requirements for subrecipient monitoring. Cause: The University does not have processes and procedures in place related to risk assessment and subrecipient monitoring. Effect or potential effect: The University is not in compliance with federal grant requirements over subrecipient monitoring. Lack of properly documented evidence of subrecipient monitoring policies and procedures performed, including required risk assessments, could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: The University has two active awards under the program with subrecipients with an aggregate award value of approximately $71,000. The University has two subrecipients and for both subrecipients tested in the major program, there was no evidence that a risk assessment or monitoring of those subrecipients was performed. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to perform the required risk assessments and related monitoring, and maintain support that the risk assessments and related monitoring were performed as required. View of responsible officials: Management agrees with this finding. See corrective action plan.

FY End: 2024-06-30
Mount St. Mary's University
Compliance Requirement: F
Finding 2024-001 – Equipment and Real Property Management — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure co...

Finding 2024-001 – Equipment and Real Property Management — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Also, in accordance with 2 CFR 200.313(d)(1), property records must be maintained that included a description of the property, a serial number or other identification number, the source of funding for the property (including the federal award identification number), who holds title, the acquisition date, cost of the property, percentage of federal participation in the project costs for the federal award under which the property was acquired, the location, use and condition of the property, and any ultimate disposition data including the date of disposal and sales price of the property. In accordance with 2 CFR 200.313(d)(2), a physical inventory of equipment and property must be taken, and the results reconciled with property records at least once every two years. Condition: The University’s controls were not operating effectively to reasonably ensure the University maintained property records with the above required information and performed the required physical inventory of equipment within the two previous years. As a result, the University did not comply with the compliance requirements for equipment and real property management. Cause: The University does not have processes and procedures in place related to equipment management, tracking and required physical inventories. Effect or potential effect: The University is not in compliance with federal grant requirements over the tracking and physical inventory of equipment. Improper equipment management procedures could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: The University has five pieces of qualified equipment with an aggregate cost of approximately $119,000. For all sample selections tested in the major program, there was no process of tagging and tracking equipment purchased with federal funding, nor was there any evidence that physical inventories had been performed. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to tag and track the equipment purchased with federal funding, and maintain support that physical inventories were performed as required. View of responsible officials: Management agrees with this finding. See corrective action plan.

FY End: 2024-06-30
Mount St. Mary's University
Compliance Requirement: I
Finding 2024-002 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ens...

Finding 2024-002 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure procurement methods outline by the University are properly followed. In accordance with 2 CFR 200.320, price quotations should be obtained from an adequate number of qualified sources for procurements that meet the small purchase procurement threshold. Condition: The University’s controls were not operating effectively to reasonably ensure the University obtained the proper number of price quotations as required using the small purchase procurement method. The University’s procurement policy requires price quotations be obtained from at least two sources when using the small purchase procurement method. The University only obtained one price quotation and no written documentation as the rational for selection was maintained. As a result, the University did not comply with the compliance requirements for procurement. Cause: The University does not have processes and procedures in place to ensure all procurements of goods and services are in accordance with Uniform Guidance and in accordance with it’s own procurement policy. Effect or potential effect: The University is not in compliance with federal grant requirements over small purchase procurements. Improper procurement procedures could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: For all sample selections tested in the major program, one price quotation was obtained and no documentation was maintained as to the rationale for selection of the underlying vendor. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to obtain the required number of price quotations required under the small purchase procurement method, and maintain support for the required number of price quotations received under the small purchase procurement method. View of responsible officials: Management agrees with this finding. See corrective action plan.

FY End: 2024-06-30
Mount St. Mary's University
Compliance Requirement: I
Finding 2024-003 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensu...

Finding 2024-003 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure vendors are not suspended or debarred. In accordance with 2 CFR 200.212 and 200.318(h)), when a nonfederal entity enters into a contract or purchase with an entity (vendor or subrecipient), the nonfederal entity must verify the entity is not suspended or debarred from participation in federal programs/grants when expending $25,000 or more in a year (or any amount in the case of a subrecipient). Condition: The University’s controls were not operating effectively to reasonably ensure the University verified the vendor was not suspended or debarred from participation in federal programs/grants prior to entering into a contract with the vendor. The University’s procurement policy requires vendor transactions equal to or greater than $25,000 undergo verification to ensure the vendor is not suspended or debarred, prior to entering into a contract with the vendor. Cause: A lack of controls to reasonably ensure this verification was performed. Effect or potential effect: The University did not have controls in place to reasonably ensure compliance with suspension and debarment requirements of the Uniform Guidance. The potential effect is submitting unallowable costs, or loss of federal funding. Questioned costs: $0 Context: For all sample selections tested in the major program, documentation was not maintained that could provide evidence that the University had performed the required verification. None of the samples tested were identified as suspended or debarred entities. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop proper controls and procedures to determine whether vendors have been suspended or debarred prior to entering into contracts or purchase orders for all transactions, and maintain documentation supporting this verification. View of responsible officials: Management agrees with this finding. See corrective action plan.

FY End: 2024-06-30
Mount St. Mary's University
Compliance Requirement: M
Finding 2024-004 – Subrecipient Monitoring — Material Weakness Department of Health and Human Services Research and Development Cluster National Science Foundation, Assistance Listing No. 47.076 (STEM Education) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Eff...

Finding 2024-004 – Subrecipient Monitoring — Material Weakness Department of Health and Human Services Research and Development Cluster National Science Foundation, Assistance Listing No. 47.076 (STEM Education) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure that risk assessment and monitoring are formally documented over subrecipient monitoring. In accordance with 2 CFR 200.332(b) and 2 CFR 200.332(e), a pass-through entity is required to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of each sub-award for purposes of determining appropriate subrecipient monitoring requirements. Depending on the risk assessment, the pass-through entity should identify monitoring procedures to be performed in order to ensure proper accountability and compliance with program requirements and achievements of performance goals. Condition: The University’s controls were not operating effectively to reasonably ensure the University performed risk assessment and monitoring procedures for its subrecipients. As a result, the University did not comply with the compliance requirements for subrecipient monitoring. Cause: The University does not have processes and procedures in place related to risk assessment and subrecipient monitoring. Effect or potential effect: The University is not in compliance with federal grant requirements over subrecipient monitoring. Lack of properly documented evidence of subrecipient monitoring policies and procedures performed, including required risk assessments, could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: The University has two active awards under the program with subrecipients with an aggregate award value of approximately $71,000. The University has two subrecipients and for both subrecipients tested in the major program, there was no evidence that a risk assessment or monitoring of those subrecipients was performed. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to perform the required risk assessments and related monitoring, and maintain support that the risk assessments and related monitoring were performed as required. View of responsible officials: Management agrees with this finding. See corrective action plan.

FY End: 2024-06-30
Mount St. Mary's University
Compliance Requirement: F
Finding 2024-001 – Equipment and Real Property Management — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure co...

Finding 2024-001 – Equipment and Real Property Management — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Also, in accordance with 2 CFR 200.313(d)(1), property records must be maintained that included a description of the property, a serial number or other identification number, the source of funding for the property (including the federal award identification number), who holds title, the acquisition date, cost of the property, percentage of federal participation in the project costs for the federal award under which the property was acquired, the location, use and condition of the property, and any ultimate disposition data including the date of disposal and sales price of the property. In accordance with 2 CFR 200.313(d)(2), a physical inventory of equipment and property must be taken, and the results reconciled with property records at least once every two years. Condition: The University’s controls were not operating effectively to reasonably ensure the University maintained property records with the above required information and performed the required physical inventory of equipment within the two previous years. As a result, the University did not comply with the compliance requirements for equipment and real property management. Cause: The University does not have processes and procedures in place related to equipment management, tracking and required physical inventories. Effect or potential effect: The University is not in compliance with federal grant requirements over the tracking and physical inventory of equipment. Improper equipment management procedures could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: The University has five pieces of qualified equipment with an aggregate cost of approximately $119,000. For all sample selections tested in the major program, there was no process of tagging and tracking equipment purchased with federal funding, nor was there any evidence that physical inventories had been performed. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to tag and track the equipment purchased with federal funding, and maintain support that physical inventories were performed as required. View of responsible officials: Management agrees with this finding. See corrective action plan.

FY End: 2024-06-30
Mount St. Mary's University
Compliance Requirement: I
Finding 2024-002 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ens...

Finding 2024-002 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure procurement methods outline by the University are properly followed. In accordance with 2 CFR 200.320, price quotations should be obtained from an adequate number of qualified sources for procurements that meet the small purchase procurement threshold. Condition: The University’s controls were not operating effectively to reasonably ensure the University obtained the proper number of price quotations as required using the small purchase procurement method. The University’s procurement policy requires price quotations be obtained from at least two sources when using the small purchase procurement method. The University only obtained one price quotation and no written documentation as the rational for selection was maintained. As a result, the University did not comply with the compliance requirements for procurement. Cause: The University does not have processes and procedures in place to ensure all procurements of goods and services are in accordance with Uniform Guidance and in accordance with it’s own procurement policy. Effect or potential effect: The University is not in compliance with federal grant requirements over small purchase procurements. Improper procurement procedures could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: For all sample selections tested in the major program, one price quotation was obtained and no documentation was maintained as to the rationale for selection of the underlying vendor. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to obtain the required number of price quotations required under the small purchase procurement method, and maintain support for the required number of price quotations received under the small purchase procurement method. View of responsible officials: Management agrees with this finding. See corrective action plan.

FY End: 2024-06-30
Mount St. Mary's University
Compliance Requirement: I
Finding 2024-003 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensu...

Finding 2024-003 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure vendors are not suspended or debarred. In accordance with 2 CFR 200.212 and 200.318(h)), when a nonfederal entity enters into a contract or purchase with an entity (vendor or subrecipient), the nonfederal entity must verify the entity is not suspended or debarred from participation in federal programs/grants when expending $25,000 or more in a year (or any amount in the case of a subrecipient). Condition: The University’s controls were not operating effectively to reasonably ensure the University verified the vendor was not suspended or debarred from participation in federal programs/grants prior to entering into a contract with the vendor. The University’s procurement policy requires vendor transactions equal to or greater than $25,000 undergo verification to ensure the vendor is not suspended or debarred, prior to entering into a contract with the vendor. Cause: A lack of controls to reasonably ensure this verification was performed. Effect or potential effect: The University did not have controls in place to reasonably ensure compliance with suspension and debarment requirements of the Uniform Guidance. The potential effect is submitting unallowable costs, or loss of federal funding. Questioned costs: $0 Context: For all sample selections tested in the major program, documentation was not maintained that could provide evidence that the University had performed the required verification. None of the samples tested were identified as suspended or debarred entities. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop proper controls and procedures to determine whether vendors have been suspended or debarred prior to entering into contracts or purchase orders for all transactions, and maintain documentation supporting this verification. View of responsible officials: Management agrees with this finding. See corrective action plan.

FY End: 2024-06-30
Mount St. Mary's University
Compliance Requirement: M
Finding 2024-004 – Subrecipient Monitoring — Material Weakness Department of Health and Human Services Research and Development Cluster National Science Foundation, Assistance Listing No. 47.076 (STEM Education) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Eff...

Finding 2024-004 – Subrecipient Monitoring — Material Weakness Department of Health and Human Services Research and Development Cluster National Science Foundation, Assistance Listing No. 47.076 (STEM Education) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure that risk assessment and monitoring are formally documented over subrecipient monitoring. In accordance with 2 CFR 200.332(b) and 2 CFR 200.332(e), a pass-through entity is required to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of each sub-award for purposes of determining appropriate subrecipient monitoring requirements. Depending on the risk assessment, the pass-through entity should identify monitoring procedures to be performed in order to ensure proper accountability and compliance with program requirements and achievements of performance goals. Condition: The University’s controls were not operating effectively to reasonably ensure the University performed risk assessment and monitoring procedures for its subrecipients. As a result, the University did not comply with the compliance requirements for subrecipient monitoring. Cause: The University does not have processes and procedures in place related to risk assessment and subrecipient monitoring. Effect or potential effect: The University is not in compliance with federal grant requirements over subrecipient monitoring. Lack of properly documented evidence of subrecipient monitoring policies and procedures performed, including required risk assessments, could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: The University has two active awards under the program with subrecipients with an aggregate award value of approximately $71,000. The University has two subrecipients and for both subrecipients tested in the major program, there was no evidence that a risk assessment or monitoring of those subrecipients was performed. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to perform the required risk assessments and related monitoring, and maintain support that the risk assessments and related monitoring were performed as required. View of responsible officials: Management agrees with this finding. See corrective action plan.

FY End: 2024-06-30
Mount St. Mary's University
Compliance Requirement: F
Finding 2024-001 – Equipment and Real Property Management — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure co...

Finding 2024-001 – Equipment and Real Property Management — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Also, in accordance with 2 CFR 200.313(d)(1), property records must be maintained that included a description of the property, a serial number or other identification number, the source of funding for the property (including the federal award identification number), who holds title, the acquisition date, cost of the property, percentage of federal participation in the project costs for the federal award under which the property was acquired, the location, use and condition of the property, and any ultimate disposition data including the date of disposal and sales price of the property. In accordance with 2 CFR 200.313(d)(2), a physical inventory of equipment and property must be taken, and the results reconciled with property records at least once every two years. Condition: The University’s controls were not operating effectively to reasonably ensure the University maintained property records with the above required information and performed the required physical inventory of equipment within the two previous years. As a result, the University did not comply with the compliance requirements for equipment and real property management. Cause: The University does not have processes and procedures in place related to equipment management, tracking and required physical inventories. Effect or potential effect: The University is not in compliance with federal grant requirements over the tracking and physical inventory of equipment. Improper equipment management procedures could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: The University has five pieces of qualified equipment with an aggregate cost of approximately $119,000. For all sample selections tested in the major program, there was no process of tagging and tracking equipment purchased with federal funding, nor was there any evidence that physical inventories had been performed. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to tag and track the equipment purchased with federal funding, and maintain support that physical inventories were performed as required. View of responsible officials: Management agrees with this finding. See corrective action plan.

FY End: 2024-06-30
Mount St. Mary's University
Compliance Requirement: I
Finding 2024-002 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ens...

Finding 2024-002 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure procurement methods outline by the University are properly followed. In accordance with 2 CFR 200.320, price quotations should be obtained from an adequate number of qualified sources for procurements that meet the small purchase procurement threshold. Condition: The University’s controls were not operating effectively to reasonably ensure the University obtained the proper number of price quotations as required using the small purchase procurement method. The University’s procurement policy requires price quotations be obtained from at least two sources when using the small purchase procurement method. The University only obtained one price quotation and no written documentation as the rational for selection was maintained. As a result, the University did not comply with the compliance requirements for procurement. Cause: The University does not have processes and procedures in place to ensure all procurements of goods and services are in accordance with Uniform Guidance and in accordance with it’s own procurement policy. Effect or potential effect: The University is not in compliance with federal grant requirements over small purchase procurements. Improper procurement procedures could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: For all sample selections tested in the major program, one price quotation was obtained and no documentation was maintained as to the rationale for selection of the underlying vendor. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to obtain the required number of price quotations required under the small purchase procurement method, and maintain support for the required number of price quotations received under the small purchase procurement method. View of responsible officials: Management agrees with this finding. See corrective action plan.

FY End: 2024-06-30
Mount St. Mary's University
Compliance Requirement: I
Finding 2024-003 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensu...

Finding 2024-003 – Procurement and Suspension and Debarment — Material Weakness Department of Health and Human Services Research and Development Cluster Department of Health and Human Services, National Institutes of Health, Assistance Listing No. 93.859 (Biomedical Research and Research Training) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure vendors are not suspended or debarred. In accordance with 2 CFR 200.212 and 200.318(h)), when a nonfederal entity enters into a contract or purchase with an entity (vendor or subrecipient), the nonfederal entity must verify the entity is not suspended or debarred from participation in federal programs/grants when expending $25,000 or more in a year (or any amount in the case of a subrecipient). Condition: The University’s controls were not operating effectively to reasonably ensure the University verified the vendor was not suspended or debarred from participation in federal programs/grants prior to entering into a contract with the vendor. The University’s procurement policy requires vendor transactions equal to or greater than $25,000 undergo verification to ensure the vendor is not suspended or debarred, prior to entering into a contract with the vendor. Cause: A lack of controls to reasonably ensure this verification was performed. Effect or potential effect: The University did not have controls in place to reasonably ensure compliance with suspension and debarment requirements of the Uniform Guidance. The potential effect is submitting unallowable costs, or loss of federal funding. Questioned costs: $0 Context: For all sample selections tested in the major program, documentation was not maintained that could provide evidence that the University had performed the required verification. None of the samples tested were identified as suspended or debarred entities. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop proper controls and procedures to determine whether vendors have been suspended or debarred prior to entering into contracts or purchase orders for all transactions, and maintain documentation supporting this verification. View of responsible officials: Management agrees with this finding. See corrective action plan.

FY End: 2024-06-30
Mount St. Mary's University
Compliance Requirement: M
Finding 2024-004 – Subrecipient Monitoring — Material Weakness Department of Health and Human Services Research and Development Cluster National Science Foundation, Assistance Listing No. 47.076 (STEM Education) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Eff...

Finding 2024-004 – Subrecipient Monitoring — Material Weakness Department of Health and Human Services Research and Development Cluster National Science Foundation, Assistance Listing No. 47.076 (STEM Education) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure that risk assessment and monitoring are formally documented over subrecipient monitoring. In accordance with 2 CFR 200.332(b) and 2 CFR 200.332(e), a pass-through entity is required to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of each sub-award for purposes of determining appropriate subrecipient monitoring requirements. Depending on the risk assessment, the pass-through entity should identify monitoring procedures to be performed in order to ensure proper accountability and compliance with program requirements and achievements of performance goals. Condition: The University’s controls were not operating effectively to reasonably ensure the University performed risk assessment and monitoring procedures for its subrecipients. As a result, the University did not comply with the compliance requirements for subrecipient monitoring. Cause: The University does not have processes and procedures in place related to risk assessment and subrecipient monitoring. Effect or potential effect: The University is not in compliance with federal grant requirements over subrecipient monitoring. Lack of properly documented evidence of subrecipient monitoring policies and procedures performed, including required risk assessments, could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: The University has two active awards under the program with subrecipients with an aggregate award value of approximately $71,000. The University has two subrecipients and for both subrecipients tested in the major program, there was no evidence that a risk assessment or monitoring of those subrecipients was performed. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to perform the required risk assessments and related monitoring, and maintain support that the risk assessments and related monitoring were performed as required. View of responsible officials: Management agrees with this finding. See corrective action plan.

FY End: 2024-06-30
Fresno Madera Area Agency on Aging
Compliance Requirement: E
Finding 2024-001 Internal Controls over Compliance – Eligibility (Significant Deficiency) Assistance Listing Number 93.778 – Medical Assistance Program Criteria: 2 CFR 200.303 requires that a federal award recipient must “(a) establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.” Cond...

Finding 2024-001 Internal Controls over Compliance – Eligibility (Significant Deficiency) Assistance Listing Number 93.778 – Medical Assistance Program Criteria: 2 CFR 200.303 requires that a federal award recipient must “(a) establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.” Condition: During our review of compliance over eligibility, we identified one individual who was terminated from the program in November 2022, but continued to receive benefits through September 2024. Cause: Internal controls over eligibility compliance requirements were not properly designed and were not placed in operation. Management is responsible for compliance with requirements over eligibility and for the design, implementation, and maintenance of effective internal controls over compliance with the requirements of laws, statutes, regulations, rules, and provisions of grant agreements applicable to its federal program. Effect: As a result of this condition, an individual who was no longer eligible for benefits through the program continued to receive benefits. Recommendation: We recommend that FMAAA establish a process to ensure that terminated participants are properly disenrolled from the program and are no longer receiving benefits after their final date of eligibility. This process should include a secondary review of participant files by someone other than the preparer. Management’s response: See corrective action plan.

FY End: 2024-06-30
Baltimore County, Maryland
Compliance Requirement: M
Reference Number: 2024-002 Prior Year Finding: 2023-007 Federal Agency: U.S. Department of Treasury Federal Program: COVID-19 – Coronavirus State and Local Fiscal Recovery Funds Assistance Listing Number: 21.027 Award Number and Year: 2021 Compliance Requirement: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Controls over Compliance, Other Matters Criteria or Specific Requirement: Compliance - 2 CFR Section 200.332 – Requirements for Pass-Through Entities states in ...

Reference Number: 2024-002 Prior Year Finding: 2023-007 Federal Agency: U.S. Department of Treasury Federal Program: COVID-19 – Coronavirus State and Local Fiscal Recovery Funds Assistance Listing Number: 21.027 Award Number and Year: 2021 Compliance Requirement: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Controls over Compliance, Other Matters Criteria or Specific Requirement: Compliance - 2 CFR Section 200.332 – Requirements for Pass-Through Entities states in part, that all pass-through entities must: (a) Verify that every subrecipient is audited as required by Subpart F – Audit Requirements of this part when it is expected that the subrecipient’s Federal award expended during the respective fiscal year equaled or exceeded the threshold set forth in section 200.501 Audit requirements. Control - Per 2 CDF 200.303(a), a non-Federal entity must: Establish a maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal awards. These internal controls should comply with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The County was not able to provide documentation to show it ensured its subrecipients were audited as required by 2 CFR Part 200 Subpart F – Audit Requirements (Subpart F). Context: Exceptions were noted for 7 of 7 subrecipients selected for testing: • The County was unable to provide support that it ensured the subrecipient was audited as required by Subpart F. The County could not produce evidence of verification that the subrecipient’s Federal awards expended during the fiscal year were below the threshold set forth in section 200.501 Audit Requirements. Cause: The County did not establish effective internal controls and procedures over subrecipient monitoring. Effect: Without ensuring subrecipients have obtained audits as required by Subpart F, there is an increased risk that subrecipients could be inappropriately spending and/or inaccurately tracking and reporting federal funds over multiple years, and these discrepancies may not be properly monitored, detected, and corrected by the County personnel on a timely basis. Questioned Costs: Undetermined. Recommendation: The County should review and enhance internal controls and procedures to ensure that evaluation of independent audits is performed. Views of Responsible Officials: The County agrees with this finding. See separate Correction Action Plan related to this finding.

FY End: 2024-06-30
Baltimore County, Maryland
Compliance Requirement: M
Reference Number: 2024-002 Prior Year Finding: 2023-007 Federal Agency: U.S. Department of Treasury Federal Program: COVID-19 – Coronavirus State and Local Fiscal Recovery Funds Assistance Listing Number: 21.027 Award Number and Year: 2021 Compliance Requirement: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Controls over Compliance, Other Matters Criteria or Specific Requirement: Compliance - 2 CFR Section 200.332 – Requirements for Pass-Through Entities states in ...

Reference Number: 2024-002 Prior Year Finding: 2023-007 Federal Agency: U.S. Department of Treasury Federal Program: COVID-19 – Coronavirus State and Local Fiscal Recovery Funds Assistance Listing Number: 21.027 Award Number and Year: 2021 Compliance Requirement: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Controls over Compliance, Other Matters Criteria or Specific Requirement: Compliance - 2 CFR Section 200.332 – Requirements for Pass-Through Entities states in part, that all pass-through entities must: (a) Verify that every subrecipient is audited as required by Subpart F – Audit Requirements of this part when it is expected that the subrecipient’s Federal award expended during the respective fiscal year equaled or exceeded the threshold set forth in section 200.501 Audit requirements. Control - Per 2 CDF 200.303(a), a non-Federal entity must: Establish a maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal awards. These internal controls should comply with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The County was not able to provide documentation to show it ensured its subrecipients were audited as required by 2 CFR Part 200 Subpart F – Audit Requirements (Subpart F). Context: Exceptions were noted for 7 of 7 subrecipients selected for testing: • The County was unable to provide support that it ensured the subrecipient was audited as required by Subpart F. The County could not produce evidence of verification that the subrecipient’s Federal awards expended during the fiscal year were below the threshold set forth in section 200.501 Audit Requirements. Cause: The County did not establish effective internal controls and procedures over subrecipient monitoring. Effect: Without ensuring subrecipients have obtained audits as required by Subpart F, there is an increased risk that subrecipients could be inappropriately spending and/or inaccurately tracking and reporting federal funds over multiple years, and these discrepancies may not be properly monitored, detected, and corrected by the County personnel on a timely basis. Questioned Costs: Undetermined. Recommendation: The County should review and enhance internal controls and procedures to ensure that evaluation of independent audits is performed. Views of Responsible Officials: The County agrees with this finding. See separate Correction Action Plan related to this finding.

FY End: 2024-06-30
Universidad Central De Bayamon INC
Compliance Requirement: N
Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ...

Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ALN 84.033 Federal Work-Study Program ALN 84.063 Federal Pell Grant Program ALN 84.268 Federal Direct Student Loan Program Name of Federal Agency Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) U.S. Department of Education (USDE) Type of Finding Internal Control/Compliance Category Significant deficiency Compliance Requirement Special Tests and Provisions Criteria Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4) requires the University to: a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: 1. Implement and periodically review access controls. 2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. 3. Encrypt customer information on the institution’s system and when it’s in transit. 4. Assess apps developed by the institution. 5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. 6. Dispose of customer information securely. 7. Anticipate and evaluate changes to the information system or network. 8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)). g) Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data. Condition During our audit procedures, we noted that the University risk assessment did not fully addressed all the elements required by (16 CFR 314.4). Accordingly, the following elements were missing: 1. Vulnerability test 2. Penetration test 3. No backup test was performed during year ended June 30, 2024. Cause In the past years there’s been a high turnover in the position of the qualified individual responsible for overseeing and implementing the University’s information cyber-security program. As a result, some of the procedures and policies established in the information cyber-security program risk assessment have not been consistently or continuously maintained, accordingly, the student personal information could be at risk. In addition, the USDE has informed through electronic announcements (EA), that “when an audit report that includes a GLBA audit finding is received, they will refer the audit to the Federal Trade Commission (FTC). Effect Once the finding is referred to the FTC, that finding will be considered closed for the USDE audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding. Identification of a repeat finding This is not a repeat finding from the immediate previous audit. Questioned cost N/A Context The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable. Recommendation We recommend that the University addresses the cause for the high turnover in the position of the qualified individual responsible for overseeing the implementation of policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c). Views of Responsible Officials and Planned Corrective Actions Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.

FY End: 2024-06-30
Universidad Central De Bayamon INC
Compliance Requirement: N
Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ...

Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ALN 84.033 Federal Work-Study Program ALN 84.063 Federal Pell Grant Program ALN 84.268 Federal Direct Student Loan Program Name of Federal Agency Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) U.S. Department of Education (USDE) Type of Finding Internal Control/Compliance Category Significant deficiency Compliance Requirement Special Tests and Provisions Criteria Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4) requires the University to: a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: 1. Implement and periodically review access controls. 2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. 3. Encrypt customer information on the institution’s system and when it’s in transit. 4. Assess apps developed by the institution. 5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. 6. Dispose of customer information securely. 7. Anticipate and evaluate changes to the information system or network. 8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)). g) Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data. Condition During our audit procedures, we noted that the University risk assessment did not fully addressed all the elements required by (16 CFR 314.4). Accordingly, the following elements were missing: 1. Vulnerability test 2. Penetration test 3. No backup test was performed during year ended June 30, 2024. Cause In the past years there’s been a high turnover in the position of the qualified individual responsible for overseeing and implementing the University’s information cyber-security program. As a result, some of the procedures and policies established in the information cyber-security program risk assessment have not been consistently or continuously maintained, accordingly, the student personal information could be at risk. In addition, the USDE has informed through electronic announcements (EA), that “when an audit report that includes a GLBA audit finding is received, they will refer the audit to the Federal Trade Commission (FTC). Effect Once the finding is referred to the FTC, that finding will be considered closed for the USDE audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding. Identification of a repeat finding This is not a repeat finding from the immediate previous audit. Questioned cost N/A Context The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable. Recommendation We recommend that the University addresses the cause for the high turnover in the position of the qualified individual responsible for overseeing the implementation of policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c). Views of Responsible Officials and Planned Corrective Actions Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.

FY End: 2024-06-30
Universidad Central De Bayamon INC
Compliance Requirement: N
Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ...

Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ALN 84.033 Federal Work-Study Program ALN 84.063 Federal Pell Grant Program ALN 84.268 Federal Direct Student Loan Program Name of Federal Agency Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) U.S. Department of Education (USDE) Type of Finding Internal Control/Compliance Category Significant deficiency Compliance Requirement Special Tests and Provisions Criteria Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4) requires the University to: a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: 1. Implement and periodically review access controls. 2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. 3. Encrypt customer information on the institution’s system and when it’s in transit. 4. Assess apps developed by the institution. 5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. 6. Dispose of customer information securely. 7. Anticipate and evaluate changes to the information system or network. 8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)). g) Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data. Condition During our audit procedures, we noted that the University risk assessment did not fully addressed all the elements required by (16 CFR 314.4). Accordingly, the following elements were missing: 1. Vulnerability test 2. Penetration test 3. No backup test was performed during year ended June 30, 2024. Cause In the past years there’s been a high turnover in the position of the qualified individual responsible for overseeing and implementing the University’s information cyber-security program. As a result, some of the procedures and policies established in the information cyber-security program risk assessment have not been consistently or continuously maintained, accordingly, the student personal information could be at risk. In addition, the USDE has informed through electronic announcements (EA), that “when an audit report that includes a GLBA audit finding is received, they will refer the audit to the Federal Trade Commission (FTC). Effect Once the finding is referred to the FTC, that finding will be considered closed for the USDE audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding. Identification of a repeat finding This is not a repeat finding from the immediate previous audit. Questioned cost N/A Context The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable. Recommendation We recommend that the University addresses the cause for the high turnover in the position of the qualified individual responsible for overseeing the implementation of policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c). Views of Responsible Officials and Planned Corrective Actions Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.

FY End: 2024-06-30
Universidad Central De Bayamon INC
Compliance Requirement: N
Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ...

Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ALN 84.033 Federal Work-Study Program ALN 84.063 Federal Pell Grant Program ALN 84.268 Federal Direct Student Loan Program Name of Federal Agency Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) U.S. Department of Education (USDE) Type of Finding Internal Control/Compliance Category Significant deficiency Compliance Requirement Special Tests and Provisions Criteria Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4) requires the University to: a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: 1. Implement and periodically review access controls. 2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. 3. Encrypt customer information on the institution’s system and when it’s in transit. 4. Assess apps developed by the institution. 5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. 6. Dispose of customer information securely. 7. Anticipate and evaluate changes to the information system or network. 8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)). g) Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data. Condition During our audit procedures, we noted that the University risk assessment did not fully addressed all the elements required by (16 CFR 314.4). Accordingly, the following elements were missing: 1. Vulnerability test 2. Penetration test 3. No backup test was performed during year ended June 30, 2024. Cause In the past years there’s been a high turnover in the position of the qualified individual responsible for overseeing and implementing the University’s information cyber-security program. As a result, some of the procedures and policies established in the information cyber-security program risk assessment have not been consistently or continuously maintained, accordingly, the student personal information could be at risk. In addition, the USDE has informed through electronic announcements (EA), that “when an audit report that includes a GLBA audit finding is received, they will refer the audit to the Federal Trade Commission (FTC). Effect Once the finding is referred to the FTC, that finding will be considered closed for the USDE audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding. Identification of a repeat finding This is not a repeat finding from the immediate previous audit. Questioned cost N/A Context The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable. Recommendation We recommend that the University addresses the cause for the high turnover in the position of the qualified individual responsible for overseeing the implementation of policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c). Views of Responsible Officials and Planned Corrective Actions Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.

FY End: 2024-06-30
Universidad Central De Bayamon INC
Compliance Requirement: N
Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ...

Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security Federal Program ALN 84.007 Federal Supplemental Educational Opportunity Grant Program ALN 84.033 Federal Work-Study Program ALN 84.063 Federal Pell Grant Program ALN 84.268 Federal Direct Student Loan Program Name of Federal Agency Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) U.S. Department of Education (USDE) Type of Finding Internal Control/Compliance Category Significant deficiency Compliance Requirement Special Tests and Provisions Criteria Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4) requires the University to: a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: 1. Implement and periodically review access controls. 2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. 3. Encrypt customer information on the institution’s system and when it’s in transit. 4. Assess apps developed by the institution. 5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. 6. Dispose of customer information securely. 7. Anticipate and evaluate changes to the information system or network. 8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)). g) Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data. Condition During our audit procedures, we noted that the University risk assessment did not fully addressed all the elements required by (16 CFR 314.4). Accordingly, the following elements were missing: 1. Vulnerability test 2. Penetration test 3. No backup test was performed during year ended June 30, 2024. Cause In the past years there’s been a high turnover in the position of the qualified individual responsible for overseeing and implementing the University’s information cyber-security program. As a result, some of the procedures and policies established in the information cyber-security program risk assessment have not been consistently or continuously maintained, accordingly, the student personal information could be at risk. In addition, the USDE has informed through electronic announcements (EA), that “when an audit report that includes a GLBA audit finding is received, they will refer the audit to the Federal Trade Commission (FTC). Effect Once the finding is referred to the FTC, that finding will be considered closed for the USDE audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding. Identification of a repeat finding This is not a repeat finding from the immediate previous audit. Questioned cost N/A Context The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable. Recommendation We recommend that the University addresses the cause for the high turnover in the position of the qualified individual responsible for overseeing the implementation of policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c). Views of Responsible Officials and Planned Corrective Actions Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.

FY End: 2024-06-30
State of Iowa
Compliance Requirement: L
Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Se...

Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Section 6202 of Pub. L. No. 110-252, hereafter referred to as the “Transparency Act” that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Subaward information should be reported no later than the last day of the month following the month in which the subaward was made. Condition – The Department did not report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) for WIOA Cluster subrecipients. Cause – The Department did not have proper procedures in place to ensure the necessary reporting was completed. Effect – The Department was not in compliance with reporting first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS), as required by 2 CFR Part 170. Recommendation – The Department should establish policies and procedures to ensure first-tier subawards of $30,000 or more are reported to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Policies and procedures should ensure the reporting is reviewed and approved by an independent person who is knowledgeable about the program. This independent review should be documented by the reviewer’s signature or initials and date of review prior to submission. Response and Corrective Action Planned – As of the beginning of fiscal year 2025, the Department has established the necessary policies and procedures surrounding FFATA reporting, and all necessary reporting has been completed for the current fiscal year. Conclusion – Response accepted.

FY End: 2024-06-30
State of Iowa
Compliance Requirement: L
Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Se...

Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Section 6202 of Pub. L. No. 110-252, hereafter referred to as the “Transparency Act” that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Subaward information should be reported no later than the last day of the month following the month in which the subaward was made. Condition – The Department did not report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) for WIOA Cluster subrecipients. Cause – The Department did not have proper procedures in place to ensure the necessary reporting was completed. Effect – The Department was not in compliance with reporting first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS), as required by 2 CFR Part 170. Recommendation – The Department should establish policies and procedures to ensure first-tier subawards of $30,000 or more are reported to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Policies and procedures should ensure the reporting is reviewed and approved by an independent person who is knowledgeable about the program. This independent review should be documented by the reviewer’s signature or initials and date of review prior to submission. Response and Corrective Action Planned – As of the beginning of fiscal year 2025, the Department has established the necessary policies and procedures surrounding FFATA reporting, and all necessary reporting has been completed for the current fiscal year. Conclusion – Response accepted.

FY End: 2024-06-30
State of Iowa
Compliance Requirement: L
Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Se...

Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Section 6202 of Pub. L. No. 110-252, hereafter referred to as the “Transparency Act” that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Subaward information should be reported no later than the last day of the month following the month in which the subaward was made. Condition – The Department did not report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) for WIOA Cluster subrecipients. Cause – The Department did not have proper procedures in place to ensure the necessary reporting was completed. Effect – The Department was not in compliance with reporting first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS), as required by 2 CFR Part 170. Recommendation – The Department should establish policies and procedures to ensure first-tier subawards of $30,000 or more are reported to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Policies and procedures should ensure the reporting is reviewed and approved by an independent person who is knowledgeable about the program. This independent review should be documented by the reviewer’s signature or initials and date of review prior to submission. Response and Corrective Action Planned – As of the beginning of fiscal year 2025, the Department has established the necessary policies and procedures surrounding FFATA reporting, and all necessary reporting has been completed for the current fiscal year. Conclusion – Response accepted.

FY End: 2024-06-30
State of Iowa
Compliance Requirement: L
Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Sect...

Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Section 6202 of Pub. L. No. 110-252, hereafter referred to as the “Transparency Act” that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Subaward information should be reported no later than the last day of the month following the month in which the subaward was made. Condition – The Department did not report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) for Weatherization Assistance for Low-Income subrecipients. Cause – The Department did not have proper procedures in place to ensure the necessary reporting was completed. Effect – The Department was not in compliance with reporting first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS), as required by 2 CFR Part 170. Recommendation – The Department should establish policies and procedures to ensure first-tier subawards of $30,000 or more are reported to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Policies and procedures should ensure the reporting is reviewed and approved by an independent person who is knowledgeable about the program. This independent review should be documented by the reviewer’s signature or initials and date of review prior to submission. Response and Corrective Action Planned – The Department now has a process in place for obtaining FFATA report information and submitting FFATA reports. The department will update existing policies and procedures to reflect the current process and will clearly assign FFATA reporting duties as well as provide FFATA training to department grant managers. In addition, the department is in the process of implementing monitoring activities to provide oversight of FFATA submission. Conclusion – Response accepted.

FY End: 2024-06-30
State of Iowa
Compliance Requirement: L
Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Secti...

Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Section 6202 of Pub. L. No. 110-252, hereafter referred to as the “Transparency Act” that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Subaward information should be reported no later than the last day of the month following the month in which the subaward was made. Condition – The Department did not report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) for subrecipients. Cause – The Department did not have proper procedures in place to ensure the necessary reporting was completed. Effect – The Department was not in compliance with reporting first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS), as required by 2 CFR Part 170. Recommendation – The Department should establish policies and procedures to ensure first-tier subawards of $30,000 or more are reported to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Policies and procedures should ensure the reporting is reviewed and approved by an independent person who is knowledgeable about the program. This independent review should be documented by the reviewer’s signature or initials and date of review prior to submission. Response and Corrective Action Planned – The Department now has a process in place for obtaining FFATA report information and submitting FFATA reports. Of the awards noted above, FFATA reporting was completed for one of the four awards. The department will update existing policies and procedures to reflect the current process and will clearly assign FFATA reporting duties as well as provide FFATA training to department grant managers. In addition, the department is in the process of implementing monitoring activities to provide oversight of FFATA submission. Conclusion – Response acknowledged. Documentation was not provided which showed completion of FFATA reporting.

FY End: 2024-06-30
State of Iowa
Compliance Requirement: L
Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Secti...

Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Section 6202 of Pub. L. No. 110-252, hereafter referred to as the “Transparency Act” that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Subaward information should be reported no later than the last day of the month following the month in which the subaward was made. Condition – The Department did not report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) for subrecipients. Cause – The Department did not have proper procedures in place to ensure the necessary reporting was completed. Effect – The Department was not in compliance with reporting first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS), as required by 2 CFR Part 170. Recommendation – The Department should establish policies and procedures to ensure first-tier subawards of $30,000 or more are reported to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Policies and procedures should ensure the reporting is reviewed and approved by an independent person who is knowledgeable about the program. This independent review should be documented by the reviewer’s signature or initials and date of review prior to submission. Response and Corrective Action Planned – The Department now has a process in place for obtaining FFATA report information and submitting FFATA reports. Of the awards noted above, FFATA reporting was completed for one of the four awards. The department will update existing policies and procedures to reflect the current process and will clearly assign FFATA reporting duties as well as provide FFATA training to department grant managers. In addition, the department is in the process of implementing monitoring activities to provide oversight of FFATA submission. Conclusion – Response acknowledged. Documentation was not provided which showed completion of FFATA reporting.

FY End: 2024-06-30
State of Iowa
Compliance Requirement: L
Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Secti...

Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Section 6202 of Pub. L. No. 110-252, hereafter referred to as the “Transparency Act” that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Subaward information should be reported no later than the last day of the month following the month in which the subaward was made. Condition – The Department did not report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) for subrecipients. Cause – The Department did not have proper procedures in place to ensure the necessary reporting was completed. Effect – The Department was not in compliance with reporting first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS), as required by 2 CFR Part 170. Recommendation – The Department should establish policies and procedures to ensure first-tier subawards of $30,000 or more are reported to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Policies and procedures should ensure the reporting is reviewed and approved by an independent person who is knowledgeable about the program. This independent review should be documented by the reviewer’s signature or initials and date of review prior to submission. Response and Corrective Action Planned – The Department now has a process in place for obtaining FFATA report information and submitting FFATA reports. Of the awards noted above, FFATA reporting was completed for one of the four awards. The department will update existing policies and procedures to reflect the current process and will clearly assign FFATA reporting duties as well as provide FFATA training to department grant managers. In addition, the department is in the process of implementing monitoring activities to provide oversight of FFATA submission. Conclusion – Response acknowledged. Documentation was not provided which showed completion of FFATA reporting.

FY End: 2024-06-30
State of Iowa
Compliance Requirement: L
Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Secti...

Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Section 6202 of Pub. L. No. 110-252, hereafter referred to as the “Transparency Act” that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Subaward information should be reported no later than the last day of the month following the month in which the subaward was made. Condition – The Department did not report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) for subrecipients. Cause – The Department did not have proper procedures in place to ensure the necessary reporting was completed. Effect – The Department was not in compliance with reporting first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS), as required by 2 CFR Part 170. Recommendation – The Department should establish policies and procedures to ensure first-tier subawards of $30,000 or more are reported to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Policies and procedures should ensure the reporting is reviewed and approved by an independent person who is knowledgeable about the program. This independent review should be documented by the reviewer’s signature or initials and date of review prior to submission. Response and Corrective Action Planned – The Department now has a process in place for obtaining FFATA report information and submitting FFATA reports. Of the awards noted above, FFATA reporting was completed for one of the four awards. The department will update existing policies and procedures to reflect the current process and will clearly assign FFATA reporting duties as well as provide FFATA training to department grant managers. In addition, the department is in the process of implementing monitoring activities to provide oversight of FFATA submission. Conclusion – Response acknowledged. Documentation was not provided which showed completion of FFATA reporting.

FY End: 2024-06-30
State of Iowa
Compliance Requirement: L
Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Secti...

Reporting for Federal Funding Accountability and Transparency Act Criteria – The Uniform Guidance, Part 200.303, requires the Department establish and maintain effective internal control over the federal award which provides reasonable assurance the Department is managing the federal award in compliance with federal statutes, regulations and the terms of the federal award. Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282), as amended by Section 6202 of Pub. L. No. 110-252, hereafter referred to as the “Transparency Act” that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Subaward information should be reported no later than the last day of the month following the month in which the subaward was made. Condition – The Department did not report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) for subrecipients. Cause – The Department did not have proper procedures in place to ensure the necessary reporting was completed. Effect – The Department was not in compliance with reporting first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS), as required by 2 CFR Part 170. Recommendation – The Department should establish policies and procedures to ensure first-tier subawards of $30,000 or more are reported to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Policies and procedures should ensure the reporting is reviewed and approved by an independent person who is knowledgeable about the program. This independent review should be documented by the reviewer’s signature or initials and date of review prior to submission. Response and Corrective Action Planned – The Department now has a process in place for obtaining FFATA report information and submitting FFATA reports. Of the awards noted above, FFATA reporting was completed for one of the four awards. The department will update existing policies and procedures to reflect the current process and will clearly assign FFATA reporting duties as well as provide FFATA training to department grant managers. In addition, the department is in the process of implementing monitoring activities to provide oversight of FFATA submission. Conclusion – Response acknowledged. Documentation was not provided which showed completion of FFATA reporting.

FY End: 2024-06-30
Delaware County Community College
Compliance Requirement: C
2024-005 CASH MANAGEMENT - SIGNIFICANT DEFICIENCY Federal Program Student Financial Assistance Cluster (ALN 84.007, 84.033, 84.063, and 84.268) Criteria The Code of Federal Regulations, 2 CFR 200.303, non-Federal entities receiving Federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations and program compliance requirements. Condition Evidence of approval to drawdown funds from the G5 system were not located...

2024-005 CASH MANAGEMENT - SIGNIFICANT DEFICIENCY Federal Program Student Financial Assistance Cluster (ALN 84.007, 84.033, 84.063, and 84.268) Criteria The Code of Federal Regulations, 2 CFR 200.303, non-Federal entities receiving Federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations and program compliance requirements. Condition Evidence of approval to drawdown funds from the G5 system were not located by management. Cause Turnover within the accounting office and lack of proper oversight from management led to the lack of evidence to support the timing of drawdowns reported to be located and provided to the auditor. Effect The College’s lack of evidence to support drawdowns did not allow the auditor to test the cash management internal control over compliance requirement for the College. Questioned Costs None. Context There was significant turnover within the accounting office during the 2024 and 2023 fiscal year. The current staff was unable to locate the approval to draw funds from the grant website. It was noted and reviewed that the financial aid staff is performing a reconciliation of loans and awards issued to the applicable federal database. Repeat Finding Yes. 2023-007. Recommendation The College should revisit its internal control procedures to ensure that direct and material compliance requirements are being followed. This would include controls implemented to ensure processes are followed and assign accountability for completion. It is important to include a segregation of duties for the drawdown of grant funding and the reporting of the transaction. These procedures should be documented to allow new employees an understanding of the grant requirements and how they are fulfilled. Management Response See corrective action plan included in this report package.

FY End: 2024-06-30
Delaware County Community College
Compliance Requirement: C
2024-005 CASH MANAGEMENT - SIGNIFICANT DEFICIENCY Federal Program Student Financial Assistance Cluster (ALN 84.007, 84.033, 84.063, and 84.268) Criteria The Code of Federal Regulations, 2 CFR 200.303, non-Federal entities receiving Federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations and program compliance requirements. Condition Evidence of approval to drawdown funds from the G5 system were not located...

2024-005 CASH MANAGEMENT - SIGNIFICANT DEFICIENCY Federal Program Student Financial Assistance Cluster (ALN 84.007, 84.033, 84.063, and 84.268) Criteria The Code of Federal Regulations, 2 CFR 200.303, non-Federal entities receiving Federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations and program compliance requirements. Condition Evidence of approval to drawdown funds from the G5 system were not located by management. Cause Turnover within the accounting office and lack of proper oversight from management led to the lack of evidence to support the timing of drawdowns reported to be located and provided to the auditor. Effect The College’s lack of evidence to support drawdowns did not allow the auditor to test the cash management internal control over compliance requirement for the College. Questioned Costs None. Context There was significant turnover within the accounting office during the 2024 and 2023 fiscal year. The current staff was unable to locate the approval to draw funds from the grant website. It was noted and reviewed that the financial aid staff is performing a reconciliation of loans and awards issued to the applicable federal database. Repeat Finding Yes. 2023-007. Recommendation The College should revisit its internal control procedures to ensure that direct and material compliance requirements are being followed. This would include controls implemented to ensure processes are followed and assign accountability for completion. It is important to include a segregation of duties for the drawdown of grant funding and the reporting of the transaction. These procedures should be documented to allow new employees an understanding of the grant requirements and how they are fulfilled. Management Response See corrective action plan included in this report package.

FY End: 2024-06-30
Delaware County Community College
Compliance Requirement: C
2024-005 CASH MANAGEMENT - SIGNIFICANT DEFICIENCY Federal Program Student Financial Assistance Cluster (ALN 84.007, 84.033, 84.063, and 84.268) Criteria The Code of Federal Regulations, 2 CFR 200.303, non-Federal entities receiving Federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations and program compliance requirements. Condition Evidence of approval to drawdown funds from the G5 system were not located...

2024-005 CASH MANAGEMENT - SIGNIFICANT DEFICIENCY Federal Program Student Financial Assistance Cluster (ALN 84.007, 84.033, 84.063, and 84.268) Criteria The Code of Federal Regulations, 2 CFR 200.303, non-Federal entities receiving Federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations and program compliance requirements. Condition Evidence of approval to drawdown funds from the G5 system were not located by management. Cause Turnover within the accounting office and lack of proper oversight from management led to the lack of evidence to support the timing of drawdowns reported to be located and provided to the auditor. Effect The College’s lack of evidence to support drawdowns did not allow the auditor to test the cash management internal control over compliance requirement for the College. Questioned Costs None. Context There was significant turnover within the accounting office during the 2024 and 2023 fiscal year. The current staff was unable to locate the approval to draw funds from the grant website. It was noted and reviewed that the financial aid staff is performing a reconciliation of loans and awards issued to the applicable federal database. Repeat Finding Yes. 2023-007. Recommendation The College should revisit its internal control procedures to ensure that direct and material compliance requirements are being followed. This would include controls implemented to ensure processes are followed and assign accountability for completion. It is important to include a segregation of duties for the drawdown of grant funding and the reporting of the transaction. These procedures should be documented to allow new employees an understanding of the grant requirements and how they are fulfilled. Management Response See corrective action plan included in this report package.

FY End: 2024-06-30
Delaware County Community College
Compliance Requirement: C
2024-005 CASH MANAGEMENT - SIGNIFICANT DEFICIENCY Federal Program Student Financial Assistance Cluster (ALN 84.007, 84.033, 84.063, and 84.268) Criteria The Code of Federal Regulations, 2 CFR 200.303, non-Federal entities receiving Federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations and program compliance requirements. Condition Evidence of approval to drawdown funds from the G5 system were not located...

2024-005 CASH MANAGEMENT - SIGNIFICANT DEFICIENCY Federal Program Student Financial Assistance Cluster (ALN 84.007, 84.033, 84.063, and 84.268) Criteria The Code of Federal Regulations, 2 CFR 200.303, non-Federal entities receiving Federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations and program compliance requirements. Condition Evidence of approval to drawdown funds from the G5 system were not located by management. Cause Turnover within the accounting office and lack of proper oversight from management led to the lack of evidence to support the timing of drawdowns reported to be located and provided to the auditor. Effect The College’s lack of evidence to support drawdowns did not allow the auditor to test the cash management internal control over compliance requirement for the College. Questioned Costs None. Context There was significant turnover within the accounting office during the 2024 and 2023 fiscal year. The current staff was unable to locate the approval to draw funds from the grant website. It was noted and reviewed that the financial aid staff is performing a reconciliation of loans and awards issued to the applicable federal database. Repeat Finding Yes. 2023-007. Recommendation The College should revisit its internal control procedures to ensure that direct and material compliance requirements are being followed. This would include controls implemented to ensure processes are followed and assign accountability for completion. It is important to include a segregation of duties for the drawdown of grant funding and the reporting of the transaction. These procedures should be documented to allow new employees an understanding of the grant requirements and how they are fulfilled. Management Response See corrective action plan included in this report package.

FY End: 2024-06-30
Action for Children
Compliance Requirement: A
Finding 2024-3 Internal Controls over Compliance with Activities Allowed or Unallowed Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds 93.558 Temporary Assistance for Needy Families (TANF) Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job an...

Finding 2024-3 Internal Controls over Compliance with Activities Allowed or Unallowed Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds 93.558 Temporary Assistance for Needy Families (TANF) Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 93.558: Ohio Department of Job and Family Services Award Numbers G-2425-17-0058; Franklin County Department of Job and Family Services Award Numbers 25-23-3662, 25-23-5698, 25-24-5859 Name of the federal agencies: 21.027 Department of the Treasury 93.558 Department of Health and Human Services Name of the applicable pass-through entities: 21.027: City of Columbus, Future Ready Five, Franklin County Department of Job and Family Services 93.558: Ohio Department of Job and Family Services and Franklin County Department of Job and Family Services Criteria or specific requirement (including statutory, regulatory, or other citation): The 2 CFR section 200.303 of the Uniform Guidance requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition: During the audit, it was noted that AFC was unable to provide journal entry approval for payroll charges for 20 out of 25 selections for both federal programs (20 each, 40 total) due to a recent change in the accounting system where approvals were not retained. During the audit, it was noted that the AFC was unable to provide invoice approvals for 5 out of 25 non-payroll charges to the 93.558 program and 3 out of 25 non-payroll charges related to the 21.027 program. Cause: The change in the accounting system led to disruptions in the documentation process, resulting in the inability to retrieve documentation of approval records for payroll and non-payroll charges to the federal programs. Effect or potential effect: Without adequate internal controls in place to ensure that all charges to the federal program are properly reviewed for allowability, AFC could be noncompliant with the allowability requirement and could request funds for costs that are unallowed. Questioned costs: None Context: AFC’s policies and procedures require that all payroll costs and non-payroll costs charged to federal awards must be supported by adequate approval documentation that demonstrates the allocability, allowability, and reasonableness of the expenses. Identification as a repeat finding, if applicable: Not applicable Recommendation: We recommend that AFC retain all approved documents related to charges to the federal programs. Views of responsible officials: Management agrees with the finding and recommendation.

FY End: 2024-06-30
Action for Children
Compliance Requirement: B
Finding 2024-4 Internal Controls over Compliance and Compliance with Allowable Costs Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 ...

Finding 2024-4 Internal Controls over Compliance and Compliance with Allowable Costs Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 Name of the federal agencies: 21.027 Department of the Treasury Name of the applicable pass-through entities: 21.027: City of Columbus, Future Ready Five, Franklin County Department of Job and Family Services Criteria or specific requirement (including statutory, regulatory, or other citation): The 2 CFR section 200.303 of the Uniform Guidance requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition: During the audit, it was noted that an employee’s time was improperly allocated to the improper grant. This misallocation resulted in inaccurate payroll expenses being reported for the respective grants/programs. Cause: Employee was miscoded when entering into the payroll register. Effect or potential effect: Without adequate internal controls in place to ensure that all charges to the federal program are properly reviewed for allowable costs, AFC could be noncompliant with the allowable costs requirement and could request funds for costs that are unallowed. Questioned costs: $3,860 Context: AFC’s policies and procedures did not detect a misallocation of employee’s time. An error of $3,860 was found in $14,396 total payroll tested. Identification as a repeat finding, if applicable: Not applicable Recommendation: We recommend that AFC implement a procedure to monitor employee allocations for accurate charging to grant programs. Views of responsible officials: Management agrees with the finding and recommendation.

FY End: 2024-06-30
Action for Children
Compliance Requirement: L
Finding 2024-5 Internal Controls over Compliance and Compliance with Reporting Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds 93.558 Temporary Assistance for Needy Families (TANF) Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Fam...

Finding 2024-5 Internal Controls over Compliance and Compliance with Reporting Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds 93.558 Temporary Assistance for Needy Families (TANF) Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 93.558: Ohio Department of Job and Family Services Award Numbers G-2425-17-0058; Franklin County Department of Job and Family Services Award Numbers 25-23-3662, 25-23-5698, 25-24-5859 Name of the federal agencies: 21.027 Department of the Treasury 93.558 Department of Health and Human Services Name of the applicable pass-through entities: 21.027: City of Columbus, Future Ready Five, Franklin County Department of Job and Family Services 93.558: Ohio Department of Job and Family Services and Franklin County Department of Job and Family Services   Criteria or specific requirement (including statutory, regulatory, or other citation): The 2 CFR section 200.303 of the Uniform Guidance requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition: During the audit, it was noted that AFC submitted required reports past their due date according to the grant agreements. During the audit, it was noted that AFC does not have a practice of internally reviewing the required reports before submitting them to grantors. Cause: The delays were attributed to the change in accounting system and change in personnel administering the reports. The absence of an internal review process is due to inadequate internal controls and oversight within the organization. There is no established procedure for verifying the accuracy and completeness of required reports before submission. Effect or potential effect: Without adequate internal controls in place to ensure that reports are submitted timely and are adequately reviewed, AFC could be noncompliant with the reporting requirement. Questioned costs: None Context: Reports were not submitted on time. Identification as a repeat finding, if applicable: Not applicable Recommendation: We recommend that AFC implement a procedure to track reporting due dates and to a procedure for verifying the accuracy and completeness of required reports before submission. Views of responsible officials: Management agrees with the finding and recommendation.

FY End: 2024-06-30
Action for Children
Compliance Requirement: A
Finding 2024-3 Internal Controls over Compliance with Activities Allowed or Unallowed Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds 93.558 Temporary Assistance for Needy Families (TANF) Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job an...

Finding 2024-3 Internal Controls over Compliance with Activities Allowed or Unallowed Requirement (Significant Deficiency) Identification of the federal program(s): Assistance Listings program titles and numbers: 21.027 Coronavirus State and Local Fiscal Recovery Funds 93.558 Temporary Assistance for Needy Families (TANF) Federal award identification number: 21.027: City of Columbus (award number not provided), Future Ready Five (award number not provided), Franklin County Department of Job and Family Services Award Number 25-22-3647 93.558: Ohio Department of Job and Family Services Award Numbers G-2425-17-0058; Franklin County Department of Job and Family Services Award Numbers 25-23-3662, 25-23-5698, 25-24-5859 Name of the federal agencies: 21.027 Department of the Treasury 93.558 Department of Health and Human Services Name of the applicable pass-through entities: 21.027: City of Columbus, Future Ready Five, Franklin County Department of Job and Family Services 93.558: Ohio Department of Job and Family Services and Franklin County Department of Job and Family Services Criteria or specific requirement (including statutory, regulatory, or other citation): The 2 CFR section 200.303 of the Uniform Guidance requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Condition: During the audit, it was noted that AFC was unable to provide journal entry approval for payroll charges for 20 out of 25 selections for both federal programs (20 each, 40 total) due to a recent change in the accounting system where approvals were not retained. During the audit, it was noted that the AFC was unable to provide invoice approvals for 5 out of 25 non-payroll charges to the 93.558 program and 3 out of 25 non-payroll charges related to the 21.027 program. Cause: The change in the accounting system led to disruptions in the documentation process, resulting in the inability to retrieve documentation of approval records for payroll and non-payroll charges to the federal programs. Effect or potential effect: Without adequate internal controls in place to ensure that all charges to the federal program are properly reviewed for allowability, AFC could be noncompliant with the allowability requirement and could request funds for costs that are unallowed. Questioned costs: None Context: AFC’s policies and procedures require that all payroll costs and non-payroll costs charged to federal awards must be supported by adequate approval documentation that demonstrates the allocability, allowability, and reasonableness of the expenses. Identification as a repeat finding, if applicable: Not applicable Recommendation: We recommend that AFC retain all approved documents related to charges to the federal programs. Views of responsible officials: Management agrees with the finding and recommendation.

« 1 395 396 398 399 1990 »