Major Program: Community Service Block Grant AL #93.569 Compliance Requirement: Eligibility Questioned Costs: None Type of Finding: Significant Deficiency in Internal Control over Compliance of Major Programs Criteria: The Community Action Agency must establish and maintain effective internal control over federal awards that provides reasonable assurance of compliance with applicable federal statutes, regulations, and the terms and conditions of the award, in accordance with 2 CFR §200.303. For the eligibility compliance requirement, documentation must clearly demonstrate that eligibility was determined prior to the provision of benefits, and that all required approvals were contemporaneously documented. Condition: During eligibility testing, it was identified that one intake form out of a sample of 40 exhibited a discrepancy in the timing of documentation completion and staff review. Specifically, for a client who received food pantry services on January 25, 2024, the client received and signed the Food Pantry Service Sheet on that same day, confirming eligibility determination. However, the CAASTLC staff member did not sign the form until January 31, 2024, several days after the client had received services. The MIS intake report reflects a date of February 2, 2024, which corresponds to when the data was entered into the system, rather than the date eligibility was actually determine. Cause: The procedures in place prioritized maintaining traffic flow during drive-through food pantry operations over contemporaneous documentation practices. As a result, the staff review and signature confirming eligibility were delayed and not completed on the date of service. Effect: Although eligibility was assessed and determined prior to the provision of services, the absence of timely staff signatures weakens the audit trail. This increases the risk that services may be provided without proper approval or that documentation may not adequately support compliance with eligibility requirements during an audit or program review. Recommendation: The Organization should strengthen internal controls and provide additional staff training to ensure all eligibility documentation—including staff review and signatures—is completed contemporaneously with client service. Where operational constraints exist, the Organization should consider implementing procedures to document eligibility determinations in real-time, or adopt digital tools to capture staff approval at the point of intake. View of Responsible Officials: See Corrective Action Plan.
U.S. Department of State: Bureau of Population and Refugees and Migration: Oversees Refugee Assistance Programs for Africa: Advancing access to integrated life-saving assistance and protection services to promote selfreliance and resilience for refugees and host communities in Uganda (ALN 19.517, award number SPRMCO23CA0106) U.S. Agency for International Development: USAID Foreign Assistance for Programs Oversees: Holistic prevention and response services to support people affected by forced displacement to restore and rebuild their lives (ALN 98.001, award number 720BHA22GR00304) Statistically valid sample: No, and it was not intended to be. Repeat finding: Not a repeat finding. Finding Type: Noncompliance and Significant Deficiency Criteria: Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards for HHS Awards, section 75.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 45 CFR 75.2 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Additionally, per 2 CFR 200.303, non-federal entities must establish and maintain effective internal control over federal awards that provide reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. The following subaward data elements to be reported include the following: • Subawardee Name • Subawardee Unique Entity Identifier • Amount of Subaward • Subaward Obligation/Action Date • Date of Report Submission • Subaward Number • Subaward Project Description • Subawardee Names and Compensation of Highly Compensated Officers, if applicable The information is required to be reported in FSRS no later than the last day of the month following the month in which the subaward/subaward amendment obligation was made. Additionally, in accordance with federal requirements, a non-federal entity shall maintain internal controls over federal programs designed to provide reasonable assurance that reports are accurately and timely filed in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Condition and context: For ALN 19.517, there were 3 new or amended subawardee agreements entered into during fiscal year 2024. We selected all three of these agreements for test work and noted that while all the key data elements were accurately submitted, the information for all three agreements was not submitted timely. All of the agreements were entered into on October 1, 2023 and the information was submitted in January 2024. During our testwork over this program, we noted IRC did not establish control procedures to submit FFATA reports for all subawards on a timely basis. We noted the following exceptions: Transactions Tested - 3 Subaward not reported - 0 Report not timely - 3 Subaward amount incorrect - 0 Subaward incorrect key elements - 0 Dollar Amount of Tested Transactions - $957,943 Subaward not reported - $0 Report not timely - $957,943 Subaward amount incorrect - $0 Subaward incorrect key elements - $0 For ALN 98.001, there were 23 new or amended subawardee agreements entered into during fiscal year 2024. We selected four for test work and noted that while all the key data elements were accurately submitted, the information for two of these agreements was not submitted timely. These two agreements were entered into on January 1, 2024 and March 1, 2024 and the information was not submitted until November of 2024. During our testwork over this program, we noted IRC did not establish control procedures to submit FFATA reports for certain subawards on a timely basis. We noted the following exceptions: Transactions Tested - 4 Subaward not reported - 0 Report not timely - 2 Subaward amount incorrect - 0 Subaward incorrect key elements - 0 Dollar Amount of Tested Transactions - $1,349,750 Subaward not reported - $0 Report not timely - $112,617 Subaward amount incorrect - $0 Subaward incorrect key elements - $0 Cause: Responsible staff encountered challenges accessing SAM.gov due to credential errors, which resulted in delays in submitting or updating subrecipient details in a timely manner. Effect: Delayed reporting can lead to reduced transparency, hindering public access to information about how federal funds are being used. Questioned Costs: None. Recommendation: IRC should continue to communicate to all field office personnel responsible for FFATA submissions the importance of timely reporting. We recommend adding another level of review from headquarters to ensure reporting is taking place once a subawardee agreement is finalized. Views of Responsible Officials: Management agrees with this finding and will take the necessary actions to ensure its FFATA reporting is more timely.
U.S. Department of State: Bureau of Population and Refugees and Migration: Oversees Refugee Assistance Programs for Africa: Advancing access to integrated life-saving assistance and protection services to promote selfreliance and resilience for refugees and host communities in Uganda (ALN 19.517, award number SPRMCO23CA0106) U.S. Agency for International Development: USAID Foreign Assistance for Programs Oversees: Holistic prevention and response services to support people affected by forced displacement to restore and rebuild their lives (ALN 98.001, award number 720BHA22GR00304) Statistically valid sample: No, and it was not intended to be. Repeat finding: Not a repeat finding. Finding Type: Noncompliance and Significant Deficiency Criteria: Under the requirements of the Federal Funding Accountability and Transparency Act (FFATA) (Pub. L. No. 109-282), as amended by Section 6202 of Public Law 110-252, (Transparency Act) that are codified in 2 CFR Part 170, recipients (i.e., direct recipients) of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Aspects of the Transparency Act that relate to subaward reporting (1) under grants and cooperative agreements were implemented in OMB in 2 CFR Part 170 and (2) under contracts, by the regulatory agencies responsible for the Federal Acquisition Regulation (FAR at 5 FR 39414 et seq., July 8, 2010). The requirements pertain to recipients (i.e., direct recipients) of grants or cooperative agreements who make first-tier subawards and contractors (i.e., prime contractors) that award first-tier subcontracts. Title 45 U.S. Code of Federal Regulations Part 75 (45 CFR 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards for HHS Awards, section 75.2 defines Subaward as an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract. Further, 45 CFR 75.2 defines Subrecipient as a non-federal entity that receives a subaward from a passthrough entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. Additionally, per 2 CFR 200.303, non-federal entities must establish and maintain effective internal control over federal awards that provide reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. The following subaward data elements to be reported include the following: • Subawardee Name • Subawardee Unique Entity Identifier • Amount of Subaward • Subaward Obligation/Action Date • Date of Report Submission • Subaward Number • Subaward Project Description • Subawardee Names and Compensation of Highly Compensated Officers, if applicable The information is required to be reported in FSRS no later than the last day of the month following the month in which the subaward/subaward amendment obligation was made. Additionally, in accordance with federal requirements, a non-federal entity shall maintain internal controls over federal programs designed to provide reasonable assurance that reports are accurately and timely filed in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Condition and context: For ALN 19.517, there were 3 new or amended subawardee agreements entered into during fiscal year 2024. We selected all three of these agreements for test work and noted that while all the key data elements were accurately submitted, the information for all three agreements was not submitted timely. All of the agreements were entered into on October 1, 2023 and the information was submitted in January 2024. During our testwork over this program, we noted IRC did not establish control procedures to submit FFATA reports for all subawards on a timely basis. We noted the following exceptions: Transactions Tested - 3 Subaward not reported - 0 Report not timely - 3 Subaward amount incorrect - 0 Subaward incorrect key elements - 0 Dollar Amount of Tested Transactions - $957,943 Subaward not reported - $0 Report not timely - $957,943 Subaward amount incorrect - $0 Subaward incorrect key elements - $0 For ALN 98.001, there were 23 new or amended subawardee agreements entered into during fiscal year 2024. We selected four for test work and noted that while all the key data elements were accurately submitted, the information for two of these agreements was not submitted timely. These two agreements were entered into on January 1, 2024 and March 1, 2024 and the information was not submitted until November of 2024. During our testwork over this program, we noted IRC did not establish control procedures to submit FFATA reports for certain subawards on a timely basis. We noted the following exceptions: Transactions Tested - 4 Subaward not reported - 0 Report not timely - 2 Subaward amount incorrect - 0 Subaward incorrect key elements - 0 Dollar Amount of Tested Transactions - $1,349,750 Subaward not reported - $0 Report not timely - $112,617 Subaward amount incorrect - $0 Subaward incorrect key elements - $0 Cause: Responsible staff encountered challenges accessing SAM.gov due to credential errors, which resulted in delays in submitting or updating subrecipient details in a timely manner. Effect: Delayed reporting can lead to reduced transparency, hindering public access to information about how federal funds are being used. Questioned Costs: None. Recommendation: IRC should continue to communicate to all field office personnel responsible for FFATA submissions the importance of timely reporting. We recommend adding another level of review from headquarters to ensure reporting is taking place once a subawardee agreement is finalized. Views of Responsible Officials: Management agrees with this finding and will take the necessary actions to ensure its FFATA reporting is more timely.
MW 2024‐001 REPORTING United States Environmental Protection Agency ALN 66.456 – National Estuary Program Federal Award ID Number: CE‐00D90119, 4T‐02D39922, CE‐02D56923 2024 Funding Criteria: Per 2 CFR 200.303, non‐Federal entities must establish and maintain effective internal controls to provide reasonable assurance of compliance with the Uniform Guidance and the terms and conditions outlined by the Environmental Protection Agency. EPA recipients must submit the Federal Financial Report (SF‐425) at least annually. EPA recipients must submit the SF‐425 no later than 90 calendar days for annual reports. Final reports are due no later than 120 calendar days after the end date of the period of performance of the award. Condition: The Federal Financial Report Standard Form 425 was submitted late to the Environmental Protection Agency on March 10, 2025. Cause: The Environmental Protection Agency had informed the Council that these reports were only due at closeout of the grant; therefore, the Council did not submit these reports. However, the Office of Inspector General (OIG) stated that this was not the correct procedure. As a result of the OIG's EPA audit, the Council filed these reports on March 10, 2025 with the EPA to be in compliance. Effect: Potential for unintended errors to occur without being immediately identified and corrected. The Council was not in compliance with the Uniform Guidance and the National Estuary Program. Questioned Costs: None. Perspective: All of the reports identified above were not reviewed. Recommendation: The Chief Operating Officer should obtain in writing any adjustments or clarifications to the grant awards to ensure the requested reports are prepared and reviewed. Management Response: EPA has never requested the SF425 (Federal Financial Reporting Form) from year’s prior and we were told verbally that we were only required to submit them at grant closeout. During a current EPA OIG audit, we were informed that the procedural process we were following was incorrect and that yearly reports were required to be submitted. To bring the IRL Council back into compliance with all federal awards, the Chief Operating Officer completed the FY 2024 forms and submitted them to EPA on March 10, 2025.
MW 2024‐001 REPORTING United States Environmental Protection Agency ALN 66.456 – National Estuary Program Federal Award ID Number: CE‐00D90119, 4T‐02D39922, CE‐02D56923 2024 Funding Criteria: Per 2 CFR 200.303, non‐Federal entities must establish and maintain effective internal controls to provide reasonable assurance of compliance with the Uniform Guidance and the terms and conditions outlined by the Environmental Protection Agency. EPA recipients must submit the Federal Financial Report (SF‐425) at least annually. EPA recipients must submit the SF‐425 no later than 90 calendar days for annual reports. Final reports are due no later than 120 calendar days after the end date of the period of performance of the award. Condition: The Federal Financial Report Standard Form 425 was submitted late to the Environmental Protection Agency on March 10, 2025. Cause: The Environmental Protection Agency had informed the Council that these reports were only due at closeout of the grant; therefore, the Council did not submit these reports. However, the Office of Inspector General (OIG) stated that this was not the correct procedure. As a result of the OIG's EPA audit, the Council filed these reports on March 10, 2025 with the EPA to be in compliance. Effect: Potential for unintended errors to occur without being immediately identified and corrected. The Council was not in compliance with the Uniform Guidance and the National Estuary Program. Questioned Costs: None. Perspective: All of the reports identified above were not reviewed. Recommendation: The Chief Operating Officer should obtain in writing any adjustments or clarifications to the grant awards to ensure the requested reports are prepared and reviewed. Management Response: EPA has never requested the SF425 (Federal Financial Reporting Form) from year’s prior and we were told verbally that we were only required to submit them at grant closeout. During a current EPA OIG audit, we were informed that the procedural process we were following was incorrect and that yearly reports were required to be submitted. To bring the IRL Council back into compliance with all federal awards, the Chief Operating Officer completed the FY 2024 forms and submitted them to EPA on March 10, 2025.
MW 2024‐001 REPORTING United States Environmental Protection Agency ALN 66.456 – National Estuary Program Federal Award ID Number: CE‐00D90119, 4T‐02D39922, CE‐02D56923 2024 Funding Criteria: Per 2 CFR 200.303, non‐Federal entities must establish and maintain effective internal controls to provide reasonable assurance of compliance with the Uniform Guidance and the terms and conditions outlined by the Environmental Protection Agency. EPA recipients must submit the Federal Financial Report (SF‐425) at least annually. EPA recipients must submit the SF‐425 no later than 90 calendar days for annual reports. Final reports are due no later than 120 calendar days after the end date of the period of performance of the award. Condition: The Federal Financial Report Standard Form 425 was submitted late to the Environmental Protection Agency on March 10, 2025. Cause: The Environmental Protection Agency had informed the Council that these reports were only due at closeout of the grant; therefore, the Council did not submit these reports. However, the Office of Inspector General (OIG) stated that this was not the correct procedure. As a result of the OIG's EPA audit, the Council filed these reports on March 10, 2025 with the EPA to be in compliance. Effect: Potential for unintended errors to occur without being immediately identified and corrected. The Council was not in compliance with the Uniform Guidance and the National Estuary Program. Questioned Costs: None. Perspective: All of the reports identified above were not reviewed. Recommendation: The Chief Operating Officer should obtain in writing any adjustments or clarifications to the grant awards to ensure the requested reports are prepared and reviewed. Management Response: EPA has never requested the SF425 (Federal Financial Reporting Form) from year’s prior and we were told verbally that we were only required to submit them at grant closeout. During a current EPA OIG audit, we were informed that the procedural process we were following was incorrect and that yearly reports were required to be submitted. To bring the IRL Council back into compliance with all federal awards, the Chief Operating Officer completed the FY 2024 forms and submitted them to EPA on March 10, 2025.
SD 2024‐002 SUSPENSION AND DEBARMENT United States Environmental Protection Agency ALN 66.456 – National Estuary Program Federal Award ID Number: CE‐00D90119, 4T‐02D39922, CE‐02D56923 2024 Funding Repeat finding Criteria: 2 CFR 200.303 requires non‐federal entities to establish and maintain effective internal controls. Pursuant to 2 CFR section 180.300, the Council may not contract with or make subawards to parties that are identified as being suspended or debarred by the Federal Government. The Council must verify the parties’ eligibility to receive payment from a program funded by a Federal grant prior to entering a covered transaction (as defined in 2 CFR section 180.220). Condition: The Council did not have a process in place to verify that subrecipients and vendors for covered transactions were not suspended or debarred. Cause: Management was not aware of this procurement requirement. Effect: The Council could inadvertently enter a covered transaction with a suspended or debarred party, resulting in the disallowance of payments made to that party as eligible costs under the Federal program. Questioned Costs: None. Perspective: Many of the subawards made by the Council were to other local governments or universities, which are entities unlikely to be suspended or debarred. As part of our compliance testing, we tested a sample of subrecipients and vendors for suspension and debarment, noting no exceptions. Recommendation: We recommend the Council continue with the controls that were implemented in late 2024 to ensure the Council does not enter a subaward or other covered transaction with a party that is suspended, debarred or otherwise excluded from participating in federal awards. As the control was not in place for the majority of 2024, it is a repeat finding. Management Response: The IRL Council amended its Operating Procedures following the FY 2023 finding to include suspension and debarment procedures into procurement methods for activities that are federally funded. The IRL Council Chief Operating Officer, immediately checked all current vendors for compliance within SAM.gov and all new or amended agreements have since been checked in SAM.gov for compliance. As noted by Carr, Riggs, and Ingram there were no instances of exception in their testing. Due to the timing of the FY 2023 finding, FY 2024 would also be considered a finding regardless of any corrective action taken.
SD 2024‐002 SUSPENSION AND DEBARMENT United States Environmental Protection Agency ALN 66.456 – National Estuary Program Federal Award ID Number: CE‐00D90119, 4T‐02D39922, CE‐02D56923 2024 Funding Repeat finding Criteria: 2 CFR 200.303 requires non‐federal entities to establish and maintain effective internal controls. Pursuant to 2 CFR section 180.300, the Council may not contract with or make subawards to parties that are identified as being suspended or debarred by the Federal Government. The Council must verify the parties’ eligibility to receive payment from a program funded by a Federal grant prior to entering a covered transaction (as defined in 2 CFR section 180.220). Condition: The Council did not have a process in place to verify that subrecipients and vendors for covered transactions were not suspended or debarred. Cause: Management was not aware of this procurement requirement. Effect: The Council could inadvertently enter a covered transaction with a suspended or debarred party, resulting in the disallowance of payments made to that party as eligible costs under the Federal program. Questioned Costs: None. Perspective: Many of the subawards made by the Council were to other local governments or universities, which are entities unlikely to be suspended or debarred. As part of our compliance testing, we tested a sample of subrecipients and vendors for suspension and debarment, noting no exceptions. Recommendation: We recommend the Council continue with the controls that were implemented in late 2024 to ensure the Council does not enter a subaward or other covered transaction with a party that is suspended, debarred or otherwise excluded from participating in federal awards. As the control was not in place for the majority of 2024, it is a repeat finding. Management Response: The IRL Council amended its Operating Procedures following the FY 2023 finding to include suspension and debarment procedures into procurement methods for activities that are federally funded. The IRL Council Chief Operating Officer, immediately checked all current vendors for compliance within SAM.gov and all new or amended agreements have since been checked in SAM.gov for compliance. As noted by Carr, Riggs, and Ingram there were no instances of exception in their testing. Due to the timing of the FY 2023 finding, FY 2024 would also be considered a finding regardless of any corrective action taken.
SD 2024‐002 SUSPENSION AND DEBARMENT United States Environmental Protection Agency ALN 66.456 – National Estuary Program Federal Award ID Number: CE‐00D90119, 4T‐02D39922, CE‐02D56923 2024 Funding Repeat finding Criteria: 2 CFR 200.303 requires non‐federal entities to establish and maintain effective internal controls. Pursuant to 2 CFR section 180.300, the Council may not contract with or make subawards to parties that are identified as being suspended or debarred by the Federal Government. The Council must verify the parties’ eligibility to receive payment from a program funded by a Federal grant prior to entering a covered transaction (as defined in 2 CFR section 180.220). Condition: The Council did not have a process in place to verify that subrecipients and vendors for covered transactions were not suspended or debarred. Cause: Management was not aware of this procurement requirement. Effect: The Council could inadvertently enter a covered transaction with a suspended or debarred party, resulting in the disallowance of payments made to that party as eligible costs under the Federal program. Questioned Costs: None. Perspective: Many of the subawards made by the Council were to other local governments or universities, which are entities unlikely to be suspended or debarred. As part of our compliance testing, we tested a sample of subrecipients and vendors for suspension and debarment, noting no exceptions. Recommendation: We recommend the Council continue with the controls that were implemented in late 2024 to ensure the Council does not enter a subaward or other covered transaction with a party that is suspended, debarred or otherwise excluded from participating in federal awards. As the control was not in place for the majority of 2024, it is a repeat finding. Management Response: The IRL Council amended its Operating Procedures following the FY 2023 finding to include suspension and debarment procedures into procurement methods for activities that are federally funded. The IRL Council Chief Operating Officer, immediately checked all current vendors for compliance within SAM.gov and all new or amended agreements have since been checked in SAM.gov for compliance. As noted by Carr, Riggs, and Ingram there were no instances of exception in their testing. Due to the timing of the FY 2023 finding, FY 2024 would also be considered a finding regardless of any corrective action taken.
SD 2024‐003 SUBRECIPIENT MONITORING United States Environmental Protection Agency ALN 66.456 – National Estuary Program Federal Award ID Number: CE‐00D90119, 4T‐02D39922, CE‐02D56923 2024 Funding Repeat finding Criteria: 2 CFR 200.303 requires non‐federal entities to establish and maintain effective internal controls. The use of subrecipients in achieving the goals of the federal award requires the establishment of controls over the monitoring of subrecipients pursuant to 2 CFR section 200.331 and 200.332. This includes all requirements imposed by the pass‐through entity on the subrecipient so that the Federal award is used in accordance with Federal statutes, regulations and the terms and conditions of the Federal award and any additional requirements that the pass‐through entity imposes on the subrecipient in order for the pass‐through entity to meet its own responsibility to the Federal awarding agency including identification of any required financial and performance reports. Condition: The Council did not have controls in place to obtain and review subrecipient single audit reports as a means to ensure the subrecipients are taking timely and appropriate action on deficiencies, if any, pertaining to the Federal award. Cause: The Council requested audits from it's subrecipients; however, if the most recent year was not yet available the prior fiscal year's audit was not requested to review for any deficiencies. Effect: Without the monitoring of the results of audits and on‐site reviews, the Council may not have sufficient information to evaluate the risks of noncompliance associated with a subrecipient. Questioned Costs: None. Perspective: The Council did perform monitoring activities related to the use of funds by subrecipients; however, not all controls required for subrecipient monitoring to comply with 2 CFR section 200.331 and 200.332 were fully implemented for the fiscal year under audit. For the 8 subrecipients sampled, audit reports were obtained for 4 subrecipients. Recommendation: If the most recent subrecipient audit report is not yet available, management should request the prior fiscal year if not already obtained. Management Response: The IRL Council put controls in place to be more effective at subrecipient monitoring following the FY 2023 finding which included the following actions: The IRL Council reviewed all projects and activities currently allocated and funded by federal sources to ensure the Uniform Guidance was in place within their respective agreements, and they were amended as needed. All new subrecipient agreements funded by federal sources were not executed until the respective federal award was in place and the Uniform Guidance language was included. The IRL Council did request audit reports from subrecipients and made statements on them, however for the ones who had not completed their FY 2024 audit, a prior year audit report was not immediately requested and statements for those subrecipients had not yet been made. The IRL Council will implement a control to request prior year Financial Statements/audit reports from subrecipients who have not yet completed their report for the year being requested during the Council’s monitoring.
SD 2024‐003 SUBRECIPIENT MONITORING United States Environmental Protection Agency ALN 66.456 – National Estuary Program Federal Award ID Number: CE‐00D90119, 4T‐02D39922, CE‐02D56923 2024 Funding Repeat finding Criteria: 2 CFR 200.303 requires non‐federal entities to establish and maintain effective internal controls. The use of subrecipients in achieving the goals of the federal award requires the establishment of controls over the monitoring of subrecipients pursuant to 2 CFR section 200.331 and 200.332. This includes all requirements imposed by the pass‐through entity on the subrecipient so that the Federal award is used in accordance with Federal statutes, regulations and the terms and conditions of the Federal award and any additional requirements that the pass‐through entity imposes on the subrecipient in order for the pass‐through entity to meet its own responsibility to the Federal awarding agency including identification of any required financial and performance reports. Condition: The Council did not have controls in place to obtain and review subrecipient single audit reports as a means to ensure the subrecipients are taking timely and appropriate action on deficiencies, if any, pertaining to the Federal award. Cause: The Council requested audits from it's subrecipients; however, if the most recent year was not yet available the prior fiscal year's audit was not requested to review for any deficiencies. Effect: Without the monitoring of the results of audits and on‐site reviews, the Council may not have sufficient information to evaluate the risks of noncompliance associated with a subrecipient. Questioned Costs: None. Perspective: The Council did perform monitoring activities related to the use of funds by subrecipients; however, not all controls required for subrecipient monitoring to comply with 2 CFR section 200.331 and 200.332 were fully implemented for the fiscal year under audit. For the 8 subrecipients sampled, audit reports were obtained for 4 subrecipients. Recommendation: If the most recent subrecipient audit report is not yet available, management should request the prior fiscal year if not already obtained. Management Response: The IRL Council put controls in place to be more effective at subrecipient monitoring following the FY 2023 finding which included the following actions: The IRL Council reviewed all projects and activities currently allocated and funded by federal sources to ensure the Uniform Guidance was in place within their respective agreements, and they were amended as needed. All new subrecipient agreements funded by federal sources were not executed until the respective federal award was in place and the Uniform Guidance language was included. The IRL Council did request audit reports from subrecipients and made statements on them, however for the ones who had not completed their FY 2024 audit, a prior year audit report was not immediately requested and statements for those subrecipients had not yet been made. The IRL Council will implement a control to request prior year Financial Statements/audit reports from subrecipients who have not yet completed their report for the year being requested during the Council’s monitoring.
SD 2024‐003 SUBRECIPIENT MONITORING United States Environmental Protection Agency ALN 66.456 – National Estuary Program Federal Award ID Number: CE‐00D90119, 4T‐02D39922, CE‐02D56923 2024 Funding Repeat finding Criteria: 2 CFR 200.303 requires non‐federal entities to establish and maintain effective internal controls. The use of subrecipients in achieving the goals of the federal award requires the establishment of controls over the monitoring of subrecipients pursuant to 2 CFR section 200.331 and 200.332. This includes all requirements imposed by the pass‐through entity on the subrecipient so that the Federal award is used in accordance with Federal statutes, regulations and the terms and conditions of the Federal award and any additional requirements that the pass‐through entity imposes on the subrecipient in order for the pass‐through entity to meet its own responsibility to the Federal awarding agency including identification of any required financial and performance reports. Condition: The Council did not have controls in place to obtain and review subrecipient single audit reports as a means to ensure the subrecipients are taking timely and appropriate action on deficiencies, if any, pertaining to the Federal award. Cause: The Council requested audits from it's subrecipients; however, if the most recent year was not yet available the prior fiscal year's audit was not requested to review for any deficiencies. Effect: Without the monitoring of the results of audits and on‐site reviews, the Council may not have sufficient information to evaluate the risks of noncompliance associated with a subrecipient. Questioned Costs: None. Perspective: The Council did perform monitoring activities related to the use of funds by subrecipients; however, not all controls required for subrecipient monitoring to comply with 2 CFR section 200.331 and 200.332 were fully implemented for the fiscal year under audit. For the 8 subrecipients sampled, audit reports were obtained for 4 subrecipients. Recommendation: If the most recent subrecipient audit report is not yet available, management should request the prior fiscal year if not already obtained. Management Response: The IRL Council put controls in place to be more effective at subrecipient monitoring following the FY 2023 finding which included the following actions: The IRL Council reviewed all projects and activities currently allocated and funded by federal sources to ensure the Uniform Guidance was in place within their respective agreements, and they were amended as needed. All new subrecipient agreements funded by federal sources were not executed until the respective federal award was in place and the Uniform Guidance language was included. The IRL Council did request audit reports from subrecipients and made statements on them, however for the ones who had not completed their FY 2024 audit, a prior year audit report was not immediately requested and statements for those subrecipients had not yet been made. The IRL Council will implement a control to request prior year Financial Statements/audit reports from subrecipients who have not yet completed their report for the year being requested during the Council’s monitoring.
Identification of the Federal Program - Meat and Poultry Intermediary Lending Program - Assistance Listing Number 10.382. Criteria - The criteria is based on the guidelines and regulations set forth by the funding agency, the United States Department of Ariculture and the Compliance and Reporting Guidance included in the grant agreements. According to these requirements, recipients must submit Federal financial reports 30 days after the close of the reporting period to ensure timely accounting of the use of USDA funds. 2 CFR 200.303, Internal Controls, requires that recipients establish and maintain effective internal control over Federal awards that provides reasonable assurance that the recipient is managing Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal awards. Condition - There was a lack of monitoring and appropriate review by the Authority to ensure certain reports were prepared in a timely manner. Effect - There were three reporting periods during the fiscal year under audit. The reports for two reporting periods were not submitted timely. The semiannual reports were not submitted within 30 days after period end. Cause - The Authority's policies and procedures over federal award reporting were not adequate. Recommendation - The Authority should implement policies and procedures related to federal award reporting to comply with reporting requirements. Views of Responsible Officials - The Authority agrees with the finding. The Authority will implement additional oversight over the timely preparation and submittal of required grant reporting documents.
Item 2024‐001 Special Tests and Provisions – Wage Rate Requirements (Repeat) Education Stabilization Fund (ESF) ALN# 84.425U U.S. Department of Education Passed through the State Department of Education Grant period beginning during fiscal year ended September 30, 2021 (84.425U) Criteria – Grantees should have controls in place to ensure that contractors and subcontractors are notified of the requirement to pay prevailing wage rates to all laborers and mechanics employed on construction contracts in excess of $2,000 financed by federal assistance funds and to submit weekly certified payrolls for each week in which contract work is performed. 2 CFR 200.303 requires the non-Federal entity to “(a) establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal statutes, regulations, and the terms and conditions of the Federal award.” 2 CFR 200.326 and 29 CFR Part 5, Labor Standards Provisions Applicable to Contracts Governing Federally Financed and Assisted Construction (DOL Regulations) require the contractor or subcontractor to submit to the nonfederal entity weekly, for each week in which any contract work is performed, a copy of the payroll and a statement of compliance (certified payrolls). Condition – Adequate controls were not in place to ensure that contractors and subcontractors provided timely certified payrolls throughout the construction projects. Cause –There was a lack of sufficient controls over the communication of this requirement to ensure the accuracy and completeness of the certified payrolls being provided to the Board. Effect – Lack of supporting documentation could lead to disallowed costs. However, our audit disclosed no instances of unallowable costs. Questioned Costs – $27,406. Recommendation – We recommend the strengthening of controls to ensure certified payrolls are received for each week in which construction work is performed. Management’s Response – The Board will strengthen the controls in place to provide assurance that all certified payrolls are received each week in which construction work is performed.
2024-001 Report Review and Approval Federal Agency: U.S Department of Treasury Federal Program Name: COVID-19 - Coronavirus State and Local Fiscal Recovery Funds Assistance Listing Number: 21.027 Federal Award Identification Number and Year: SLFRP0125 2022 Pass-through Agency: Florida Department of Environmental Protection Award Period: January 30, 2023 through December 31, 2025 Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria: Compliance: 2 CFR 200.302(b)(3) states that records that identify adequately the source and application of funds for federally-funded activities. These records must contain information pertaining to Federal awards, authorizations, financial obligations, unobligated balances, assets, expenditures, income and interest and be supported by source documentation. Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should comply with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the ”Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: It was observed that quarterly progress reports lacked documentation of review and approval by management prior to submission. Questioned Costs: None. Context: Two of two quarterly progress reports selected for testing lacked documented review and approval. Cause: The lack of review and approval of grant quarterly progress report submissions may be attributed to insufficient training of staff on the importance of the review process, inadequate staffing levels, or a lack of clear guidelines and procedures for the review and approval process. Effect: The lack of a proper review and approval process for grant quarterly progress report submissions can result in the submission of inaccurate and incomplete reimbursement requests and reports, which may lead to non-compliance with grant requirements and potential financial penalties. Repeat Finding: No Recommendation: We recommend that the organization implement a review and approval process for all quarterly progress report submissions. This should include: - Training staff on the importance of the review and approval process. - Ensuring adequate staffing levels to handle the review process. - Developing clear guidelines and procedures for the review and approval process. - Regularly monitoring and auditing the review process to ensure compliance. View of Responsible Official and Planned Corrective Actions: Management concurs with the auditor’s recommendations. Additional fiscal staff has been hired to assist with various fiscal tasks including grant compliance and reporting. The guidelines are being updated, the checklist expanded, and documentation of secondary approval of reports is being retained. Grant guidelines, procedures, and checklists will be utilized to ensure compliance is maintained.
2024-001 Report Review and Approval Federal Agency: U.S Department of Treasury Federal Program Name: COVID-19 - Coronavirus State and Local Fiscal Recovery Funds Assistance Listing Number: 21.027 Federal Award Identification Number and Year: SLFRP0125 2022 Pass-through Agency: Florida Department of Environmental Protection Award Period: January 30, 2023 through December 31, 2025 Type of Finding: Significant Deficiency in Internal Control over Compliance Criteria: Compliance: 2 CFR 200.302(b)(3) states that records that identify adequately the source and application of funds for federally-funded activities. These records must contain information pertaining to Federal awards, authorizations, financial obligations, unobligated balances, assets, expenditures, income and interest and be supported by source documentation. Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should comply with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the ”Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: It was observed that quarterly progress reports lacked documentation of review and approval by management prior to submission. Questioned Costs: None. Context: Two of two quarterly progress reports selected for testing lacked documented review and approval. Cause: The lack of review and approval of grant quarterly progress report submissions may be attributed to insufficient training of staff on the importance of the review process, inadequate staffing levels, or a lack of clear guidelines and procedures for the review and approval process. Effect: The lack of a proper review and approval process for grant quarterly progress report submissions can result in the submission of inaccurate and incomplete reimbursement requests and reports, which may lead to non-compliance with grant requirements and potential financial penalties. Repeat Finding: No Recommendation: We recommend that the organization implement a review and approval process for all quarterly progress report submissions. This should include: - Training staff on the importance of the review and approval process. - Ensuring adequate staffing levels to handle the review process. - Developing clear guidelines and procedures for the review and approval process. - Regularly monitoring and auditing the review process to ensure compliance. View of Responsible Official and Planned Corrective Actions: Management concurs with the auditor’s recommendations. Additional fiscal staff has been hired to assist with various fiscal tasks including grant compliance and reporting. The guidelines are being updated, the checklist expanded, and documentation of secondary approval of reports is being retained. Grant guidelines, procedures, and checklists will be utilized to ensure compliance is maintained.
Assistance Listing, Federal Agency, and Program Name - ALN 10.557, U.S. Department of Agriculture, Special Supplemental Nutrition Program for Women, Infants, and Children (WIC) Federal Award Identification Number and Year - E20243647-002 (2024) and E20243640-001 (2024) Pass-through Entity - Michigan Department of Health and Human Services Finding Type - Material weakness Repeat Finding - Yes 2023-001 Criteria - Per the grant agreement, the County is required to initially certify recipients to ensure eligibility criteria are met for the WIC program and benefits are provided to eligible participants as defined by 7 CFR sections 246.7(c), (d), (e), (g), and (l). Per 2 CFR 200.303(a), nonfederal entities must establish and maintain effective internal control over the federal award that provides resonable assurance that the non federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition - During testing, it was noted that, although there was a process in place to review eligibility criteria received by program, there was no independent review or control to ensure eligibility was accurate for 11 months of the year. Questioned Costs - None If questioned costs are not determinable, description of why known questioned costs were undetermined or otherwise could not be reported - Not applicable Identification of How Questioned Costs Were Computed - Not applicable Context - From October 1, 2023 through September 30, 2024, all new participants requesting participation in the program are required to provide eligibility criteria to be evaluated by the County for eligibility determination. Upon receiving this information, the County has one individual reviewing and entering the eligibility criteria into the system for both programs and determining eligibility. This was the case for the first 11 months of the fiscal year. Given this was a prior year finding, the County implemented a new control with a secondary review that started in September 2024. Cause and Effect - There was no control in place to check eligibility after initial entry and recording of eligibility information within the program system. Although no ineligible participants were discovered through testing performed, the lack of controls could result in a possibility of participants who are ineligible receiving benefits. Recommendation - We recommend that the County continue the internal control that was implemented in September 2024 to ensure that there is a subsequent check of eligibility information and determinations made after the initial entry and recording of eligibility information. Views of Responsible Officials and Corrective Action Plan - After the initial review for eligibility, a second employee will verify that eligibility was properly determined and provide a signoff to document review. This was implemented in September of 2024.
Assistance Listing, Federal Agency, and Program Name - ALN 10.557, U.S. Department of Agriculture, Special Supplemental Nutrition Program for Women, Infants, and Children (WIC) Federal Award Identification Number and Year - E20243647-002 (2024) and E20243640-001 (2024) Pass-through Entity - Michigan Department of Health and Human Services Finding Type - Material weakness Repeat Finding - Yes 2023-001 Criteria - Per the grant agreement, the County is required to initially certify recipients to ensure eligibility criteria are met for the WIC program and benefits are provided to eligible participants as defined by 7 CFR sections 246.7(c), (d), (e), (g), and (l). Per 2 CFR 200.303(a), nonfederal entities must establish and maintain effective internal control over the federal award that provides resonable assurance that the non federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition - During testing, it was noted that, although there was a process in place to review eligibility criteria received by program, there was no independent review or control to ensure eligibility was accurate for 11 months of the year. Questioned Costs - None If questioned costs are not determinable, description of why known questioned costs were undetermined or otherwise could not be reported - Not applicable Identification of How Questioned Costs Were Computed - Not applicable Context - From October 1, 2023 through September 30, 2024, all new participants requesting participation in the program are required to provide eligibility criteria to be evaluated by the County for eligibility determination. Upon receiving this information, the County has one individual reviewing and entering the eligibility criteria into the system for both programs and determining eligibility. This was the case for the first 11 months of the fiscal year. Given this was a prior year finding, the County implemented a new control with a secondary review that started in September 2024. Cause and Effect - There was no control in place to check eligibility after initial entry and recording of eligibility information within the program system. Although no ineligible participants were discovered through testing performed, the lack of controls could result in a possibility of participants who are ineligible receiving benefits. Recommendation - We recommend that the County continue the internal control that was implemented in September 2024 to ensure that there is a subsequent check of eligibility information and determinations made after the initial entry and recording of eligibility information. Views of Responsible Officials and Corrective Action Plan - After the initial review for eligibility, a second employee will verify that eligibility was properly determined and provide a signoff to document review. This was implemented in September of 2024.
Assistance Listing, Federal Agency, and Program Name - ALN 10.557, U.S. Department of Agriculture, Special Supplemental Nutrition Program for Women, Infants, and Children (WIC) Federal Award Identification Number and Year - E20243647-002 (2024) and E20243640-001 (2024) Pass-through Entity - Michigan Department of Health and Human Services Finding Type - Material weakness Repeat Finding - Yes 2023-001 Criteria - Per the grant agreement, the County is required to initially certify recipients to ensure eligibility criteria are met for the WIC program and benefits are provided to eligible participants as defined by 7 CFR sections 246.7(c), (d), (e), (g), and (l). Per 2 CFR 200.303(a), nonfederal entities must establish and maintain effective internal control over the federal award that provides resonable assurance that the non federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition - During testing, it was noted that, although there was a process in place to review eligibility criteria received by program, there was no independent review or control to ensure eligibility was accurate for 11 months of the year. Questioned Costs - None If questioned costs are not determinable, description of why known questioned costs were undetermined or otherwise could not be reported - Not applicable Identification of How Questioned Costs Were Computed - Not applicable Context - From October 1, 2023 through September 30, 2024, all new participants requesting participation in the program are required to provide eligibility criteria to be evaluated by the County for eligibility determination. Upon receiving this information, the County has one individual reviewing and entering the eligibility criteria into the system for both programs and determining eligibility. This was the case for the first 11 months of the fiscal year. Given this was a prior year finding, the County implemented a new control with a secondary review that started in September 2024. Cause and Effect - There was no control in place to check eligibility after initial entry and recording of eligibility information within the program system. Although no ineligible participants were discovered through testing performed, the lack of controls could result in a possibility of participants who are ineligible receiving benefits. Recommendation - We recommend that the County continue the internal control that was implemented in September 2024 to ensure that there is a subsequent check of eligibility information and determinations made after the initial entry and recording of eligibility information. Views of Responsible Officials and Corrective Action Plan - After the initial review for eligibility, a second employee will verify that eligibility was properly determined and provide a signoff to document review. This was implemented in September of 2024.
Assistance Listing, Federal Agency, and Program Name - ALN 10.557, U.S. Department of Agriculture, Special Supplemental Nutrition Program for Women, Infants, and Children (WIC) Federal Award Identification Number and Year - E20243647-002 (2024) and E20243640-001 (2024) Pass-through Entity - Michigan Department of Health and Human Services Finding Type - Material weakness Repeat Finding - Yes 2023-001 Criteria - Per the grant agreement, the County is required to initially certify recipients to ensure eligibility criteria are met for the WIC program and benefits are provided to eligible participants as defined by 7 CFR sections 246.7(c), (d), (e), (g), and (l). Per 2 CFR 200.303(a), nonfederal entities must establish and maintain effective internal control over the federal award that provides resonable assurance that the non federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition - During testing, it was noted that, although there was a process in place to review eligibility criteria received by program, there was no independent review or control to ensure eligibility was accurate for 11 months of the year. Questioned Costs - None If questioned costs are not determinable, description of why known questioned costs were undetermined or otherwise could not be reported - Not applicable Identification of How Questioned Costs Were Computed - Not applicable Context - From October 1, 2023 through September 30, 2024, all new participants requesting participation in the program are required to provide eligibility criteria to be evaluated by the County for eligibility determination. Upon receiving this information, the County has one individual reviewing and entering the eligibility criteria into the system for both programs and determining eligibility. This was the case for the first 11 months of the fiscal year. Given this was a prior year finding, the County implemented a new control with a secondary review that started in September 2024. Cause and Effect - There was no control in place to check eligibility after initial entry and recording of eligibility information within the program system. Although no ineligible participants were discovered through testing performed, the lack of controls could result in a possibility of participants who are ineligible receiving benefits. Recommendation - We recommend that the County continue the internal control that was implemented in September 2024 to ensure that there is a subsequent check of eligibility information and determinations made after the initial entry and recording of eligibility information. Views of Responsible Officials and Corrective Action Plan - After the initial review for eligibility, a second employee will verify that eligibility was properly determined and provide a signoff to document review. This was implemented in September of 2024.
Section III – Federal Award Findings and Questioned Costs Finding 2024-001 – Reporting – Federal Funding Accountability and Transparency Act (FFATA) Identification of the federal program: Federal Agency: United States Agency for International Development United States Department of State Assistance Listing: 98.001 – USAID Foreign Assistance for Programs Overseas 19.421 – Department of State Bureau of Educational and Cultural Affairs: Academic Exchange Programs – English Language Program Federal Award Identification Number 98.001 – 7200AA22CA00016; 72048619CA00001; 7200AA18CA00011; 7200AA19CA00002; 19.421 – SECAGD19CA0156 Award Year: FY 2024 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR Section 200.303 of the Uniform Guidance states the following regarding internal control: “The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in ‘Standards for Internal Control in the Federal Government’ issued by the Comptroller General of the United States or the ‘Internal Control Integrated Framework,’ issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” As per 2 CFR Part 170, direct recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). The subaward information should be reported no later than the end of the month following the month in which the obligation was made. Condition: We noted the following matters during our testing of the Federal Funding Accountability and Transparency Act (FFATA) reporting compliance requirements: Under Assistance Listing 19.421, we tested a total of five subrecipients, for which subaward agreements were executed in FY 2024 or had modifications to existing subaward agreements in FY 2024, and noted the following "See chart in the audit report" Under Assistance Listing 98.001, we tested a total of 43 subrecipients, for which subaward agreements were executed in FY 2024 or had modifications to existing sub-award agreements in FY 2024, and noted the following: ""See chart in the audit report" Cause: A detailed review of all new subaward agreements and/or modifications made during fiscal year 2024 was not performed to identify reports that should have been submitted timely. Effect or Potential Effect: FHI 360 did not submit the required reports or submitted the reports late for first-tier subawards of $30,000 or more causing them not to be in compliance with federal reporting requirements. Questioned Costs: None Context: Under the Transparency Act reporting requirements, each FFATA report includes the following key data elements: 1) Subawardee name, 2) Subawardee DUNS #, 3) Amount of Subaward, 4) Subaward Obligation/Action Date, 5) Subaward Number, 6) Subaward Project Description, 7) Subawardee Names and Compensation of Highly Compensated Officers, if thresholds are met, and 8) Date of Report Submission. Testing of the FFATA reports included each of these data elements as well as verifying for timely submissions. The table presented above lists the untimely or non-submission of the reports. Total federal expenditures and total subrecipient expenditures for Assistance Listing 19.421, as reported on the Schedule of Expenditures of Federal Awards (SEFA) for fiscal year ended September 30, 2024 were $27,632,329 and $928,247, respectively. Total federal expenditures and total subrecipient expenditures for Assistance Listing 98.001, as reported on the SEFA for fiscal year ended September 30, 2024 were $491,851,680 and $165,282,920, respectively. Identification as a Repeat Finding: This is a repeat finding from prior year (2023-001 and 2022-001). Recommendation: We recommend FHI 360 strengthen its internal controls and procedures over FFATA reporting to ensure they are submitted timely to be in compliance with the federal reporting requirements. Views of Responsible Officials: Management will continue to implement actions to enhance and strengthen previous year corrective action plan activities including global communications and meetings with key management teams, targeted and detailed refresher training recommendations on FFATA requirements and completion of the FSRS template via an e-module, and additional review of FFATA submissions via a centralized team to identify prospective transactions and perform a final review of data quality prior to data entry in FSRS. The additional review will focus on completeness and accuracy of submitted data and timeliness of submissions. Further, management is currently implementing a system-based enhancement to capture signature data to provide centralized monitoring of execution date ensuring timely reporting based on execution dates of subawards.
Section III – Federal Award Findings and Questioned Costs Finding 2024-001 – Reporting – Federal Funding Accountability and Transparency Act (FFATA) Identification of the federal program: Federal Agency: United States Agency for International Development United States Department of State Assistance Listing: 98.001 – USAID Foreign Assistance for Programs Overseas 19.421 – Department of State Bureau of Educational and Cultural Affairs: Academic Exchange Programs – English Language Program Federal Award Identification Number 98.001 – 7200AA22CA00016; 72048619CA00001; 7200AA18CA00011; 7200AA19CA00002; 19.421 – SECAGD19CA0156 Award Year: FY 2024 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR Section 200.303 of the Uniform Guidance states the following regarding internal control: “The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in ‘Standards for Internal Control in the Federal Government’ issued by the Comptroller General of the United States or the ‘Internal Control Integrated Framework,’ issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” As per 2 CFR Part 170, direct recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). The subaward information should be reported no later than the end of the month following the month in which the obligation was made. Condition: We noted the following matters during our testing of the Federal Funding Accountability and Transparency Act (FFATA) reporting compliance requirements: Under Assistance Listing 19.421, we tested a total of five subrecipients, for which subaward agreements were executed in FY 2024 or had modifications to existing subaward agreements in FY 2024, and noted the following "See chart in the audit report" Under Assistance Listing 98.001, we tested a total of 43 subrecipients, for which subaward agreements were executed in FY 2024 or had modifications to existing sub-award agreements in FY 2024, and noted the following: ""See chart in the audit report" Cause: A detailed review of all new subaward agreements and/or modifications made during fiscal year 2024 was not performed to identify reports that should have been submitted timely. Effect or Potential Effect: FHI 360 did not submit the required reports or submitted the reports late for first-tier subawards of $30,000 or more causing them not to be in compliance with federal reporting requirements. Questioned Costs: None Context: Under the Transparency Act reporting requirements, each FFATA report includes the following key data elements: 1) Subawardee name, 2) Subawardee DUNS #, 3) Amount of Subaward, 4) Subaward Obligation/Action Date, 5) Subaward Number, 6) Subaward Project Description, 7) Subawardee Names and Compensation of Highly Compensated Officers, if thresholds are met, and 8) Date of Report Submission. Testing of the FFATA reports included each of these data elements as well as verifying for timely submissions. The table presented above lists the untimely or non-submission of the reports. Total federal expenditures and total subrecipient expenditures for Assistance Listing 19.421, as reported on the Schedule of Expenditures of Federal Awards (SEFA) for fiscal year ended September 30, 2024 were $27,632,329 and $928,247, respectively. Total federal expenditures and total subrecipient expenditures for Assistance Listing 98.001, as reported on the SEFA for fiscal year ended September 30, 2024 were $491,851,680 and $165,282,920, respectively. Identification as a Repeat Finding: This is a repeat finding from prior year (2023-001 and 2022-001). Recommendation: We recommend FHI 360 strengthen its internal controls and procedures over FFATA reporting to ensure they are submitted timely to be in compliance with the federal reporting requirements. Views of Responsible Officials: Management will continue to implement actions to enhance and strengthen previous year corrective action plan activities including global communications and meetings with key management teams, targeted and detailed refresher training recommendations on FFATA requirements and completion of the FSRS template via an e-module, and additional review of FFATA submissions via a centralized team to identify prospective transactions and perform a final review of data quality prior to data entry in FSRS. The additional review will focus on completeness and accuracy of submitted data and timeliness of submissions. Further, management is currently implementing a system-based enhancement to capture signature data to provide centralized monitoring of execution date ensuring timely reporting based on execution dates of subawards.
Section III – Federal Award Findings and Questioned Costs Finding 2024-001 – Reporting – Federal Funding Accountability and Transparency Act (FFATA) Identification of the federal program: Federal Agency: United States Agency for International Development United States Department of State Assistance Listing: 98.001 – USAID Foreign Assistance for Programs Overseas 19.421 – Department of State Bureau of Educational and Cultural Affairs: Academic Exchange Programs – English Language Program Federal Award Identification Number 98.001 – 7200AA22CA00016; 72048619CA00001; 7200AA18CA00011; 7200AA19CA00002; 19.421 – SECAGD19CA0156 Award Year: FY 2024 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR Section 200.303 of the Uniform Guidance states the following regarding internal control: “The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in ‘Standards for Internal Control in the Federal Government’ issued by the Comptroller General of the United States or the ‘Internal Control Integrated Framework,’ issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” As per 2 CFR Part 170, direct recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). The subaward information should be reported no later than the end of the month following the month in which the obligation was made. Condition: We noted the following matters during our testing of the Federal Funding Accountability and Transparency Act (FFATA) reporting compliance requirements: Under Assistance Listing 19.421, we tested a total of five subrecipients, for which subaward agreements were executed in FY 2024 or had modifications to existing subaward agreements in FY 2024, and noted the following "See chart in the audit report" Under Assistance Listing 98.001, we tested a total of 43 subrecipients, for which subaward agreements were executed in FY 2024 or had modifications to existing sub-award agreements in FY 2024, and noted the following: ""See chart in the audit report" Cause: A detailed review of all new subaward agreements and/or modifications made during fiscal year 2024 was not performed to identify reports that should have been submitted timely. Effect or Potential Effect: FHI 360 did not submit the required reports or submitted the reports late for first-tier subawards of $30,000 or more causing them not to be in compliance with federal reporting requirements. Questioned Costs: None Context: Under the Transparency Act reporting requirements, each FFATA report includes the following key data elements: 1) Subawardee name, 2) Subawardee DUNS #, 3) Amount of Subaward, 4) Subaward Obligation/Action Date, 5) Subaward Number, 6) Subaward Project Description, 7) Subawardee Names and Compensation of Highly Compensated Officers, if thresholds are met, and 8) Date of Report Submission. Testing of the FFATA reports included each of these data elements as well as verifying for timely submissions. The table presented above lists the untimely or non-submission of the reports. Total federal expenditures and total subrecipient expenditures for Assistance Listing 19.421, as reported on the Schedule of Expenditures of Federal Awards (SEFA) for fiscal year ended September 30, 2024 were $27,632,329 and $928,247, respectively. Total federal expenditures and total subrecipient expenditures for Assistance Listing 98.001, as reported on the SEFA for fiscal year ended September 30, 2024 were $491,851,680 and $165,282,920, respectively. Identification as a Repeat Finding: This is a repeat finding from prior year (2023-001 and 2022-001). Recommendation: We recommend FHI 360 strengthen its internal controls and procedures over FFATA reporting to ensure they are submitted timely to be in compliance with the federal reporting requirements. Views of Responsible Officials: Management will continue to implement actions to enhance and strengthen previous year corrective action plan activities including global communications and meetings with key management teams, targeted and detailed refresher training recommendations on FFATA requirements and completion of the FSRS template via an e-module, and additional review of FFATA submissions via a centralized team to identify prospective transactions and perform a final review of data quality prior to data entry in FSRS. The additional review will focus on completeness and accuracy of submitted data and timeliness of submissions. Further, management is currently implementing a system-based enhancement to capture signature data to provide centralized monitoring of execution date ensuring timely reporting based on execution dates of subawards.
Section III – Federal Award Findings and Questioned Costs Finding 2024-001 – Reporting – Federal Funding Accountability and Transparency Act (FFATA) Identification of the federal program: Federal Agency: United States Agency for International Development United States Department of State Assistance Listing: 98.001 – USAID Foreign Assistance for Programs Overseas 19.421 – Department of State Bureau of Educational and Cultural Affairs: Academic Exchange Programs – English Language Program Federal Award Identification Number 98.001 – 7200AA22CA00016; 72048619CA00001; 7200AA18CA00011; 7200AA19CA00002; 19.421 – SECAGD19CA0156 Award Year: FY 2024 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR Section 200.303 of the Uniform Guidance states the following regarding internal control: “The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in ‘Standards for Internal Control in the Federal Government’ issued by the Comptroller General of the United States or the ‘Internal Control Integrated Framework,’ issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” As per 2 CFR Part 170, direct recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). The subaward information should be reported no later than the end of the month following the month in which the obligation was made. Condition: We noted the following matters during our testing of the Federal Funding Accountability and Transparency Act (FFATA) reporting compliance requirements: Under Assistance Listing 19.421, we tested a total of five subrecipients, for which subaward agreements were executed in FY 2024 or had modifications to existing subaward agreements in FY 2024, and noted the following "See chart in the audit report" Under Assistance Listing 98.001, we tested a total of 43 subrecipients, for which subaward agreements were executed in FY 2024 or had modifications to existing sub-award agreements in FY 2024, and noted the following: ""See chart in the audit report" Cause: A detailed review of all new subaward agreements and/or modifications made during fiscal year 2024 was not performed to identify reports that should have been submitted timely. Effect or Potential Effect: FHI 360 did not submit the required reports or submitted the reports late for first-tier subawards of $30,000 or more causing them not to be in compliance with federal reporting requirements. Questioned Costs: None Context: Under the Transparency Act reporting requirements, each FFATA report includes the following key data elements: 1) Subawardee name, 2) Subawardee DUNS #, 3) Amount of Subaward, 4) Subaward Obligation/Action Date, 5) Subaward Number, 6) Subaward Project Description, 7) Subawardee Names and Compensation of Highly Compensated Officers, if thresholds are met, and 8) Date of Report Submission. Testing of the FFATA reports included each of these data elements as well as verifying for timely submissions. The table presented above lists the untimely or non-submission of the reports. Total federal expenditures and total subrecipient expenditures for Assistance Listing 19.421, as reported on the Schedule of Expenditures of Federal Awards (SEFA) for fiscal year ended September 30, 2024 were $27,632,329 and $928,247, respectively. Total federal expenditures and total subrecipient expenditures for Assistance Listing 98.001, as reported on the SEFA for fiscal year ended September 30, 2024 were $491,851,680 and $165,282,920, respectively. Identification as a Repeat Finding: This is a repeat finding from prior year (2023-001 and 2022-001). Recommendation: We recommend FHI 360 strengthen its internal controls and procedures over FFATA reporting to ensure they are submitted timely to be in compliance with the federal reporting requirements. Views of Responsible Officials: Management will continue to implement actions to enhance and strengthen previous year corrective action plan activities including global communications and meetings with key management teams, targeted and detailed refresher training recommendations on FFATA requirements and completion of the FSRS template via an e-module, and additional review of FFATA submissions via a centralized team to identify prospective transactions and perform a final review of data quality prior to data entry in FSRS. The additional review will focus on completeness and accuracy of submitted data and timeliness of submissions. Further, management is currently implementing a system-based enhancement to capture signature data to provide centralized monitoring of execution date ensuring timely reporting based on execution dates of subawards.
Section III – Federal Award Findings and Questioned Costs Finding 2024-001 – Reporting – Federal Funding Accountability and Transparency Act (FFATA) Identification of the federal program: Federal Agency: United States Agency for International Development United States Department of State Assistance Listing: 98.001 – USAID Foreign Assistance for Programs Overseas 19.421 – Department of State Bureau of Educational and Cultural Affairs: Academic Exchange Programs – English Language Program Federal Award Identification Number 98.001 – 7200AA22CA00016; 72048619CA00001; 7200AA18CA00011; 7200AA19CA00002; 19.421 – SECAGD19CA0156 Award Year: FY 2024 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR Section 200.303 of the Uniform Guidance states the following regarding internal control: “The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in ‘Standards for Internal Control in the Federal Government’ issued by the Comptroller General of the United States or the ‘Internal Control Integrated Framework,’ issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” As per 2 CFR Part 170, direct recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). The subaward information should be reported no later than the end of the month following the month in which the obligation was made. Condition: We noted the following matters during our testing of the Federal Funding Accountability and Transparency Act (FFATA) reporting compliance requirements: Under Assistance Listing 19.421, we tested a total of five subrecipients, for which subaward agreements were executed in FY 2024 or had modifications to existing subaward agreements in FY 2024, and noted the following "See chart in the audit report" Under Assistance Listing 98.001, we tested a total of 43 subrecipients, for which subaward agreements were executed in FY 2024 or had modifications to existing sub-award agreements in FY 2024, and noted the following: ""See chart in the audit report" Cause: A detailed review of all new subaward agreements and/or modifications made during fiscal year 2024 was not performed to identify reports that should have been submitted timely. Effect or Potential Effect: FHI 360 did not submit the required reports or submitted the reports late for first-tier subawards of $30,000 or more causing them not to be in compliance with federal reporting requirements. Questioned Costs: None Context: Under the Transparency Act reporting requirements, each FFATA report includes the following key data elements: 1) Subawardee name, 2) Subawardee DUNS #, 3) Amount of Subaward, 4) Subaward Obligation/Action Date, 5) Subaward Number, 6) Subaward Project Description, 7) Subawardee Names and Compensation of Highly Compensated Officers, if thresholds are met, and 8) Date of Report Submission. Testing of the FFATA reports included each of these data elements as well as verifying for timely submissions. The table presented above lists the untimely or non-submission of the reports. Total federal expenditures and total subrecipient expenditures for Assistance Listing 19.421, as reported on the Schedule of Expenditures of Federal Awards (SEFA) for fiscal year ended September 30, 2024 were $27,632,329 and $928,247, respectively. Total federal expenditures and total subrecipient expenditures for Assistance Listing 98.001, as reported on the SEFA for fiscal year ended September 30, 2024 were $491,851,680 and $165,282,920, respectively. Identification as a Repeat Finding: This is a repeat finding from prior year (2023-001 and 2022-001). Recommendation: We recommend FHI 360 strengthen its internal controls and procedures over FFATA reporting to ensure they are submitted timely to be in compliance with the federal reporting requirements. Views of Responsible Officials: Management will continue to implement actions to enhance and strengthen previous year corrective action plan activities including global communications and meetings with key management teams, targeted and detailed refresher training recommendations on FFATA requirements and completion of the FSRS template via an e-module, and additional review of FFATA submissions via a centralized team to identify prospective transactions and perform a final review of data quality prior to data entry in FSRS. The additional review will focus on completeness and accuracy of submitted data and timeliness of submissions. Further, management is currently implementing a system-based enhancement to capture signature data to provide centralized monitoring of execution date ensuring timely reporting based on execution dates of subawards.
Finding 2024-001: Preparation of Schedule of Expenditures of Federal Awards (SEFA) Program Name: Multiple federal programs Criteria 1. The code of federal regulations – 2 CFR 200.302 Financial management requires that: (a) Each State must expend and account for the Federal award in accordance with State laws and procedures for expending and accounting for the State’s funds. All recipient and subrecipient financial management systems, including records documenting compliance with Federal statutes, regulations, and the terms and conditions of the Federal award, must be sufficient to permit the preparation of reports required by the terms and conditions; and tracking expenditures to establish that funds have been used in accordance with Federal statutes, regulations, and the terms and conditions of the Federal award. (b) The recipient’s and subrecipient’s financial management system must provide for the following: (1) Identification of all Federal awards received and expended and the Federal programs under which they were received. Federal program and Federal award identification must include, as applicable, the Assistance Listings title and number, Federal award identification number, year the Federal award was issued, and name of the Federal agency or pass-through entity. (2) Accurate, current, and complete disclosure of the financial results of each Federal award or program in accordance with the reporting requirements in § 200.328 and § 200.329. When a Federal agency or pass-through entity requires reporting on an accrual basis from a recipient or subrecipient that maintains its records other than on an accrual basis, the recipient or subrecipient must not be required to establish an accrual accounting system. This recipient or subrecipient may develop accrual data for its reports based on an analysis of the documentation on hand. 2. The code of federal regulations – 2 CFR 200.303 Internal controls requires that recipients and subrecipients must: (a) Establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). (b) Comply with the U.S. Constitution, Federal statutes, regulations, and the terms and conditions of the Federal award. (c) Evaluate and monitor the recipient’s or subrecipient’s compliance with statutes, regulations, and the terms and conditions of Federal awards. (d) Take prompt action when instances of noncompliance are identified. Condition The following exceptions to the criteria were observed during the performance of the audit procedures: 1. After the completion of internal review and approval process that Amtrak has established for SEFA preparation and review, we have received multiple updated versions of the schedule with changes to FY24 expenditure amounts for three Assistance Listings included on the SEFA. Total expenditures increased by $80.2 million from version 1 to the final version received. 2. The starting point of the SEFA preparation for the current year was not the audited FY23 SEFA submitted to Federal Audit Clearinghouse, as we have identified that Amtrak subsequently made changes to the FY23 internal SEFA document without reconciling the changes to the audited FY23 SEFA, which resulted in the total cumulative expenditures as of 9/30/2023 to be updated and as such impacting the FY24 expenditures for the respective federal programs. One of the adjustments related to the Hudson Yards Concrete Casing project (HYCC-3) which initially incorrectly recorded $25.0 million of prepaid expenditures. 3. As Assistance Listing #20.314 has been obligated as of 9/27/2024, Amtrak has recorded expenditures related to the HYCC-3 project under this program for the established pre-award period, which dated from January 30, 2023 as part of the FY24 expenditures. Previously, a portion of the total expenditures was included within the FY23 SEFA under Assistance Listing #20.315, for the total amount of $15.6 million. This amount was not adjusted out of the cumulative expenditures for Assistance Listing #20.315 until 2025. Consequently, these expenditures were listed both within the FY23 SEFA under Assistance Listing #20.315 and under the FY24 SEFA as Assistance Listing #20.314 expenditures. 4. As part of SEFA preparation as it relates to allocation of operating expenditures across multiple funding sources, certain projects were incorrectly mapped to annual grants funding source, which resulted in approximately $0.3 million of operating expenses to be included within Assistance Listing #20.315 that were also reported under Assistance Listing #97.075. Cause Amtrak’s control procedures in place as it relates to the preparation of the SEFA were not operating in a manner that would timely identify the conditions noted. Additionally, Amtrak’s controls around allocation of federal funding to project codes were not designed in a manner that would timely identify the conditions noted. In reviewing management’s controls around the SEFA preparation, the design of key controls identified by management does not include an overarching review of the SEFA and reconciliation of what’s been reported on the SEFA from individual projects’ standpoint when such projects have multiple assistance listings as funding sources. We also noted that there was not a specific control that ensures timely updates of Work Breakdown Structure (WBS) funding assignments and allocations when there is a change such as a new grant agreement signed. Effect Amtrak’s control procedures in place as it relates to the preparation of the SEFA were not designed in such a manner that would timely identify the conditions noted, which resulted in several versions of the SEFA that were erroneous and inclusion of expenditures that were double counted within the SEFA. This puts Amtrak at greater risk of non-compliance with its grant agreements with respect to questioned costs and an inaccurate SEFA. Questioned Costs None. Context The SEFA, as originally provided, had exceptions as described in the Condition section above noted for matters 1 and 2 in the Criteria section above, indicating that certain internal controls were not functioning as designed and others were not designed effectively. Identification as a Repeat Finding Not a repeat finding. Recommendation We recommend Amtrak to strengthen the SEFA oversight process to ensure appropriate preparation and review of the SEFA to validate its accuracy, including reconciliation with prior year audited SEFA. This should include having one reviewer take overall responsibility for the completeness and accuracy of the final submitted SEFA. This robust review process should include appropriate procedures to confirm accuracy of the SEFA, which may include a protocol where representatives from various groups (both discretionary and non-discretionary federal programs) work collaboratively to review the SEFA and underlying details of expenditures, to ensure all the adjustments have been properly reflected as well as any projects that might have multiple fund sources are identified timely and reviewed for appropriate inclusion within the SEFA. Additionally, Amtrak should establish a process where any modifications of WBS funding assignments and allocations are updated in a timely manner. Views of Responsible Officials Amtrak recognizes the need to improve the preparation and review of the SEFA. The company has documented the steps for preparing and reviewing the SEFA within its process narrative. The company will update the narrative to address the preparation and review issues that led to the multiple versions of the SEFA being provided during the audit. The company will review and update the Grants Management Compliance Narrative and controls to improve timing of updates for modifications of WBS funding assignments. The company is in the process of updating the SEFA preparation documentation for FY2025, which will be used at the end of the year. The review procedures and controls are being enhanced to include a checklist to improve the review.
Finding 2024-002: Review of Compliance Matrices and Narratives Program Name: 1. Rail and Transit Security Grant Program Assistance Listing No. 97.075 2. Railroad Development Assistance Listing No. 20.314 Federal Award No.: 1. EMW-2022-RA-00032 EMW-2021-RA-00048 EMW-2020-RA-00014 2. 69A36524400010MEGDC Federal Agency: 1. U.S. Department of Homeland Security 2. U.S. Department of Transportation Criteria The code of federal regulations – 2 CFR 200.302 Financial management requires that: (a) Each State must expend and account for the Federal award in accordance with State laws and procedures for expending and accounting for the State’s funds. All recipient and subrecipient financial management systems, including records documenting compliance with Federal statutes, regulations, and the terms and conditions of the Federal award, must be sufficient to permit the preparation of reports required by the terms and conditions; and tracking expenditures to establish that funds have been used in accordance with Federal statutes, regulations, and the terms and conditions of the Federal award. The code of federal regulations – 2 CFR 200.303 Internal controls requires that recipients and subrecipients: (a) Establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). (b) Comply with the U.S. Constitution, Federal statutes, regulations, and the terms and conditions of the Federal award. (c) Evaluate and monitor the recipient’s or subrecipient’s compliance with statutes, regulations, and the terms and conditions of Federal awards. Condition The following exceptions to the criteria were observed during the performance of the audit procedures: 1. For the compliance matrix that is maintained for the Assistance Listing #97.075, we have identified that for nine provisions, the wording contained withing the matrix did not match in its entirety to the respective grant agreement. Additionally, we noted that two provisions that were present in the grant agreements were not included in the matrix. 2. For the compliance matrix that is maintained for the Assistance Listing #20.314, we have identified that for nine provisions, the wording contained withing the matrix did not match in its entirety to the respective grant agreement. 3. Specific compliance requirements as it relates to the earmarking provisions of the respective grants of the Assistance Listing #97.075 were not detailed out within the respective compliance matrix, nor within the compliance narrative that is documented by Amtrak to assess the applicability and relevance of individual compliance requirements contained within the Compliance Supplement. Cause In reviewing management’s controls, the key controls identified by management are not designed such that consistent and timely proactive monitoring and/or review occurs to ensure that all the compliance requirements and any changes to the wording of specific provisions are updated and reviewed within the compliance matrices and the compliance narrative. Effect Amtrak is not in compliance with the 2 CFR 200.302 (a) and 2 CFR 200.303. This may also put Amtrak at greater risk of non-compliance with specific provisions in accordance with the federal awards. Questioned Costs None. Context We have reviewed the federal awards in scope and the compliance matrices and compliance narrative maintained by the Company as part of the audit procedures in connection with testing of earmarking and special tests and provisions compliance requirements. Identification as a Repeat Finding Not a repeat finding. However, we have noted similar control deficiencies related to completeness of the compliance matrices in prior years. Recommendation We recommend that Amtrak establishes a more defined timeline for the events that would trigger the update and review of the compliance matrices and compliance narrative, which could include execution of any new federal awards or amendments to existing federal awards. Additionally, Amtrak should establish a process where the modifications to the provisions are assessed for materiality/applicability and include documentation of the respective conclusions as part of the review process. Views of Responsible Officials Amtrak acknowledges the need to augment process documentation around the controls over the preparation and updates to the compliance matrices. The company is in the process of updating these controls now and will incorporate the identified findings in developing more robust controls. The company specifically notes the need to add more documentation on considerations for what provisions are updated in the compliance matrices and the evidence of review. The review procedures and controls are being enhanced to include a checklist to improve the review. This checklist will be completed by both the compliance matrix creator (upon creation) and the compliance matrix reviewer/approver (upon review and final approval).
Finding 2024-002: Review of Compliance Matrices and Narratives Program Name: 1. Rail and Transit Security Grant Program Assistance Listing No. 97.075 2. Railroad Development Assistance Listing No. 20.314 Federal Award No.: 1. EMW-2022-RA-00032 EMW-2021-RA-00048 EMW-2020-RA-00014 2. 69A36524400010MEGDC Federal Agency: 1. U.S. Department of Homeland Security 2. U.S. Department of Transportation Criteria The code of federal regulations – 2 CFR 200.302 Financial management requires that: (a) Each State must expend and account for the Federal award in accordance with State laws and procedures for expending and accounting for the State’s funds. All recipient and subrecipient financial management systems, including records documenting compliance with Federal statutes, regulations, and the terms and conditions of the Federal award, must be sufficient to permit the preparation of reports required by the terms and conditions; and tracking expenditures to establish that funds have been used in accordance with Federal statutes, regulations, and the terms and conditions of the Federal award. The code of federal regulations – 2 CFR 200.303 Internal controls requires that recipients and subrecipients: (a) Establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). (b) Comply with the U.S. Constitution, Federal statutes, regulations, and the terms and conditions of the Federal award. (c) Evaluate and monitor the recipient’s or subrecipient’s compliance with statutes, regulations, and the terms and conditions of Federal awards. Condition The following exceptions to the criteria were observed during the performance of the audit procedures: 1. For the compliance matrix that is maintained for the Assistance Listing #97.075, we have identified that for nine provisions, the wording contained withing the matrix did not match in its entirety to the respective grant agreement. Additionally, we noted that two provisions that were present in the grant agreements were not included in the matrix. 2. For the compliance matrix that is maintained for the Assistance Listing #20.314, we have identified that for nine provisions, the wording contained withing the matrix did not match in its entirety to the respective grant agreement. 3. Specific compliance requirements as it relates to the earmarking provisions of the respective grants of the Assistance Listing #97.075 were not detailed out within the respective compliance matrix, nor within the compliance narrative that is documented by Amtrak to assess the applicability and relevance of individual compliance requirements contained within the Compliance Supplement. Cause In reviewing management’s controls, the key controls identified by management are not designed such that consistent and timely proactive monitoring and/or review occurs to ensure that all the compliance requirements and any changes to the wording of specific provisions are updated and reviewed within the compliance matrices and the compliance narrative. Effect Amtrak is not in compliance with the 2 CFR 200.302 (a) and 2 CFR 200.303. This may also put Amtrak at greater risk of non-compliance with specific provisions in accordance with the federal awards. Questioned Costs None. Context We have reviewed the federal awards in scope and the compliance matrices and compliance narrative maintained by the Company as part of the audit procedures in connection with testing of earmarking and special tests and provisions compliance requirements. Identification as a Repeat Finding Not a repeat finding. However, we have noted similar control deficiencies related to completeness of the compliance matrices in prior years. Recommendation We recommend that Amtrak establishes a more defined timeline for the events that would trigger the update and review of the compliance matrices and compliance narrative, which could include execution of any new federal awards or amendments to existing federal awards. Additionally, Amtrak should establish a process where the modifications to the provisions are assessed for materiality/applicability and include documentation of the respective conclusions as part of the review process. Views of Responsible Officials Amtrak acknowledges the need to augment process documentation around the controls over the preparation and updates to the compliance matrices. The company is in the process of updating these controls now and will incorporate the identified findings in developing more robust controls. The company specifically notes the need to add more documentation on considerations for what provisions are updated in the compliance matrices and the evidence of review. The review procedures and controls are being enhanced to include a checklist to improve the review. This checklist will be completed by both the compliance matrix creator (upon creation) and the compliance matrix reviewer/approver (upon review and final approval).
Finding 2024-001: Preparation of Schedule of Expenditures of Federal Awards (SEFA) Program Name: Multiple federal programs Criteria 1. The code of federal regulations – 2 CFR 200.302 Financial management requires that: (a) Each State must expend and account for the Federal award in accordance with State laws and procedures for expending and accounting for the State’s funds. All recipient and subrecipient financial management systems, including records documenting compliance with Federal statutes, regulations, and the terms and conditions of the Federal award, must be sufficient to permit the preparation of reports required by the terms and conditions; and tracking expenditures to establish that funds have been used in accordance with Federal statutes, regulations, and the terms and conditions of the Federal award. (b) The recipient’s and subrecipient’s financial management system must provide for the following: (1) Identification of all Federal awards received and expended and the Federal programs under which they were received. Federal program and Federal award identification must include, as applicable, the Assistance Listings title and number, Federal award identification number, year the Federal award was issued, and name of the Federal agency or pass-through entity. (2) Accurate, current, and complete disclosure of the financial results of each Federal award or program in accordance with the reporting requirements in § 200.328 and § 200.329. When a Federal agency or pass-through entity requires reporting on an accrual basis from a recipient or subrecipient that maintains its records other than on an accrual basis, the recipient or subrecipient must not be required to establish an accrual accounting system. This recipient or subrecipient may develop accrual data for its reports based on an analysis of the documentation on hand. 2. The code of federal regulations – 2 CFR 200.303 Internal controls requires that recipients and subrecipients must: (a) Establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). (b) Comply with the U.S. Constitution, Federal statutes, regulations, and the terms and conditions of the Federal award. (c) Evaluate and monitor the recipient’s or subrecipient’s compliance with statutes, regulations, and the terms and conditions of Federal awards. (d) Take prompt action when instances of noncompliance are identified. Condition The following exceptions to the criteria were observed during the performance of the audit procedures: 1. After the completion of internal review and approval process that Amtrak has established for SEFA preparation and review, we have received multiple updated versions of the schedule with changes to FY24 expenditure amounts for three Assistance Listings included on the SEFA. Total expenditures increased by $80.2 million from version 1 to the final version received. 2. The starting point of the SEFA preparation for the current year was not the audited FY23 SEFA submitted to Federal Audit Clearinghouse, as we have identified that Amtrak subsequently made changes to the FY23 internal SEFA document without reconciling the changes to the audited FY23 SEFA, which resulted in the total cumulative expenditures as of 9/30/2023 to be updated and as such impacting the FY24 expenditures for the respective federal programs. One of the adjustments related to the Hudson Yards Concrete Casing project (HYCC-3) which initially incorrectly recorded $25.0 million of prepaid expenditures. 3. As Assistance Listing #20.314 has been obligated as of 9/27/2024, Amtrak has recorded expenditures related to the HYCC-3 project under this program for the established pre-award period, which dated from January 30, 2023 as part of the FY24 expenditures. Previously, a portion of the total expenditures was included within the FY23 SEFA under Assistance Listing #20.315, for the total amount of $15.6 million. This amount was not adjusted out of the cumulative expenditures for Assistance Listing #20.315 until 2025. Consequently, these expenditures were listed both within the FY23 SEFA under Assistance Listing #20.315 and under the FY24 SEFA as Assistance Listing #20.314 expenditures. 4. As part of SEFA preparation as it relates to allocation of operating expenditures across multiple funding sources, certain projects were incorrectly mapped to annual grants funding source, which resulted in approximately $0.3 million of operating expenses to be included within Assistance Listing #20.315 that were also reported under Assistance Listing #97.075. Cause Amtrak’s control procedures in place as it relates to the preparation of the SEFA were not operating in a manner that would timely identify the conditions noted. Additionally, Amtrak’s controls around allocation of federal funding to project codes were not designed in a manner that would timely identify the conditions noted. In reviewing management’s controls around the SEFA preparation, the design of key controls identified by management does not include an overarching review of the SEFA and reconciliation of what’s been reported on the SEFA from individual projects’ standpoint when such projects have multiple assistance listings as funding sources. We also noted that there was not a specific control that ensures timely updates of Work Breakdown Structure (WBS) funding assignments and allocations when there is a change such as a new grant agreement signed. Effect Amtrak’s control procedures in place as it relates to the preparation of the SEFA were not designed in such a manner that would timely identify the conditions noted, which resulted in several versions of the SEFA that were erroneous and inclusion of expenditures that were double counted within the SEFA. This puts Amtrak at greater risk of non-compliance with its grant agreements with respect to questioned costs and an inaccurate SEFA. Questioned Costs None. Context The SEFA, as originally provided, had exceptions as described in the Condition section above noted for matters 1 and 2 in the Criteria section above, indicating that certain internal controls were not functioning as designed and others were not designed effectively. Identification as a Repeat Finding Not a repeat finding. Recommendation We recommend Amtrak to strengthen the SEFA oversight process to ensure appropriate preparation and review of the SEFA to validate its accuracy, including reconciliation with prior year audited SEFA. This should include having one reviewer take overall responsibility for the completeness and accuracy of the final submitted SEFA. This robust review process should include appropriate procedures to confirm accuracy of the SEFA, which may include a protocol where representatives from various groups (both discretionary and non-discretionary federal programs) work collaboratively to review the SEFA and underlying details of expenditures, to ensure all the adjustments have been properly reflected as well as any projects that might have multiple fund sources are identified timely and reviewed for appropriate inclusion within the SEFA. Additionally, Amtrak should establish a process where any modifications of WBS funding assignments and allocations are updated in a timely manner. Views of Responsible Officials Amtrak recognizes the need to improve the preparation and review of the SEFA. The company has documented the steps for preparing and reviewing the SEFA within its process narrative. The company will update the narrative to address the preparation and review issues that led to the multiple versions of the SEFA being provided during the audit. The company will review and update the Grants Management Compliance Narrative and controls to improve timing of updates for modifications of WBS funding assignments. The company is in the process of updating the SEFA preparation documentation for FY2025, which will be used at the end of the year. The review procedures and controls are being enhanced to include a checklist to improve the review.
Assistance Listing, Federal Agency, and Program Name 93.045/93.053, U.S. Department of Health and Human Services, Aging Cluster Federal Award Identification Number and Year N/A Pass through Entity Area Agency on Aging 1C Finding Type Material weakness Repeat Finding No Criteria Per 2 CFR 200.303(a), nonfederal entities must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The County’s controls over meal participants did not ensure a review was in place to check the intake forms for Halal Home Delivered meal participants or that updated assessments were obtained for home delivered meals. Lastly there was not a control in place to ensure liquid meal participants maintained a physician order, renewed every six months, stating the need for the additional supplement. Questioned Costs N/A Identification of How Questioned Costs Were Computed Not applicable, as there are no questioned costs Context The County is responsible for ensuring participants who receive meals are eligible under the terms of the grant. The County did not have a control over any Home Delivered Halal meal participants for eligibility, which made up 1 of 30 Home Delivered participants tested. In total, there are approximately 110 Home Delivered Halal participants out of a total of 3,872 Home Delivered participants given meals during the year. These participants made up about 3% of the total population. The County did not perform an updated assessment on 2 out of 30 participants tested for home delivered meals. The County did not obtain updated physician orders for all 4 of the liquid meal participants tested. In total there are about 386 liquid meal participants. This is less than 10% of all meals delivered. Of the 386 only 1% did not receive updated doctor notes. Cause and Effect The Country’s controls were not adequate to ensure that meals were only provided to eligible individuals. The lack of controls can result in the County not identifying ineligible participants timely. Recommendation We recommend the County implement the appropriate controls to ensure meals are provided to eligible individuals. Views of Responsible Officials and Corrective Action Plan Wayne County’s Department of Senior Services will implement processes to ensure only eligible individuals receive meals. A quarterly report will be run to verify all home delivered meal clients have updated assessments and reassessments and will be reviewed by the Department Director and or Division Director quarterly. Halal home delivered meal clients assessments will be reviewed by a second staff member to ensure eligibility and verified by the Department Director and or Division Director monthly.
Assistance Listing, Federal Agency, and Program Name 93.045/93.053, U.S. Department of Health and Human Services, Aging Cluster Federal Award Identification Number and Year N/A Pass through Entity Area Agency on Aging 1C Finding Type Material weakness Repeat Finding No Criteria Per 2 CFR 200.303(a), nonfederal entities must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The County’s controls over meal participants did not ensure a review was in place to check the intake forms for Halal Home Delivered meal participants or that updated assessments were obtained for home delivered meals. Lastly there was not a control in place to ensure liquid meal participants maintained a physician order, renewed every six months, stating the need for the additional supplement. Questioned Costs N/A Identification of How Questioned Costs Were Computed Not applicable, as there are no questioned costs Context The County is responsible for ensuring participants who receive meals are eligible under the terms of the grant. The County did not have a control over any Home Delivered Halal meal participants for eligibility, which made up 1 of 30 Home Delivered participants tested. In total, there are approximately 110 Home Delivered Halal participants out of a total of 3,872 Home Delivered participants given meals during the year. These participants made up about 3% of the total population. The County did not perform an updated assessment on 2 out of 30 participants tested for home delivered meals. The County did not obtain updated physician orders for all 4 of the liquid meal participants tested. In total there are about 386 liquid meal participants. This is less than 10% of all meals delivered. Of the 386 only 1% did not receive updated doctor notes. Cause and Effect The Country’s controls were not adequate to ensure that meals were only provided to eligible individuals. The lack of controls can result in the County not identifying ineligible participants timely. Recommendation We recommend the County implement the appropriate controls to ensure meals are provided to eligible individuals. Views of Responsible Officials and Corrective Action Plan Wayne County’s Department of Senior Services will implement processes to ensure only eligible individuals receive meals. A quarterly report will be run to verify all home delivered meal clients have updated assessments and reassessments and will be reviewed by the Department Director and or Division Director quarterly. Halal home delivered meal clients assessments will be reviewed by a second staff member to ensure eligibility and verified by the Department Director and or Division Director monthly.
Assistance Listing, Federal Agency, and Program Name 93.045/93.053, U.S. Department of Health and Human Services, Aging Cluster Federal Award Identification Number and Year N/A Pass through Entity Area Agency on Aging 1C Finding Type Material weakness Repeat Finding No Criteria Per 2 CFR 200.303(a), nonfederal entities must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The County’s controls over meal participants did not ensure a review was in place to check the intake forms for Halal Home Delivered meal participants or that updated assessments were obtained for home delivered meals. Lastly there was not a control in place to ensure liquid meal participants maintained a physician order, renewed every six months, stating the need for the additional supplement. Questioned Costs N/A Identification of How Questioned Costs Were Computed Not applicable, as there are no questioned costs Context The County is responsible for ensuring participants who receive meals are eligible under the terms of the grant. The County did not have a control over any Home Delivered Halal meal participants for eligibility, which made up 1 of 30 Home Delivered participants tested. In total, there are approximately 110 Home Delivered Halal participants out of a total of 3,872 Home Delivered participants given meals during the year. These participants made up about 3% of the total population. The County did not perform an updated assessment on 2 out of 30 participants tested for home delivered meals. The County did not obtain updated physician orders for all 4 of the liquid meal participants tested. In total there are about 386 liquid meal participants. This is less than 10% of all meals delivered. Of the 386 only 1% did not receive updated doctor notes. Cause and Effect The Country’s controls were not adequate to ensure that meals were only provided to eligible individuals. The lack of controls can result in the County not identifying ineligible participants timely. Recommendation We recommend the County implement the appropriate controls to ensure meals are provided to eligible individuals. Views of Responsible Officials and Corrective Action Plan Wayne County’s Department of Senior Services will implement processes to ensure only eligible individuals receive meals. A quarterly report will be run to verify all home delivered meal clients have updated assessments and reassessments and will be reviewed by the Department Director and or Division Director quarterly. Halal home delivered meal clients assessments will be reviewed by a second staff member to ensure eligibility and verified by the Department Director and or Division Director monthly.
Assistance Listing, Federal Agency, and Program Name 93.045/93.053, U.S. Department of Health and Human Services, Aging Cluster Federal Award Identification Number and Year N/A Pass through Entity Area Agency on Aging 1C Finding Type Material weakness Repeat Finding No Criteria Per 2 CFR 200.303(a), nonfederal entities must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The County’s controls over meal participants did not ensure a review was in place to check the intake forms for Halal Home Delivered meal participants or that updated assessments were obtained for home delivered meals. Lastly there was not a control in place to ensure liquid meal participants maintained a physician order, renewed every six months, stating the need for the additional supplement. Questioned Costs N/A Identification of How Questioned Costs Were Computed Not applicable, as there are no questioned costs Context The County is responsible for ensuring participants who receive meals are eligible under the terms of the grant. The County did not have a control over any Home Delivered Halal meal participants for eligibility, which made up 1 of 30 Home Delivered participants tested. In total, there are approximately 110 Home Delivered Halal participants out of a total of 3,872 Home Delivered participants given meals during the year. These participants made up about 3% of the total population. The County did not perform an updated assessment on 2 out of 30 participants tested for home delivered meals. The County did not obtain updated physician orders for all 4 of the liquid meal participants tested. In total there are about 386 liquid meal participants. This is less than 10% of all meals delivered. Of the 386 only 1% did not receive updated doctor notes. Cause and Effect The Country’s controls were not adequate to ensure that meals were only provided to eligible individuals. The lack of controls can result in the County not identifying ineligible participants timely. Recommendation We recommend the County implement the appropriate controls to ensure meals are provided to eligible individuals. Views of Responsible Officials and Corrective Action Plan Wayne County’s Department of Senior Services will implement processes to ensure only eligible individuals receive meals. A quarterly report will be run to verify all home delivered meal clients have updated assessments and reassessments and will be reviewed by the Department Director and or Division Director quarterly. Halal home delivered meal clients assessments will be reviewed by a second staff member to ensure eligibility and verified by the Department Director and or Division Director monthly.
2024-001 – Internal Controls Over Service Agencies Federal Agency: Department of Housing and Urban Development Program Name: Community Development Block Grant Assistance Listing Number: ALN 14.228 Pass-through Entity: Michigan Economic Development Corporation Grant Number: MSC 222028-ESB Criteria: Per 2 CFR 200.303, the recipient must establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient or subrecipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States, or the “Internal Control-Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The City contracted with a service agency for administration of the grant. Processes and procedures were in place related to the review of the reimbursement requests prior to submission. However, as it relates to other reporting requirements, there was no formalized review process prior to submission. Cause: The project is related to the demolition and clearance of the former hospital location. The City is the grantee, but Northern Michigan University Foundation is the property owner. The City reimbursed the property owner for allowable costs in accordance with the grant agreement. In order to assist with grant administration, the service agency received information not only from the City, but also the property owner related to the project. The overall project consisted of multiple phases; however, only portions of Phase I were covered by the grant agreement. When preparing one of the semi-annual CDBG Progress Reports, the service agency erroneously included amounts that were not related to the grant. Effect: One of the semi-annual CDBG Progress Reports submitted to the Michigan Economic Development Corporation was erroneous. Questioned Costs: None. Identification of How Questioned Costs were Computed: N/A Perspective: When informed of the error, the service agency immediately reached out to the Michigan Economic Development Corporation (MEDC), the pass-through entity, for guidance on how to proceed with correcting the error. Prior to re-submitting a revised CDBG Progress Report, the service agency forwarded the report to a responsible official at the City for review. Review of the MEDC’s Single Audit Certification report did not result in any errors detected. Furthermore, review of the reimbursement requests did not reveal any errors which would have resulted in the City over or under-receiving federal reimbursements. Repeat Finding: No. Recommendation: Procedures should be put into place that when a service agency is utilized for administering a federal grant(s) that all reports are reviewed by a responsible City official prior to submission to the federal agency. This includes, but is not limited to, reimbursement requests, intermittent reporting, and any other required reports. Views of Responsible Officials: Management agrees with the finding.
2024-002 – Internal Controls Over Reporting Federal Agency: Department of Transportation Program Name: Port Infrastructure Development Program Assistance Listing Number: ALN 20.823 Pass-through Entity: N/A Grant Number: 693JF72245018 Criteria: Per 2 CFR 200.303, the recipient must establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient or subrecipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States, or the “Internal Control-Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: When preparing one of the quarterly reports the City erroneously included costs in the current quarter’s expenditures that were already included in a previous quarter’s expenditure amounts. Cause: The City’s Engineering department is performing services related to the grant including program management, construction management, along with engineering services. As a result, payroll costs are allocated to the grant. When preparing one of the Quarterly Progress Reports the wrong time range was used which resulted in duplication of some of the payroll expenditures. Effect: One of the Quarterly Progress Reports was over-stated. Cumulative expenditures on future Quarterly Progress Reports will be misstated. Questioned Costs: None. Identification of How Questioned Costs were Computed: N/A Perspective: Review of other quarterly reports submitted during the fiscal year did not result in any errors detected. Furthermore, review of the reimbursement requests did not reveal any errors which would have resulted in the City over or under-receiving federal reimbursements. When informed of the error, the City immediately reached out to the United States Department of Transportation Maritime Administration (MARAD) for guidance on how to proceeds with correcting the error. The City also reviewed, revised, and resubmitted any subsequent Quarterly Progress Reports that were impacted. Repeat Finding: No. Recommendation: Prior to submitting the Quarterly Progress Report a secondary review should be performed by someone other than the preparing to ensure the data properly reconciles to the City’s financial reporting system. Views of Responsible Officials: Management agrees with the finding.
REFERENCE: 2024-101 REPEAT FINDING REFERENCE: 2023-001 CFDA NUMBER: 10.558 – CHILD AND ADULT CARE FOOD PROGRAM U.S. DEPARTMENT OF AGRICULTURE - FOOD AND NUTRITION - 2024 PASSED THROUGH ARIZONA STATE DEPARTMENT OF EDUCATION GRANT NUMBER 6AZ300003 QUESTIONED COSTS N/A CONDITION The following errors were noted during testing of FDCH Site Claims, the Sponsor’s Meal Served Report and 40 Day Care Home provider files for the months of July 2024 and September 2024: 1. For 3 of 40 provider files tested, menus were clerically inaccurate and did not support the meals claimed. This error occurred in both months tested. 2. For 2 of 40 provider files tested, meals were claimed when the provider’s children were the only children present. This error occurred in September 2024. 3. For 1 of 40 provider files tested, meals were claimed when no children were indicated as being present for the meal. This error occurred in July 2024. 4. For 1 of 40 provider files tested, more than 2 meals and 1 snack or 2 snacks and 1 meal were claimed for a child. This error occurred in September 2024. 5. For 1 of 40 provider files tested, meals were incorrectly disallowed based on the provider’s income eligibility. This error occurred in September 2024. These errors resulted in the following revised meal counts: These variances resulted in an under payment (known questioned costs) of $62. However, after projecting the various types of errors over six meal categories for the entire year, likely under reported costs totaled $2,958. CRITERIA In accordance with the Arizona Department of Education, Day Care Home Compliance Manual, Revised June 2019, Chapter 6 New Provider Eligibility Requirements, 6.3 Provider’s Own, at least one non-residential child must be enrolled and receiving care by the provider in order for the provider to qualify as a family child care home for CACFP eligibility purposes. Payment may be made for meals served to the provider's own children only when: • Such children are enrolled and participating in the child care program during the time of the meal service, • Enrolled nonresident children are present and participating in the child care program, and • The provider is eligible for Tier I reimbursement and providers' children are eligible to receive free or reduced-price meals. In accordance with the Arizona Department of Education, Day Care Home Compliance Manual, Revised June 2019, Chapter 10, Meal Requirements, Section 10.7 Other Meal Requirements, in order to claim a meal, the provider must abide by the following criteria: • The provider must serve a fully reimbursable meal that meets the meal pattern requirements and are supported by complete and up to date attendance, meal count, and menu records; • The child must be present and participate in the meal service; • All meal components must be served together; • The meal must be fully consumed on the premises in a congregate setting. Meals sent home with a child due to the parent picking up the child during meal service cannot be claimed; • Meal must be served during approved meal service time; • The provider can be reimbursed for a maximum of two meals and one snack or two snacks and one meal per child, per day; • Only children who are enrolled can be claimed and the number of children cannot exceed the allowable ratio; • Payment may be made for meals served to provider’s own child(ren) or foster children only when: Their child(ren) are enrolled and participating in the child care program during the time of the meal service; At least one enrolled, non-resident child is present and participating in the child care program; The provider meets the family size income standards for free or reduced price meals; • Seconds may be served but are not reimbursable; and • If a school age child receives a breakfast, lunch or afterschool snack at school, a provider may not claim the same meal. In accordance with the Uniform Guidance, Compliance Supplement, Part 6 – Internal Control, the 2 CFR section 200.303 requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. EFFECT Program requirements were not complied with. Additionally, meal reimbursements were clerically inaccurate and the providers were incorrectly reimbursed. CAUSE Although the internal controls were adequately designed, there were deficiencies in the execution of the controls. Most errors occurred on paper menus, which have a higher risk of errors. RECOMMENDATION AND BENEFIT Menus should be reviewed to ensure all meals are claimed, and provider meal count sheets should be reviewed for clerical accuracy and completion, prior to the preparation of the reimbursement claim. Additionally, income affidavits income affidavit information should be entered into the system timely to ensure that meals are properly claimed. These reviews should be documented. This will help ensure that program requirements are complied with and only eligible meals served to eligible participants are claimed for reimbursement. VIEWS OF RESPONSIBLE OFFICIALS See Corrective Action Plan.
REFERENCE: 2024-102 CFDA NUMBER: 10.558 – CHILD AND ADULT CARE FOOD PROGRAM U.S. DEPARTMENT OF AGRICULTURE - FOOD AND NUTRITION - 2024 PASSED THROUGH ARIZONA STATE DEPARTMENT OF EDUCATION GRANT NUMBER 6AZ300003 QUESTIONED COSTS N/A CONDITION The following errors were noted while testing the Category Detail Reports, Sponsor Claim and Child and Adult Care Food Program (CACFP) expenses for July 2024 and September 2024: 1. The hourly timesheet for one employee in September 2024 was clerically inaccurate. 2. Contracted services for September 2024 were double claimed. These errors resulted in the following revised amounts: These errors resulted in an over reporting of total Administrative Costs (known questioned costs) of $183. However, after projecting the various types of errors over operating costs for the entire year, likely questioned costs totaled $943. CRITERIA In accordance with the Uniform Guidance, Compliance Supplement, Part 6 – Internal Control, the 2 CFR section 200.303 requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. In accordance with the Arizona Department of Education, Day Care Home Compliance Manual, Revised June 2019, Chapter 5 Sponsor Responsibilities, Section 5.2 Sponsor Recordkeeping Requirements, sponsoring organizations are required to maintain records to fully support the monthly claim for reimbursement and compliance with program regulations. All sponsoring organizations must have a written policy pertaining to their recordkeeping procedures. All records shall be retained for a period of five years after the date of submission of the final claim for the fiscal year to which they pertain. EFFECT Program requirements were not complied with. Additionally, administrative costs were over reported. CAUSE Although the internal controls were adequately designed, there were deficiencies in the execution of the controls. Costs were not correctly summarized and reported on the Sponsor Claim. RECOMMENDATION AND BENEFIT The Organization’s monthly administrative cost report and supporting documentation should be reviewed for accuracy prior to completing the reimbursement claim. Any review should be documented. This will help ensure that program requirements are complied with and that administrative costs are accurately reported. VIEWS OF RESPONSIBLE OFFICIALS See Corrective Action Plan.
Federal Agency: U.S. Department of Health and Human Services Federal Program Name: Head Start Cluster Federal Assistance Listing Number: 93.600 Federal Award Identification Number(s) and Year(s): 05CH010838-2023, 05CH010838-2024 Award Period: March, 1 2023 to February 29, 2024; and March 1, 2024 to February 28, 2025 Type of Finding: Material Weakness in Internal Control over Major Federal Programs Criteria or Specific Requirement: Under 2 CFR section 200.303, a nonfederal entity must establish and maintain effective internal controls over the federal awards that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Timely review and approval should be maintained to ensure accurate reports are submitted. Condition: The Organization does not have adequate internal controls in place to ensure required reports are approved by the appropriate personnel before being submitted. Questioned Costs: N/A Context: The two financial status reports selected for testing both did not contain a formal documented review and approval. Cause: While management does have a separate individual assigned to review the required reports prepared by the Fiscal Director, that review is not formally documented. Effect: Potential for inaccurate information reported. Repeat Finding: This is a repeat finding. Recommendation: We recommend that the assigned individual to review formally documents their review and approval of the reports with a signature before the required date to be submitted. Views of responsible officials and planned corrective actions: There is no disagreement with the finding. WCCA has already implemented a process to ensure all reports are reviewed and approved with documentation before submission.
Federal Agency: U.S. Department of Health and Human Services Federal Program Name: Head Start Cluster Federal Assistance Listing Number: 93.600 Federal Award Identification Number(s) and Year(s): 05CH010838-2023, 05CH010838-2024 Award Period: March, 1 2023 to February 29, 2024; and March 1, 2024 to February 28, 2025 Type of Finding: Material Weakness in Internal Control over Major Federal Programs Criteria or Specific Requirement: Under 2 CFR section 200.303, a nonfederal entity must establish and maintain effective internal controls over the federal awards that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Timely review and approval should be maintained to ensure accurate reports are submitted. Condition: The Organization does not have adequate internal controls in place to ensure required reports are approved by the appropriate personnel before being submitted. Questioned Costs: N/A Context: The two financial status reports selected for testing both did not contain a formal documented review and approval. Cause: While management does have a separate individual assigned to review the required reports prepared by the Fiscal Director, that review is not formally documented. Effect: Potential for inaccurate information reported. Repeat Finding: This is a repeat finding. Recommendation: We recommend that the assigned individual to review formally documents their review and approval of the reports with a signature before the required date to be submitted. Views of responsible officials and planned corrective actions: There is no disagreement with the finding. WCCA has already implemented a process to ensure all reports are reviewed and approved with documentation before submission.
Federal Agency: U.S. Department of Health and Human Services Federal Program Name: Head Start Cluster Federal Assistance Listing Number: 93.600 Federal Award Identification Number(s) and Year(s): 05CH010838-2023, 05CH010838-2024 Award Period: March, 1 2023 to February 29, 2024; and March 1, 2024 to February 28, 2025 Type of Finding: Material Weakness in Internal Control over Major Federal Programs Criteria or Specific Requirement: Under 2 CFR section 200.303, a nonfederal entity must establish and maintain effective internal controls over the federal awards that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Timely review and approval should be maintained to ensure accurate reports are submitted. Condition: The Organization does not have adequate internal controls in place to ensure required reports are approved by the appropriate personnel before being submitted. Questioned Costs: N/A Context: The two financial status reports selected for testing both did not contain a formal documented review and approval. Cause: While management does have a separate individual assigned to review the required reports prepared by the Fiscal Director, that review is not formally documented. Effect: Potential for inaccurate information reported. Repeat Finding: This is a repeat finding. Recommendation: We recommend that the assigned individual to review formally documents their review and approval of the reports with a signature before the required date to be submitted. Views of responsible officials and planned corrective actions: There is no disagreement with the finding. WCCA has already implemented a process to ensure all reports are reviewed and approved with documentation before submission.
Federal Agency: U.S. Department of Health and Human Services Federal Program Name: Head Start Cluster Federal Assistance Listing Number: 93.600 Federal Award Identification Number(s) and Year(s): 05CH010838-2023, 05CH010838-2024 Award Period: March, 1 2023 to February 29, 2024; and March 1, 2024 to February 28, 2025 Type of Finding: Material Weakness in Internal Control over Major Federal Programs Criteria or Specific Requirement: Under 2 CFR section 200.303, a nonfederal entity must establish and maintain effective internal controls over the federal awards that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Timely review and approval should be maintained to ensure accurate reports are submitted. Condition: The Organization does not have adequate internal controls in place to ensure required reports are approved by the appropriate personnel before being submitted. Questioned Costs: N/A Context: The two financial status reports selected for testing both did not contain a formal documented review and approval. Cause: While management does have a separate individual assigned to review the required reports prepared by the Fiscal Director, that review is not formally documented. Effect: Potential for inaccurate information reported. Repeat Finding: This is a repeat finding. Recommendation: We recommend that the assigned individual to review formally documents their review and approval of the reports with a signature before the required date to be submitted. Views of responsible officials and planned corrective actions: There is no disagreement with the finding. WCCA has already implemented a process to ensure all reports are reviewed and approved with documentation before submission.
Federal Agency: U.S. Department of Health and Human Services Federal Program Name: Head Start Cluster Federal Assistance Listing Number: 93.600 Federal Award Identification Number(s) and Year(s): 05CH010838-2023, 05CH010838-2024 Award Period: March, 1 2023 to February 29, 2024; and March 1, 2024 to February 28, 2025 Type of Finding: Material Weakness in Internal Control over Major Federal Programs Criteria or Specific Requirement: Under 2 CFR section 200.303, a nonfederal entity must establish and maintain effective internal controls over the federal awards that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Timely review and approval should be maintained to ensure accurate reports are submitted. Condition: The Organization does not have adequate internal controls in place to ensure required reports are approved by the appropriate personnel before being submitted. Questioned Costs: N/A Context: The two financial status reports selected for testing both did not contain a formal documented review and approval. Cause: While management does have a separate individual assigned to review the required reports prepared by the Fiscal Director, that review is not formally documented. Effect: Potential for inaccurate information reported. Repeat Finding: This is a repeat finding. Recommendation: We recommend that the assigned individual to review formally documents their review and approval of the reports with a signature before the required date to be submitted. Views of responsible officials and planned corrective actions: There is no disagreement with the finding. WCCA has already implemented a process to ensure all reports are reviewed and approved with documentation before submission.
Allowable Costs/Activities Allowed Material Weakness, Noncompliance 2024-002 Strengthen Controls to Ensure Compliance with Allowable Costs Requirements Agency: U.S. Department of Transportation; Passed-through Mississippi Office of Highway Safety ALN Numbers: 20.600 State and Community Highway Safety 20.616 National Priority Safety Programs Federal Award: M5TR-2024-MD-22-51 Repeat Finding: No Questioned Costs: $1,432.84 Criteria: In accordance with 2 CFR 200.403, costs charged to a federal award must be necessary, reasonable, and allocable. Further, per 2 CFR 200.303, the non-federal entity must establish and maintain effective internal controls over the federal award. Condition: During our evaluation and testing of the grant, we were alerted to improper payments totaling $1,432 made to employees as the result of misrepresentation of reimbursable expenses. The payments were processed and disbursed; however, internal controls subsequently identified and alerted officials to the improper payments. The employees were terminated, and no additional payments were made. Cause: Fraudulent requests for employee expense reimbursement for travel were submitted and not independently verified. Although controls were in place to verify such requests, the fraud attempt bypassed initial detection. The City’s post-disbursement review controls detected the issue, but only after payment had occurred. Effect: The City disbursed $1,432 in federal funds to fraudulent reimbursements. Although no additional losses occurred and corrective actions were taken, the incident reflects a breakdown in the preventative control environment over disbursement verification. Recommendation: We recommend that the City implement additional internal controls to ensure that proper and substantiated travel reimbursement payments are made. Views of Responsible Officials: The City concurs with the finding. While our internal post-payment review control ultimately identified the issue, we acknowledge the breakdown in the preventive stage. We have since revised our procedures to require independent verification. We also reported the incident to proper agencies as required.
Allowable Costs/Activities Allowed Material Weakness, Noncompliance 2024-002 Strengthen Controls to Ensure Compliance with Allowable Costs Requirements Agency: U.S. Department of Transportation; Passed-through Mississippi Office of Highway Safety ALN Numbers: 20.600 State and Community Highway Safety 20.616 National Priority Safety Programs Federal Award: M5TR-2024-MD-22-51 Repeat Finding: No Questioned Costs: $1,432.84 Criteria: In accordance with 2 CFR 200.403, costs charged to a federal award must be necessary, reasonable, and allocable. Further, per 2 CFR 200.303, the non-federal entity must establish and maintain effective internal controls over the federal award. Condition: During our evaluation and testing of the grant, we were alerted to improper payments totaling $1,432 made to employees as the result of misrepresentation of reimbursable expenses. The payments were processed and disbursed; however, internal controls subsequently identified and alerted officials to the improper payments. The employees were terminated, and no additional payments were made. Cause: Fraudulent requests for employee expense reimbursement for travel were submitted and not independently verified. Although controls were in place to verify such requests, the fraud attempt bypassed initial detection. The City’s post-disbursement review controls detected the issue, but only after payment had occurred. Effect: The City disbursed $1,432 in federal funds to fraudulent reimbursements. Although no additional losses occurred and corrective actions were taken, the incident reflects a breakdown in the preventative control environment over disbursement verification. Recommendation: We recommend that the City implement additional internal controls to ensure that proper and substantiated travel reimbursement payments are made. Views of Responsible Officials: The City concurs with the finding. While our internal post-payment review control ultimately identified the issue, we acknowledge the breakdown in the preventive stage. We have since revised our procedures to require independent verification. We also reported the incident to proper agencies as required.
Allowable Costs/Activities Allowed Material Weakness, Noncompliance 2024-002 Strengthen Controls to Ensure Compliance with Allowable Costs Requirements Agency: U.S. Department of Transportation; Passed-through Mississippi Office of Highway Safety ALN Numbers: 20.600 State and Community Highway Safety 20.616 National Priority Safety Programs Federal Award: M5TR-2024-MD-22-51 Repeat Finding: No Questioned Costs: $1,432.84 Criteria: In accordance with 2 CFR 200.403, costs charged to a federal award must be necessary, reasonable, and allocable. Further, per 2 CFR 200.303, the non-federal entity must establish and maintain effective internal controls over the federal award. Condition: During our evaluation and testing of the grant, we were alerted to improper payments totaling $1,432 made to employees as the result of misrepresentation of reimbursable expenses. The payments were processed and disbursed; however, internal controls subsequently identified and alerted officials to the improper payments. The employees were terminated, and no additional payments were made. Cause: Fraudulent requests for employee expense reimbursement for travel were submitted and not independently verified. Although controls were in place to verify such requests, the fraud attempt bypassed initial detection. The City’s post-disbursement review controls detected the issue, but only after payment had occurred. Effect: The City disbursed $1,432 in federal funds to fraudulent reimbursements. Although no additional losses occurred and corrective actions were taken, the incident reflects a breakdown in the preventative control environment over disbursement verification. Recommendation: We recommend that the City implement additional internal controls to ensure that proper and substantiated travel reimbursement payments are made. Views of Responsible Officials: The City concurs with the finding. While our internal post-payment review control ultimately identified the issue, we acknowledge the breakdown in the preventive stage. We have since revised our procedures to require independent verification. We also reported the incident to proper agencies as required.
GRANT REPORTING U.S. Department of Treasury ALN 21.027 – Coronavirus State and Local Fiscal Recovery Funds Contract No. 23.saa.900.46 (2023) Passed through the Florida Department of State 2024 Funding Repeat Finding Criteria: 2 CFR 200.303 requires non-federal entities to establish and maintain effective internal controls. Reports and reimbursement requests should be subject to independent review for the full fiscal year to verify completeness, validity and timeliness of submission. The grant agreement requires quarterly progress reports to be filed with the pass through entity, Florida Department of State. Condition: Review of quarterly reports was not always documented by City officials before submittal by their third party consultant. Cause of condition: The department at the City that is responsible for managing the grant did not originally have a process in place to document their review of progress reports submitted to the Florida Department of State by their third party consultant. Potential effect of condition: Reports submitted to the Florida Department of State may be incomplete, include errors, or be submitted late. Perspective: After this condition was reported as a finding for the fiscal year ending September 30, 2023, the City’s department that is responsible for managing the grant implemented a review process, but it was not in place for the full fiscal year 2024. Questioned costs: None. Recommendation: The City’s department responsible for the grant should continue to perform the review process that was put in place late in fiscal year 2024. Management’s Response:. The City updated its control process to ensure that reports prepared by third-party consultant are reviewed by City staff prior to being submitted to the grantor.
Finding No.: 2024-001 Federal Agency: U.S. Department of Education AL Program: Student Financial Assistance Cluster Federal Award No.: Various Area: Special Tests and Provisions – Gramm-Leach-Bliley Act-Student Information Security Questioned Costs: $0 Criteria: 2 CFR 200.303 requires that a non-federal entity must “(a) establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the GLBA because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (ⅳ) Assess apps developed by the institution (ⅴ) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (ⅵ) Dispose of customer information securely (ⅶ) Anticipate and evaluate changes to the information system or network. (ⅷ) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: The University does not have a comprehensive written information security program addressing all the required minimum elements of the GLBA although we have noted that the University performs certain procedures to address some of the aforementioned criteria. Cause: The Office of Information Technology (OIT) is not aware of the GLBA requirements that the University needs to comply with effective June 9, 2023. Effect: The University has not developed, implemented and maintained a written Information Security Program compliant with federal regulations. Recommendation: The OIT led by the Chief Information Officer should develop a written Information Security Program as soon as possible to ensure compliance to the federal regulations. Management should review and approve the written Information Security Program annually to ensure that all minimum requirements are met and any changes in regulations are complied with. Views of Responsible Officials: Management agrees with the finding. See Corrective Action Plan.
Finding No.: 2024-001 Federal Agency: U.S. Department of Education AL Program: Student Financial Assistance Cluster Federal Award No.: Various Area: Special Tests and Provisions – Gramm-Leach-Bliley Act-Student Information Security Questioned Costs: $0 Criteria: 2 CFR 200.303 requires that a non-federal entity must “(a) establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the GLBA because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (ⅳ) Assess apps developed by the institution (ⅴ) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (ⅵ) Dispose of customer information securely (ⅶ) Anticipate and evaluate changes to the information system or network. (ⅷ) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: The University does not have a comprehensive written information security program addressing all the required minimum elements of the GLBA although we have noted that the University performs certain procedures to address some of the aforementioned criteria. Cause: The Office of Information Technology (OIT) is not aware of the GLBA requirements that the University needs to comply with effective June 9, 2023. Effect: The University has not developed, implemented and maintained a written Information Security Program compliant with federal regulations. Recommendation: The OIT led by the Chief Information Officer should develop a written Information Security Program as soon as possible to ensure compliance to the federal regulations. Management should review and approve the written Information Security Program annually to ensure that all minimum requirements are met and any changes in regulations are complied with. Views of Responsible Officials: Management agrees with the finding. See Corrective Action Plan.
Finding No.: 2024-001 Federal Agency: U.S. Department of Education AL Program: Student Financial Assistance Cluster Federal Award No.: Various Area: Special Tests and Provisions – Gramm-Leach-Bliley Act-Student Information Security Questioned Costs: $0 Criteria: 2 CFR 200.303 requires that a non-federal entity must “(a) establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the GLBA because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (ⅳ) Assess apps developed by the institution (ⅴ) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (ⅵ) Dispose of customer information securely (ⅶ) Anticipate and evaluate changes to the information system or network. (ⅷ) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: The University does not have a comprehensive written information security program addressing all the required minimum elements of the GLBA although we have noted that the University performs certain procedures to address some of the aforementioned criteria. Cause: The Office of Information Technology (OIT) is not aware of the GLBA requirements that the University needs to comply with effective June 9, 2023. Effect: The University has not developed, implemented and maintained a written Information Security Program compliant with federal regulations. Recommendation: The OIT led by the Chief Information Officer should develop a written Information Security Program as soon as possible to ensure compliance to the federal regulations. Management should review and approve the written Information Security Program annually to ensure that all minimum requirements are met and any changes in regulations are complied with. Views of Responsible Officials: Management agrees with the finding. See Corrective Action Plan.
Finding No.: 2024-001 Federal Agency: U.S. Department of Education AL Program: Student Financial Assistance Cluster Federal Award No.: Various Area: Special Tests and Provisions – Gramm-Leach-Bliley Act-Student Information Security Questioned Costs: $0 Criteria: 2 CFR 200.303 requires that a non-federal entity must “(a) establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the GLBA because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (ⅳ) Assess apps developed by the institution (ⅴ) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (ⅵ) Dispose of customer information securely (ⅶ) Anticipate and evaluate changes to the information system or network. (ⅷ) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: The University does not have a comprehensive written information security program addressing all the required minimum elements of the GLBA although we have noted that the University performs certain procedures to address some of the aforementioned criteria. Cause: The Office of Information Technology (OIT) is not aware of the GLBA requirements that the University needs to comply with effective June 9, 2023. Effect: The University has not developed, implemented and maintained a written Information Security Program compliant with federal regulations. Recommendation: The OIT led by the Chief Information Officer should develop a written Information Security Program as soon as possible to ensure compliance to the federal regulations. Management should review and approve the written Information Security Program annually to ensure that all minimum requirements are met and any changes in regulations are complied with. Views of Responsible Officials: Management agrees with the finding. See Corrective Action Plan.