2 CFR 200 § 200.303

Findings Citing § 200.303

Internal controls.

About this section
Section 200.303 requires recipients and subrecipients of Federal awards to establish and maintain effective internal controls to ensure compliance with Federal laws and award conditions. This section affects organizations receiving Federal funding, mandating them to monitor compliance, address noncompliance promptly, and protect sensitive information.
FY End: 2024-09-30
University of Guam
Compliance Requirement: N
Finding No.: 2024-001
Federal Agency: U.S. Department of Education
AL Program: Student Financial Assistance Cluster
Federal Award No.: Various
Area: Special Tests and Provisions – Gramm-Leach-Bliley Act – Student Information Security
Questioned Costs: $0

Criteria: 2 CFR 200.303 requires that a non-federal entity must “(a) establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”

The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the GLBA because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program:

(1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
(2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
(3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
  (i) Implement and periodically review access controls.
  (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
  (iii) Encrypt customer information on the institution’s system and when it’s in transit.
  (iv) Assess apps developed by the institution.
  (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system.
  (vi) Dispose of customer information securely.
  (vii) Anticipate and evaluate changes to the information system or network.
  (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
(4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
(5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
(6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
(7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).

Condition: The University does not have a comprehensive written information security program addressing all the required minimum elements of the GLBA, although we have noted that the University performs certain procedures to address some of the aforementioned criteria.

Cause: The Office of Information Technology (OIT) is not aware of the GLBA requirements that the University needs to comply with effective June 9, 2023.

Effect: The University has not developed, implemented, and maintained a written Information Security Program compliant with federal regulations.

Recommendation: The OIT, led by the Chief Information Officer, should develop a written Information Security Program as soon as possible to ensure compliance with the federal regulations. Management should review and approve the written Information Security Program annually to ensure that all minimum requirements are met and any changes in regulations are complied with.

Views of Responsible Officials: Management agrees with the finding. See Corrective Action Plan.

FY End: 2024-09-30
Community Loan Fund of New Jersey, Inc.
Compliance Requirement: P
Findings and Questioned Costs Relating to Federal Awards

2024-001 – SEFA Control Deficiency
U.S. Department of Treasury – Community Development Financial Institutions Program (ALN 21.033)
Statistically Valid Sample: No, and it was not intended to be.
Prior Year Finding: Not a repeat finding.
Finding Type: Significant deficiency

Criteria: CFR 200.502(a) requires expenditures be recorded in the period they occur. Additionally, 2 CFR 200.303(a) states that non-federal entities must establish and maintain effective internal control over federal awards that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.

Condition and Context: During our test work over the Schedule of Expenditures of Federal Awards (SEFA), we noted the Organization incorrectly reported expenditures, in the amount of $693,023, incurred in the fiscal year ended September 30, 2023 on the 2024 SEFA. CFR 200.502(a) requires expenditures be recorded on the SEFA in the period they occur. The 2023 expenditures were incurred during the performance period of the grant and were for activities allowed under the grant; therefore there were no questioned costs or noncompliance related to the expenditures. The Organization’s internal controls were not designed to detect that the expenditures were not timely reported on the SEFA.

Cause: The significant deficiency arose primarily from a misunderstanding and misapplication of SEFA preparation rules in accordance with CFR 200.502(a), specifically regarding the timing of recording expenditures.

Effect: Failure to properly report expenditures on the SEFA can lead to a missed or incorrect major program determination.

Questioned Costs: None.

Recommendation: We recommend that the Organization strengthen its internal controls to ensure all expenditures are reported on the SEFA in the period incurred to comply with the requirements of CFR 200.502(a).

Views of Responsible Officials: As noted by our auditor, the submitted expenditures were allowable under the grant. The condition exists such that these expenditures were included within the current period SEFA report because that is when they were determined to be applicable, rather than the period when they were actually incurred (the prior period SEFA report). Going forward, management will ensure to report expenditures in the period they were incurred rather than the period they were applied.

FY End: 2024-09-30
Washington County, FL
Compliance Requirement: I
Item 2024-001 – Suspension and Debarment (Repeat)
COVID-19 Coronavirus State and Local Fiscal Recovery – ALN 21.027
U.S. Department of Treasury
Federal Award Year – 2021

Criteria – 2 CFR 200.303 requires the non-Federal entity to “(a) establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal statutes, regulations, and the terms and conditions of the Federal award.” Non-Federal entities are prohibited from contracting with or making subawards under covered transactions to parties that are suspended or debarred. “Covered transactions” include those procurement contracts for goods and services awarded under a nonprocurement transaction (e.g., grant or cooperative agreement) that are expected to equal or exceed $25,000 or meet certain other criteria as specified in 2 CFR section 180.220. All nonprocurement transactions entered into by a recipient (i.e., subawards to subrecipients), irrespective of award amount, are considered covered transactions, unless they are exempt as provided in 2 CFR section 180.215.

Condition – Adequate controls were not in place to provide for proper review of covered transactions for suspension and debarment. Covered transactions over $25,000 paid with grant funding were not reviewed for suspension and debarment.

Cause – The County lacked sufficient controls to ensure evidence of compliance with suspension and debarment.

Questioned Costs – Not determinable.

Effect – Failure to properly verify that a potential vendor has not been suspended or debarred could result in unallowable expenditures and disallowed costs.

Recommendation – We recommend that controls be put into place to better monitor and document the compliance of vendors for suspension and debarment.

Management’s Response – Management agrees with the finding. The County will implement additional controls to ensure there is evidence of review of covered transactions over $25,000 for suspension and debarment prior to payment. Deputy Clerk, Finance will be responsible for the corrective action and anticipates completion of corrective action will be taken before September 30, 2025.

FY End: 2024-09-30
City of Jacksonville
Compliance Requirement: ABHN
2024-002 – COVID-19: Community Development Block Grants/Entitlement Grants
Federal Awarding Agency – U.S. Department of Housing and Urban Development
Assistance Listing Number – 14.218
FAIN – B-23-UC-12-0017
Award Year – 2023
Questioned costs – none

Criteria: 2 CFR Part 200 in general and 2 CFR section 200.303(a) require non-Federal entities to establish and maintain effective internal controls over Federal awards, including the requirements for allowable costs, cost principles, period of performance, and special tests and provisions – wage rate requirements. The related compliance requirements are set in 24 CFR Part 570 Subpart D and sections 570.200 through .710, the Coronavirus Aid, Relief, and Economic Security (CARES) Act, the April 30, 2021 Quick Guide, CDBG-CV PPR Tieback Flexibilities, Title I of the Housing Community Development Act (HCDA) of 1974, as amended (Pub. L. No. 93-383) (42 USC 5301), 2 CFR Part 200, Subpart E, Appendices III-VII, and sections 200.330, .331, and .501(h), 31 USC 1552, Section III.B.7 of CDBG-CV Notice, Section 110(a) of the HCD Act, federal awarding agency regulations, and the terms and conditions of the award.

Condition: Internal controls related to review of one invoice for a payment to a subrecipient did not have evidence of all required approvals necessary to ensure compliance with allowable costs, cost principles, and period of performance requirements. One monthly payroll allocation journal entry did not have evidence of required approval necessary to ensure compliance with allowable costs, cost principles, and period of performance requirements. Controls were not sufficient over the special tests and provisions – wage rate requirements compliance requirement.

Cause: Internal controls over certain payments, including payments requiring review of contractor and subcontractor wage rates, were not evidenced with clear documentation.

Effect: Allowable costs, cost principles, period of performance, and special tests and provisions – wage rate requirements compliance requirements may not be met due to lack of reperformable internal controls.

Recommendation: We recommend that the City ensure wage rate requirement compliance is prioritized when applicable. We recommend that the City ensure that all controls for grants be documented in written procedures, which should include the name or title of the positions responsible for each control (preparation, review, reconciliation, etc.), and that the performance of the controls be documented in a clear, reperformable manner, including the name and date of each responsible individual and which specific control they performed over compliance for the grant.

FY End: 2024-09-30
Community Action Agency of Jackson, Lenawee, and Hillsdale
Compliance Requirement: BEL
2024-001 – Lack of Independent Review and Approval
Finding Type: Immaterial Noncompliance; Significant Deficiency in Internal Control over Compliance (Allowable Costs/Cost Principles: ALN 93.600 and 64.033; Reporting: ALN 64.033; Eligibility: ALN 64.033).
Program: Head Start; U.S. Department of Health and Human Services; Assistance Listing Number 93.600; All Award Numbers, and VA Supportive Services for Veteran Families Program; Department of Veterans Affairs; Assistance Listing Number 64.033; All Award Numbers.

Criteria: Per 2 CFR 200.303, the recipient and subrecipient must establish, document, and maintain effective internal controls over federal awards that provide reasonable assurance that the recipient or subrecipient is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the Federal award.

Condition: During our testing of Allowable Costs, we noted 4 disbursements tested did not have signed and approved purchase orders. During our testing of Reporting, we noted two quarterly reports that had no evidence of review and approval. During our Eligibility testing, we noted one applicant whose certification form was not signed by the supervisor.

Cause: This condition is the result of management not adhering to the Organization's internal control policies.

Effect: As a result of this condition, there is an increased risk of unallowable expenses being charged to the grant, inaccurate financial reporting, allowing ineligible participants to receive grant benefits, and other potential noncompliance with federal regulations.

Questioned Costs: No costs are required to be questioned as a result of this finding, inasmuch as no unallowable expenditures were noted.

Recommendation: We recommend the Agency adhere to its internal control process of an independent review and approval of transactions and reporting related to federal grant programs.

View of Responsible Official: Management agrees with this finding and has prepared a Corrective Action Plan.

FY End: 2024-09-30
Community Action Agency of Jackson, Lenawee, and Hillsdale
Compliance Requirement: BEL
2024-001 - Lack of Independent Review and Approval Finding Type. Immaterial Noncompliance; Significant Deficiency in Internal Control over Compliance (Allowable Costs/Cost Principles: ALN 93.600 and 64.033, Reporting: ALN 64.033 and Eligibility: ALN 64.033). Program. Head Start; U.S. Department of Health and Human Services; Assistance Listing Number 93.600; All Award Numbers and VA Supportive Services for Veteran Families Program; Department of Veterans Affairs, Assistance Listing Number 64....

2024-001 - Lack of Independent Review and Approval Finding Type. Immaterial Noncompliance; Significant Deficiency in Internal Control over Compliance (Allowable Costs/Cost Principles: ALN 93.600 and 64.033, Reporting: ALN 64.033 and Eligibility: ALN 64.033). Program. Head Start; U.S. Department of Health and Human Services; Assistance Listing Number 93.600; All Award Numbers and VA Supportive Services for Veteran Families Program; Department of Veterans Affairs, Assistance Listing Number 64.033; All Award Numbers. Criteria. Per 2 CFR 200.303, the recipient and subrecipient must establish, document, and maintain effective internal controls over federal awards that provides reasonable assurance that the recipient or subrecipient is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. Condition. During our testing of Allowable Costs, we noted 4 disbursements tested did not have signed and approved purchase orders. During our testing of Reporting, we noted two quarterly reports that had no evidence of review and approval. During our Eligibility testing, we noted one applicant whose certification form was not signed by the supervisor. Cause. This condition is the result of management not adhering to the Organization's internal control policies. Effect. As a result of this condition, there is an increased risk of unallowable expenses being charged to the grant, inaccurate financial reporting, allowing ineligible participants to receive grant benefits and other potential noncompliance with federal regulations. Questioned Costs. No costs are required to be questioned as a result of this finding, inasmuch as no unallowable expenditures were noted. Recommendation. We recommend the Agency adheres to their internal control process of an independent review and approval of transactions and reporting related to federal grant programs. View of Responsible Official. 
Management agrees with this finding and has prepared a Corrective Action Plan.

FY End: 2024-09-30
Community Action Agency of Jackson, Lenawee, and Hillsdale
Compliance Requirement: BEL
2024-001 - Lack of Independent Review and Approval Finding Type. Immaterial Noncompliance; Significant Deficiency in Internal Control over Compliance (Allowable Costs/Cost Principles: ALN 93.600 and 64.033, Reporting: ALN 64.033 and Eligibility: ALN 64.033). Program. Head Start; U.S. Department of Health and Human Services; Assistance Listing Number 93.600; All Award Numbers and VA Supportive Services for Veteran Families Program; Department of Veterans Affairs, Assistance Listing Number 64....

2024-001 - Lack of Independent Review and Approval Finding Type. Immaterial Noncompliance; Significant Deficiency in Internal Control over Compliance (Allowable Costs/Cost Principles: ALN 93.600 and 64.033, Reporting: ALN 64.033 and Eligibility: ALN 64.033). Program. Head Start; U.S. Department of Health and Human Services; Assistance Listing Number 93.600; All Award Numbers and VA Supportive Services for Veteran Families Program; Department of Veterans Affairs, Assistance Listing Number 64.033; All Award Numbers. Criteria. Per 2 CFR 200.303, the recipient and subrecipient must establish, document, and maintain effective internal controls over federal awards that provides reasonable assurance that the recipient or subrecipient is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. Condition. During our testing of Allowable Costs, we noted 4 disbursements tested did not have signed and approved purchase orders. During our testing of Reporting, we noted two quarterly reports that had no evidence of review and approval. During our Eligibility testing, we noted one applicant whose certification form was not signed by the supervisor. Cause. This condition is the result of management not adhering to the Organization's internal control policies. Effect. As a result of this condition, there is an increased risk of unallowable expenses being charged to the grant, inaccurate financial reporting, allowing ineligible participants to receive grant benefits and other potential noncompliance with federal regulations. Questioned Costs. No costs are required to be questioned as a result of this finding, inasmuch as no unallowable expenditures were noted. Recommendation. We recommend the Agency adheres to their internal control process of an independent review and approval of transactions and reporting related to federal grant programs. View of Responsible Official. 
Management agrees with this finding and has prepared a Corrective Action Plan.

FY End: 2024-09-30
Community Action Agency of Jackson, Lenawee, and Hillsdale
Compliance Requirement: B
2024-001 - Lack of Independent Review and Approval Finding Type. Immaterial Noncompliance; Significant Deficiency in Internal Control over Compliance (Allowable Costs/Cost Principles: ALN 93.600 and 64.033, Reporting: ALN 64.033 and Eligibility: ALN 64.033). Program. Head Start; U.S. Department of Health and Human Services; Assistance Listing Number 93.600; All Award Numbers and VA Supportive Services for Veteran Families Program; Department of Veterans Affairs, Assistance Listing Number 64....

2024-001 - Lack of Independent Review and Approval Finding Type. Immaterial Noncompliance; Significant Deficiency in Internal Control over Compliance (Allowable Costs/Cost Principles: ALN 93.600 and 64.033, Reporting: ALN 64.033 and Eligibility: ALN 64.033). Program. Head Start; U.S. Department of Health and Human Services; Assistance Listing Number 93.600; All Award Numbers and VA Supportive Services for Veteran Families Program; Department of Veterans Affairs, Assistance Listing Number 64.033; All Award Numbers. Criteria. Per 2 CFR 200.303, the recipient and subrecipient must establish, document, and maintain effective internal controls over federal awards that provides reasonable assurance that the recipient or subrecipient is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. Condition. During our testing of Allowable Costs, we noted 4 disbursements tested did not have signed and approved purchase orders. During our testing of Reporting, we noted two quarterly reports that had no evidence of review and approval. During our Eligibility testing, we noted one applicant whose certification form was not signed by the supervisor. Cause. This condition is the result of management not adhering to the Organization's internal control policies. Effect. As a result of this condition, there is an increased risk of unallowable expenses being charged to the grant, inaccurate financial reporting, allowing ineligible participants to receive grant benefits and other potential noncompliance with federal regulations. Questioned Costs. No costs are required to be questioned as a result of this finding, inasmuch as no unallowable expenditures were noted. Recommendation. We recommend the Agency adheres to their internal control process of an independent review and approval of transactions and reporting related to federal grant programs. View of Responsible Official. 
Management agrees with this finding and has prepared a Corrective Action Plan.

FY End: 2024-09-30
Community Action Agency of Jackson, Lenawee, and Hillsdale
Compliance Requirement: B
2024-001 - Lack of Independent Review and Approval Finding Type. Immaterial Noncompliance; Significant Deficiency in Internal Control over Compliance (Allowable Costs/Cost Principles: ALN 93.600 and 64.033, Reporting: ALN 64.033 and Eligibility: ALN 64.033). Program. Head Start; U.S. Department of Health and Human Services; Assistance Listing Number 93.600; All Award Numbers and VA Supportive Services for Veteran Families Program; Department of Veterans Affairs, Assistance Listing Number 64....

2024-001 - Lack of Independent Review and Approval Finding Type. Immaterial Noncompliance; Significant Deficiency in Internal Control over Compliance (Allowable Costs/Cost Principles: ALN 93.600 and 64.033, Reporting: ALN 64.033 and Eligibility: ALN 64.033). Program. Head Start; U.S. Department of Health and Human Services; Assistance Listing Number 93.600; All Award Numbers and VA Supportive Services for Veteran Families Program; Department of Veterans Affairs, Assistance Listing Number 64.033; All Award Numbers. Criteria. Per 2 CFR 200.303, the recipient and subrecipient must establish, document, and maintain effective internal controls over federal awards that provides reasonable assurance that the recipient or subrecipient is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. Condition. During our testing of Allowable Costs, we noted 4 disbursements tested did not have signed and approved purchase orders. During our testing of Reporting, we noted two quarterly reports that had no evidence of review and approval. During our Eligibility testing, we noted one applicant whose certification form was not signed by the supervisor. Cause. This condition is the result of management not adhering to the Organization's internal control policies. Effect. As a result of this condition, there is an increased risk of unallowable expenses being charged to the grant, inaccurate financial reporting, allowing ineligible participants to receive grant benefits and other potential noncompliance with federal regulations. Questioned Costs. No costs are required to be questioned as a result of this finding, inasmuch as no unallowable expenditures were noted. Recommendation. We recommend the Agency adheres to their internal control process of an independent review and approval of transactions and reporting related to federal grant programs. View of Responsible Official. 
Management agrees with this finding and has prepared a Corrective Action Plan.

FY End: 2024-09-30
Community Action Agency of Jackson, Lenawee, and Hillsdale
Compliance Requirement: B
2024-001 - Lack of Independent Review and Approval
Finding Type: Immaterial Noncompliance; Significant Deficiency in Internal Control over Compliance (Allowable Costs/Cost Principles: ALN 93.600 and 64.033; Reporting: ALN 64.033; Eligibility: ALN 64.033).
Program: Head Start; U.S. Department of Health and Human Services; Assistance Listing Number 93.600; All Award Numbers. VA Supportive Services for Veteran Families Program; Department of Veterans Affairs; Assistance Listing Number 64.033; All Award Numbers.
Criteria: Per 2 CFR 200.303, the recipient and subrecipient must establish, document, and maintain effective internal controls over federal awards that provide reasonable assurance that the recipient or subrecipient is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
Condition: During our testing of Allowable Costs, we noted 4 disbursements tested that did not have signed and approved purchase orders. During our testing of Reporting, we noted two quarterly reports that had no evidence of review and approval. During our Eligibility testing, we noted one applicant whose certification form was not signed by the supervisor.
Cause: This condition is the result of management not adhering to the Organization's internal control policies.
Effect: As a result of this condition, there is an increased risk of unallowable expenses being charged to the grant, inaccurate financial reporting, ineligible participants receiving grant benefits, and other potential noncompliance with federal regulations.
Questioned Costs: No costs are required to be questioned as a result of this finding, inasmuch as no unallowable expenditures were noted.
Recommendation: We recommend the Agency adhere to its internal control process of independent review and approval of transactions and reporting related to federal grant programs.
View of Responsible Official: Management agrees with this finding and has prepared a Corrective Action Plan.

FY End: 2024-09-30
Taylor County, Texas
Compliance Requirement: L
Finding 2024-001: U.S. Department of the Treasury, Federal Financial Assistance Listing 21.027, COVID-19 Coronavirus State and Local Fiscal Recovery Funds
Compliance Requirement: Reporting
Type of Finding: Significant Deficiency in Internal Controls over Compliance
Criteria: 2 CFR 200.303(a) establishes that the auditee must establish and maintain effective internal control over the federal award that provides assurance that the entity is managing the federal award in compliance with federal statutes, regulations, and conditions of the federal award.
Condition: The County's reports submitted to the Department of the Treasury were not reviewed and approved by a separate individual other than the preparer.
Cause: Originally, the County did not have an internal control process in place to ensure that a secondary review and approval of the reports submitted to the Department of the Treasury was performed by someone other than the preparer of the report. An updated secondary review process was put in place in early 2024.
Effect: Without a secondary review and approval, there is a possibility that the report may not be accurately completed.
Questioned Costs: None.
Context / Sampling: For the Coronavirus State and Local Fiscal Recovery Funds, a nonstatistical sample of 2 out of 4 reports was tested.
Repeat Finding from Prior Year: Yes, prior year finding 2023-001.
Recommendation: We recommend the County implement a control process that includes a secondary review and approval of the required reports before they are submitted to the federal agency.
Views of Responsible Officials: Management agrees with the noted finding. Refer to Corrective Action Plan.

FY End: 2024-09-30
Taylor County, Texas
Compliance Requirement: I
Finding 2024-003: U.S. Department of the Treasury, Federal Financial Assistance Listing 21.027, COVID-19 Coronavirus State and Local Fiscal Recovery Funds
Compliance Requirement: Procurement, Suspension and Debarment
Type of Finding: Significant Deficiency in Internal Controls over Compliance
Criteria: 2 CFR 200.303(a) establishes that the auditee must establish and maintain effective internal control over the federal award that provides assurance that the entity is managing the federal award in compliance with federal statutes, regulations, and conditions of the federal award. Per 31 CFR 19.300, prior to entering into subawards and contracts with award funds, recipients must verify that such contractors and subrecipients are not suspended, debarred, or otherwise excluded pursuant to 31 CFR § 19.300.
Condition: The County did not retain documentation of verifying that 6 vendors were not suspended, debarred, or otherwise excluded prior to entering into a transaction with them.
Cause: The County performed the verification but did not retain documentation, and we were unable to verify that it was performed prior to the transaction.
Effect: Vendors could be suspended, debarred, or otherwise excluded, and the County would not be aware.
Questioned Costs: None.
Context / Sampling: We tested 32 of 158 transactions subject to suspension and debarment in the SLFRF program.
Repeat Finding from Prior Year: Yes, prior year finding 2023-003.
Recommendation: The County should retain documentation of the review of all vendors.
Views of Responsible Officials: Management agrees with the noted finding. Refer to Corrective Action Plan.

FY End: 2024-09-30
City of Panama City Beach, Florida
Compliance Requirement: L
2024-001 Lack of Documented Review of Annual Project and Expenditure Report
Assistance Listing Number: 21.027
Program Title: COVID-19 Coronavirus State and Local Fiscal Recovery Funds
Compliance Requirement: Reporting - Performance Reporting
Pass-through Entity: N/A
Federal Grant/Contract Number and Grant Year: COVID-19 Y5258 2021
Finding Type: Material Weakness in Internal Control
Questioned Costs: $0
Condition: The annual project and expenditure report required by the grant, covering the status of projects, was prepared by the grant administrator, and there was no documented review of the report by someone other than the preparer prior to submission. The recipient is required to file a project and expenditure report annually with the U.S. Treasury.
Criteria: 2 CFR section 200.303 requires that nonfederal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the nonfederal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards.
Effect: The annual report could contain errors and cause the City to be out of compliance with the requirements of the grant.
Cause: The City has not implemented procedures to formally document its review of the annual project and expenditure report prior to submission to the U.S. Treasury.
Perspective: The one report required to be filed did not have documentation of review.
Recommendation: A copy of the report should be kept that includes both the date and signature of the preparer and of the reviewer.
View of responsible officials and planned corrective action: See attached corrective action plan.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABN
FINDING 2024-002 Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.
Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.
Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of the information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification and to ensure the confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, record counts, and other logging techniques.
Cause
DTMB informed us that, because of a coding issue, record counts were either not logged or inappropriately duplicated, and the exceptions were not caught during development.
Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.
Known Questioned Costs
None.
Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.
Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested that DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG asked DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.
Auditor's Comments to Management Views
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine whether the auditee appropriately reconciled the 8 sampled interfaces, because the interfaces run at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but on the purpose of the interface, regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period, which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation, or maintained it in a manner that allows replication of the purged files, to support that controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support that the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.
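The control at issue in this finding is file-level interface reconciliation: the sending system declares control totals, the receiving system logs a batch summary, and a reconciliation step proves every record was processed exactly once. The following is an added example of such a reconciliation job; it is not the State of Michigan's, MDHHS's or DTMB's code, and the file layout, field names and the four sample batches (including one whose summary row was never logged and one whose counts were logged twice, the two failure modes the Cause paragraph names) are constructed assumptions.

```python
"""Interface reconciliation with control totals (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class InterfaceFile:
    """A batch file as received from the source system (assumed layout)."""
    file_id: str
    header_count: int        # record count declared in the file header
    header_amount: Decimal   # hash total (sum of amounts) declared in the header
    records: list            # (record_id, amount) detail records


@dataclass
class BatchSummary:
    """One row of the receiving system's batch summary table (assumed layout)."""
    file_id: str
    received: int
    accepted: int
    exceptions: int


def file_control_totals(f):
    """Recompute count, hash total and duplicated record ids from the detail records."""
    ids = Counter(r[0] for r in f.records)
    dup_ids = sorted(i for i, n in ids.items() if n > 1)
    total = sum((r[1] for r in f.records), Decimal(0))
    return len(f.records), total, dup_ids


def reconcile(files, summaries):
    """Return {file_id: [issue, ...]}; an empty list means the file reconciles.

    Each file is checked on its own (file-level control), never by pooling
    record counts across files.
    """
    by_file = {}
    for s in summaries:
        by_file.setdefault(s.file_id, []).append(s)
    result = {}
    for f in files:
        issues = []
        count, amount, dups = file_control_totals(f)
        if count != f.header_count:
            issues.append(f"header count {f.header_count} != detail count {count}")
        if amount != f.header_amount:
            issues.append(f"header hash total {f.header_amount} != detail total {amount}")
        if dups:
            issues.append(f"duplicate record ids in file: {dups}")
        rows = by_file.get(f.file_id, [])
        if not rows:
            issues.append("no batch summary logged by receiving system")
        elif len(rows) > 1:
            issues.append(f"batch summary logged {len(rows)} times (duplicated counts)")
        else:
            s = rows[0]
            if s.received != count:
                issues.append(f"summary received {s.received} != detail count {count}")
            if s.accepted + s.exceptions != s.received:
                issues.append(f"accepted {s.accepted} + exceptions {s.exceptions} != received {s.received}")
        result[f.file_id] = issues
    # A summary with no file behind it is itself an exception worth a review.
    known = {f.file_id for f in files}
    for fid in by_file:
        if fid not in known:
            result[fid] = ["batch summary exists but no interface file was received"]
    return result


# Constructed sample batches (not real Bridges data).
SAMPLE_FILES = [
    InterfaceFile("IF-20240601", 3, Decimal("450.00"),
                  [("A1", Decimal("100.00")), ("A2", Decimal("150.00")), ("A3", Decimal("200.00"))]),
    InterfaceFile("IF-20240602", 3, Decimal("300.00"),
                  [("B1", Decimal("100.00")), ("B2", Decimal("100.00")), ("B2", Decimal("100.00"))]),
    InterfaceFile("IF-20240603", 2, Decimal("50.00"),
                  [("C1", Decimal("25.00")), ("C2", Decimal("25.00"))]),
    InterfaceFile("IF-20240604", 2, Decimal("80.00"),
                  [("D1", Decimal("40.00")), ("D2", Decimal("40.00"))]),
]
SAMPLE_SUMMARIES = [
    BatchSummary("IF-20240601", received=3, accepted=2, exceptions=1),  # reconciles
    BatchSummary("IF-20240602", received=3, accepted=3, exceptions=0),  # file carries a duplicate id
    # IF-20240603: the receiving system never logged a summary row
    BatchSummary("IF-20240604", received=2, accepted=2, exceptions=0),  # logged twice
    BatchSummary("IF-20240604", received=2, accepted=2, exceptions=0),
]


def run_sample():
    return reconcile(SAMPLE_FILES, SAMPLE_SUMMARIES)


if __name__ == "__main__":
    for fid, issues in run_sample().items():
        print(fid, "OK" if not issues else issues)
```

The output of a job like this is the evidence the auditor asked for: retain the per-file result for the award's record-retention period, and record in the summary row itself whether an exception was an alert or an error, so that distinction does not have to be reconstructed in a test environment after the detail records have been purged.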

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABN
FINDING 2024-003 Bridges Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS had not established effective security management and access controls over Bridges users. We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure the confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are granted only the access necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, be in place where segregation of duties conflicts exist.
Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.
Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).
Known Questioned Costs
None.
Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
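Parts a. and d. of this finding describe two checks that can be run mechanically over an account roster: an incompatible role combination must be covered by an exception that was approved, by someone other than the requester, before the access was granted, and every account must have been recertified within the interval its privilege level requires (semiannual for privileged, annual for all others). The following is an added example of such an access review; it is not MDHHS's or the Bridges system's code, and the role names, the conflict matrix, the 182-day reading of "semiannual" and the sample roster are constructed assumptions.

```python
"""Access review over an application user roster (added example, constructed data)."""
from datetime import date, timedelta

# Assumed conflict matrix: role pairs one person may not hold without an approved exception.
INCOMPATIBLE_ROLES = {
    frozenset({"case_worker", "benefit_approver"}),
    frozenset({"security_admin", "benefit_approver"}),
}

# Recertification interval keyed by the account's privileged flag (assumed day counts).
RECERT_INTERVAL = {True: timedelta(days=182), False: timedelta(days=365)}


def approved_exceptions(exceptions):
    """Index usable exceptions as {(user, role pair): approved_on}.

    An exception only counts if it was actually approved and the approver is
    not the requester; a self-approved request is not an approval.
    """
    idx = {}
    for e in exceptions:
        if e["approved_on"] is not None and e["approver"] != e["requester"]:
            idx[(e["user"], frozenset(e["roles"]))] = e["approved_on"]
    return idx


def review_roster(roster, exceptions, as_of):
    """Return a list of (user, finding, detail) tuples; empty means the roster is clean."""
    findings = []
    exc = approved_exceptions(exceptions)
    for u in roster:
        roles = set(u["roles"])
        for pair in INCOMPATIBLE_ROLES:
            if pair <= roles:
                approved = exc.get((u["user"], pair))
                if approved is None:
                    findings.append((u["user"], "sod_conflict_without_approved_exception", sorted(pair)))
                elif approved > u["granted_on"]:
                    # Approval exists but came after the access was already live.
                    findings.append((u["user"], "exception_approved_after_access_granted", sorted(pair)))
        last = u["last_recertified"]
        if last is None or as_of - last > RECERT_INTERVAL[u["privileged"]]:
            findings.append((u["user"], "recertification_overdue",
                             "privileged" if u["privileged"] else "standard"))
    return findings


# Constructed sample roster and exception log (not real Bridges users).
AS_OF = date(2024, 9, 30)
SAMPLE_ROSTER = [
    {"user": "alice", "roles": ["case_worker"], "privileged": False,
     "granted_on": date(2024, 1, 10), "last_recertified": date(2024, 2, 1)},
    {"user": "bob", "roles": ["case_worker", "benefit_approver"], "privileged": False,
     "granted_on": date(2024, 3, 1), "last_recertified": date(2024, 3, 1)},
    {"user": "carol", "roles": ["case_worker", "benefit_approver"], "privileged": False,
     "granted_on": date(2024, 5, 1), "last_recertified": date(2024, 5, 1)},
    {"user": "dave", "roles": ["security_admin", "benefit_approver"], "privileged": True,
     "granted_on": date(2023, 11, 1), "last_recertified": date(2024, 1, 15)},
    {"user": "erin", "roles": ["security_admin"], "privileged": True,
     "granted_on": date(2023, 6, 1), "last_recertified": date(2024, 6, 1)},
    {"user": "frank", "roles": ["case_worker"], "privileged": False,
     "granted_on": date(2023, 2, 1), "last_recertified": None},
]
SAMPLE_EXCEPTIONS = [
    {"user": "bob", "roles": ["case_worker", "benefit_approver"],
     "requester": "bob", "approver": "mgr_smith", "approved_on": date(2024, 2, 20)},   # before grant
    {"user": "carol", "roles": ["case_worker", "benefit_approver"],
     "requester": "carol", "approver": "mgr_smith", "approved_on": date(2024, 5, 15)},  # after grant
    {"user": "dave", "roles": ["security_admin", "benefit_approver"],
     "requester": "dave", "approver": "dave", "approved_on": date(2023, 10, 15)},      # self-approved
]


def run_sample():
    return review_roster(SAMPLE_ROSTER, SAMPLE_EXCEPTIONS, AS_OF)


if __name__ == "__main__":
    for user, finding, detail in run_sample():
        print(f"{user}: {finding} {detail}")
```

Running the review on a schedule and keeping its output is what produces the documentation items b., d. and e. say was missing; the self-approval and approved-after-grant cases are the ones a spreadsheet review tends to pass, which is why they are encoded as explicit checks here.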

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABN
FINDING 2024-004 Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.
Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.
Cause
MDHHS informed us it did not always follow established processes for documenting post-release validation and business owner approvals.
Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.
Management Views
MDHHS agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABN
FINDING 2024-006 ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.
Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 5 significant systems and noted:
a. MDHHS and DTMB did not conduct annual testing of the disaster recovery plan (DRP) for 1 system during fiscal year 2024.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 4 systems during fiscal year 2024, including not updating the risk assessment, which resulted in the expiration of the authority to operate and/or missing control assessments for the systems.
Criteria
Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for the security of information systems used to administer federal programs. In part, the regulations require state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.
Cause
MDHHS and DTMB indicated resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.
Effect
MDHHS and DTMB cannot demonstrate they have implemented effective controls to ensure the confidentiality, integrity, and availability of their information systems and cannot ensure they comply with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete DRPs could result in delays in restoring critical systems and business processes. Outdated or incomplete system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.
Known Questioned Costs
None.
Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs.
Management Views
Although MDHHS and DTMB agree annual testing was not conducted for one system and not all necessary updates to the system security plan were completed during the audit period for 4 systems, MDHHS and DTMB disagree that effective controls were not implemented to ensure the confidentiality, integrity, and availability of their ADP information systems. MDHHS and DTMB also disagree that the security of critical systems was at risk by failing to mitigate potential vulnerabilities, as described in the effect statement of the finding. MDHHS and DTMB have compensating controls in place to ensure the confidentiality, integrity, and availability of their ADP information systems in addition to mitigating potential vulnerabilities. MDHHS and DTMB monitor remediation of Plans of Action and Milestones (POA&Ms) for all information systems even after expiration of the authority to operate. For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The system required to be audited as part of the Affordable Care Act, along with two other systems cited, is reviewed biennially through the Internal Control Evaluation process, where control evidence is updated to demonstrate the effectiveness of controls. None of the systems cited had any significant changes, and the implemented controls are still working as expected.
Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POA&Ms, the four systems cited did not have updated risk assessments, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABN
FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are ...

FINDING 2024-002 Bridges Interface Controls

See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.

Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.

Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.

Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.

Known Questioned Costs
None.

Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.

Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.

Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABN
FINDING 2024-003 Bridges Security Management and Access Controls*

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS had not established effective security management and access controls over Bridges users. We noted:

a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.

b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.

c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.

d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.

e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, be in place where segregation of duties* conflicts exist.

Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.

Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).

Known Questioned Costs
None.

Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABN
FINDING 2024-004 Bridges Change Management Process

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.

Management Views
MDHHS agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABN
FINDING 2024-006 ADP Security Program

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 5 significant systems and noted:

a. MDHHS and DTMB did not conduct annual testing of the disaster recovery plan (DRP) for 1 system during fiscal year 2024.

b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 4 systems during fiscal year 2024, including not updating the risk assessment which resulted in the expiration of the authority to operate and/or missing control assessments for the systems.

Criteria
Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

Cause
MDHHS and DTMB indicated resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.

Effect
MDHHS and DTMB cannot demonstrate they have implemented effective controls to ensure the confidentiality, integrity, and availability of their information systems and cannot ensure they comply with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete DRPs could result in delays in restoring critical systems and business processes. Outdated or incomplete system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs.

Management Views
Although MDHHS and DTMB agree annual testing was not conducted for one system and not all necessary updates to the system security plan were completed during the audit period for 4 systems, MDHHS and DTMB disagree effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS and DTMB also disagree the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described in the effect statement of the finding. MDHHS and DTMB have compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS and DTMB monitor remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of authority to operate. For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The system required to be audited as part of the Affordable Care Act, along with two other systems cited, are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate the effectiveness of controls. Each system cited did not have any significant changes and implemented controls are still working as expected.

Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the four systems cited did not have updated risk assessments, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: AB
FINDING 2024-018 WIC Special Supplemental Nutrition Program for Women, Infants, and Children, ALN 10.557, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - MI-WIC Access Controls

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS and DTMB did not fully implement effective access controls over the Michigan Women, Infants, and Children Information System (MI-WIC) database. DTMB did not review all privileged MI-WIC database accounts on a semiannual basis.

Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to review privileged accounts for compliance with account management requirements semiannually.

Cause
DTMB informed us its internal control and monitoring activities were insufficient to ensure all appropriate parties adhered to established policies.

Effect
Without effective access controls, individuals may retain inappropriate access to the MI-WIC database.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS and DTMB fully implement effective access controls over the MI-WIC database.

Management Views
MDHHS and DTMB agree with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: AB
FINDING 2024-019 WIC Special Supplemental Nutrition Program for Women, Infants, and Children, ALN 10.557, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - MI-WIC Change Management Process

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS did not fully implement an effective change management process over MI-WIC. Our review disclosed MDHHS did not document testing results at one stage of the process for 2 (5%) of 40 sampled MI-WIC change records.

Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to make sure the changes meet the documented requirements by testing against the documented test plan. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDHHS informed us that because of an oversight, it did not document the testing results.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MI-WIC. As a result, an increased risk exists MDHHS cannot ensure MI-WIC is configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS fully implement an effective change management process over MI-WIC.

Management Views
MDHHS agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABE
FINDING 2024-002 Bridges Interface Controls

See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.

Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.

Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.

Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.

Known Questioned Costs
None.

Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.

Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.

Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABE
FINDING 2024-003 Bridges Security Management and Access Controls*

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS had not established effective security management and access controls over Bridges users. We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.

Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.

Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).

Known Questioned Costs
None.

Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABE
FINDING 2024-004 Bridges Change Management Process

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.

Management Views
MDHHS agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: E
FINDING 2024-008 MDE, IT General Controls

See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*. LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States. The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster. MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.

Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires accounts should be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts.

Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its lack of removing and reviewing the privileged accounts.

Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.

Known Questioned Costs
None.

Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.

Management Views
DTMB agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: E
FINDING 2024-009 MDE, Security Management and Access Controls

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024 as noted below: See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements annually for non-privileged accounts, and the information system to automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.

Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.

Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.

Management Views
MDE agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: E
FINDING 2024-010 MDE, Change Management Process

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.

Management Views
MDE agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: C
FINDING 2024-020 National Guard Military Operations and Maintenance (O&M) Projects, ALN 12.401, Cash Management - Timeliness of Cash Draws

See Schedule of Findings and Questioned Costs for chart/table.

Condition
The Department of Military and Veterans Affairs (DMVA) did not follow its established cash draw process to prepare reimbursement requests in accordance with the CMIA. We noted DMVA did not maintain sufficient or accurate documentation to support it timely submitted a reimbursement request for 10 (26%) of 38 sampled cash draws. For the remaining 28 cash draws reviewed, DMVA did not timely submit the reimbursement requests for 4 (14%) sampled cash draws; DMVA took between 88 and 369 days to process these requests.

Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Subpart B of federal regulation 31 CFR 205 requires a state must minimize the time between the drawdown of federal funds from the federal government and its disbursement for federal program purposes. The timing and amount of funds transfers must be as close as is administratively feasible to a state's actual cash outlay for direct program costs and the proportionate share of any allowable indirect costs. DMVA's process is to run departmental expenditure reports for each appendix by the fifteenth day of the following month in which the expenditures were incurred. The process to submit the Request for Advance or Reimbursement (SF-270) to the United States Property and Fiscal Office (USPFO) varies by appendix. For construction appendices, DMVA sends the expenditure reports to its federal program manager for review and approval of the federal coding to be applied prior to DMVA preparing the reimbursement request. After the federal program manager approves the coding, DMVA prepares the SF-270 and sends it back to its federal program manager for final approval and submission to the USPFO. For all other appendices, DMVA prepares the SF-270 using the expenditure reports and sends the SF-270 to the federal program managers for approval. For airbases, the federal program managers submit the SF-270 to the USPFO after it is approved.

Cause
DMVA informed us competing priorities contributed to its inability to timely process reimbursement requests. Also, DMVA indicated its controls were not sufficient to ensure the retention of documentation to support the timely submission of reimbursement requests.

Effect
DMVA limited its assurance it complied with the CMIA. The federal grantor agency could issue sanctions or disallowances related to noncompliance.

Known Questioned Costs
None.

Recommendation
We recommend DMVA follow its established cash draw process to prepare reimbursement requests in accordance with the CMIA.

Management Views
DMVA agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: H
FINDING 2024-021 National Guard Military Operations and Maintenance (O&M) Projects, ALN 12.401, Period of Performance - Extension Procedures

See Schedule of Findings and Questioned Costs for chart/table.

Condition
DMVA did not timely submit extension requests for cooperative agreement (CA) appendices sent to the USPFO for 2 (8%) of 24 appendices requiring extension requests during fiscal year 2024. For these 2 appendices, DMVA submitted the requests 111 days late.

Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over the federal awards that provides reasonable assurance the auditee is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Federal regulation 2 CFR 200.308 states a recipient must notify the federal agency in writing with the supporting justification and a revised period of performance at least 10 calendar days before the conclusion of the period of performance. The National Guard Bureau's Grants and Cooperative Agreement Policy Letter 21-07 indicates for projects and activities that cannot be completed before the end of a CA award's budget period of performance, the grantee must submit the extension request at least 10 days prior to the end of the period of performance.

Cause
DMVA's internal control and monitoring activities were not sufficient to ensure it timely submitted the required extension requests for CA appendices sent to the USPFO.

Effect
DMVA may have diminished the federal grantor agency's ability to ensure appropriate oversight and monitoring of the CA appendices. The federal grantor agency could issue sanctions or disallowances related to noncompliance.

Known Questioned Costs
None.

Recommendation
We recommend DMVA timely submit extension requests for CA appendices sent to the USPFO.

Management Views
DMVA agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABGI
FINDING 2024-022 Highway Planning and Construction, ALN 20.205, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Matching, Level of Effort, and Earmarking; and Procurement and Suspension and Debarment - AASHTOWare Security Management and Access Controls

See Schedule of Findings and Questioned Costs for chart/table.

Condition
The Michigan Department of Transportation (MDOT) did not fully establish effective security management and access controls over AASHTOWare users. MDOT program staff utilize AASHTOWare to administer construction contracts and approve payments to contractors. We noted MDOT did not fully review user access semiannually for privileged accounts or annually for all other accounts.

Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires accounts to be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts.

Cause
MDOT's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.

Effect
Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to AASHTOWare.

Known Questioned Costs
None.

Recommendation
We recommend MDOT fully establish effective security management and access controls over AASHTOWare users.

Management Views
MDOT agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABGI
FINDING 2024-022 Highway Planning and Construction, ALN 20.205, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Matching, Level of Effort, and Earmarking; and Procurement and Suspension and Debarment - AASHTOWare Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition The Michigan Department of Transportation (MDOT) did not fully establish effective security management and access controls over AASHTOWare users. MDOT prog...

FINDING 2024-022 Highway Planning and Construction, ALN 20.205, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Matching, Level of Effort, and Earmarking; and Procurement and Suspension and Debarment - AASHTOWare Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.

Condition
The Michigan Department of Transportation (MDOT) did not fully establish effective security management and access controls over AASHTOWare users. MDOT program staff utilize AASHTOWare to administer construction contracts and approve payments to contractors. We noted MDOT did not fully review user access semiannually for privileged accounts or annually for all other accounts.

Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires accounts to be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts.

Cause
MDOT's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.

Effect
Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to AASHTOWare.

Known Questioned Costs
None.

Recommendation
We recommend MDOT fully establish effective security management and access controls over AASHTOWare users.

Management Views
MDOT agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABGI
FINDING 2024-022 Highway Planning and Construction, ALN 20.205, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Matching, Level of Effort, and Earmarking; and Procurement and Suspension and Debarment - AASHTOWare Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.

Condition
The Michigan Department of Transportation (MDOT) did not fully establish effective security management and access controls over AASHTOWare users. MDOT program staff utilize AASHTOWare to administer construction contracts and approve payments to contractors. We noted MDOT did not fully review user access semiannually for privileged accounts or annually for all other accounts.

Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires accounts to be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts.

Cause
MDOT's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.

Effect
Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to AASHTOWare.

Known Questioned Costs
None.

Recommendation
We recommend MDOT fully establish effective security management and access controls over AASHTOWare users.

Management Views
MDOT agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: M
FINDING 2024-008 MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*. LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States. The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster. MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.

Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires that accounts be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts.

Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its lack of removing and reviewing the privileged accounts.

Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.

Known Questioned Costs
None.

Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.

Management Views
DTMB agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: M
FINDING 2024-009 MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis.
Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024, as noted below: See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements annually for non-privileged accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.

Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.

Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.

Management Views
MDE agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABH
FINDING 2024-023 Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Period of Performance - PTMS Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDOT did not fully establish effective security management and access controls over Public Transportation Management System (PTMS) users. MDOT program staff utilize PTMS to approve subrecipient budget and payment requests. We noted MDOT did not review user access semiannually for privileged accounts or annually for all other accounts.

Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts.

Cause
MDOT informed us an oversight occurred due to employee turnover.

Effect
Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to PTMS.

Known Questioned Costs
None.

Recommendation
We recommend MDOT fully establish effective security management and access controls over PTMS users.

Management Views
MDOT agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABH
FINDING 2024-024 Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Period of Performance - Grant Reimbursement Approval Procedures
See Schedule of Findings and Questioned Costs for chart/table.

Condition
The Department of Environment, Great Lakes, and Energy (EGLE) did not review and approve drinking water and clean water grant reimbursement requests for 2 (9%) of 23 sampled payments to ensure the requests were reasonable and appropriate.

Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Also, Subpart E of federal regulation 2 CFR 200 requires that costs charged to federal programs be necessary and reasonable for the administration of the federal award and be in accordance with the relative benefits received by the program.

Cause
EGLE informed us it did not always follow the established process for reviewing and approving reimbursement requests for one grant.

Effect
EGLE could potentially reimburse for ineligible project expenditures. The federal grantor agency could issue sanctions or disallowances related to noncompliance.

Known Questioned Costs
None.

Recommendation
We recommend EGLE review and approve drinking water and clean water grant reimbursement requests to ensure the requests are reasonable and appropriate.

Management Views
EGLE agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABH
FINDING 2024-025 Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Period of Performance - Insufficient Respite Payment Controls
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS did not have sufficient controls in place to prevent or detect and correct payment errors made to respite grant recipients. We noted MDHHS did not review and approve respite grant payments subsequent to manual input into the Medical Services Administration Manual Payment System (MSAPay).

Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Also, Subpart E of federal regulation 2 CFR 200 requires that costs charged to federal programs be necessary and reasonable for the administration of the federal award and be in accordance with the relative benefits received by the program.

Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure it documented its review and approval of respite grant payments in MSAPay.

Effect
These deficiencies could potentially result in improper payments to recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS improve its controls to prevent or detect and correct payment errors made to respite grant recipients.

Management Views
MDHHS agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: L
FINDING 2024-026 Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Reporting - Workfront Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.

Condition
DTMB did not fully establish effective security management and access controls over Workfront. DTMB program staff utilize Workfront to collect and prepare all Coronavirus State and Local Fiscal Recovery Funds (CSLFRF) data reported to the U.S. Department of the Treasury. Our review of 9 sampled Workfront users noted:
a. DTMB did not maintain documentation to support it approved the system role for 5 sampled Workfront users.
b. DTMB did not ensure it properly approved 2 users prior to granting access to Workfront.

Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions.

Cause
DTMB's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies in place at the time of approval.

Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to Workfront.

Known Questioned Costs
None.

Recommendation
We recommend DTMB fully establish effective security management and access controls over Workfront.

Management Views
DTMB agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABGM
FINDING 2024-008 MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*. LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States. The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster. MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.

Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires that accounts be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts.

Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its lack of removing and reviewing the privileged accounts.

Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.

Known Questioned Costs
None.

Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.

Management Views
DTMB agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABGM
FINDING 2024-009 MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis.
Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024, as noted below: See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements annually for non-privileged accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.

Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.

Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.

Management Views
MDE agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABGM
FINDING 2024-010 MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.

Management Views
MDE agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABGHI
FINDING 2024-008 MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*. LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States. The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster. MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.

Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires that accounts be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts.

Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its lack of removing and reviewing the privileged accounts.

Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.

Known Questioned Costs
None.

Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.

Management Views
DTMB agrees with the finding.
