FINDING 2024-009
MDE, Security Management and Access Controls

See Schedule of Findings and Questioned Costs for chart/table.

Condition

MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:

a. MDE did not maintain documentation to support that the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.

b. MDE did not fully implement an effective annual recertification process for non-privileged accounts:

(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.

(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis.

Our results are summarized in the following table:

See Schedule of Findings and Questioned Costs for chart/table.

MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024, as noted below:

See Schedule of Findings and Questioned Costs for chart/table.

Criteria

Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure the confidentiality, integrity, and availability of State of Michigan information.

SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are granted only the access necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements annually for non-privileged accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to remain enabled until they have been inactive for 18 months.

MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.

Cause

MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.

Effect

Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.

Known Questioned Costs

None.

Recommendation

We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.

Management Views

MDE agrees with the finding.
FINDING 2024-010
MDE, Change Management Process

See Schedule of Findings and Questioned Costs for chart/table.

Condition

MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted:

See Schedule of Findings and Questioned Costs for chart/table.

Criteria

Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.

State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause

MDE informed us that because of an oversight, it did not document the testing results and close the work items.

Effect

Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.

Known Questioned Costs

None.

Recommendation

We recommend MDE fully implement an effective change management process over MiND and NexSys.

Management Views

MDE agrees with the finding.
FINDING 2024-008
MDE, IT General Controls

See Schedule of Findings and Questioned Costs for chart/table.

Background

The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*.

LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States.

The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster.

MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.

Condition

DTMB did not fully implement effective general controls* over the MiND, GEMS/MARS, and NexSys operating system servers. We noted:

a. DTMB did not remove access for a user who had departed from State employment.

b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.

After we brought these matters to management's attention, DTMB corrected the issues noted.

Criteria

Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure the confidentiality, integrity, and availability of State of Michigan information.

SOM Technical Standard 1340.00.020.01 requires that accounts be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts.

Cause

DTMB informed us that the reassignment of the account removal and recertification processes to another employee resulted in its failure to remove and review the privileged accounts.

Effect

Without effective general controls, individuals may obtain unauthorized or inappropriate access to, or make inappropriate changes to, the MiND, GEMS/MARS, and NexSys operating system servers.

Known Questioned Costs

None.

Recommendation

We recommend DTMB fully implement effective general controls over the MiND, GEMS/MARS, and NexSys operating system servers.

Management Views

DTMB agrees with the finding.
FINDING 2024-002
Bridges Interface Controls

See Schedule of Findings and Questioned Costs for chart/table.

Background

The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.

Condition

DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of the information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.

Criteria

Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure the confidentiality, integrity, and availability of State of Michigan information.

In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, record counts, and other logging techniques.

Cause

DTMB informed us that, because of a coding issue, record counts were either not logged or inappropriately duplicated, and the exceptions were not caught during development.

Effect

DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.

Known Questioned Costs

None.

Recommendation

We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.

Management Views

DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.

For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.

Auditor's Comments to Management Views*

Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine whether the auditee appropriately reconciled the 8 sampled interfaces, because the interfaces run at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface does not depend on the frequency of its interval but on the purpose of the interface, regardless of the frequency interval.

Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period, which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation, or maintained it in a manner that allows replication of the purged files, to support that controls operated effectively throughout the audit period.

DTMB was not able to provide documentation to support that the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files.

Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.
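The file-level reconciliation the Criteria describe (control totals in a file control table checked against a batch summary table), written out as an added Python example that is not part of the OAG report or of the Bridges code. The interface names, file ids and record counts are constructed; the example classifies the two failure modes the Cause names (a count not logged, a count logged twice) and reports exception rates per interface rather than pooled, the point made in the Auditor's Comments.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileControl:
    """One row of the file control table: what the load job saw per file."""
    interface: str
    file_id: str
    trailer_count: int   # control total declared in the file's trailer record
    records_read: int    # detail records the load actually processed


@dataclass(frozen=True)
class SummaryRow:
    """One row of the batch summary table: the count the batch job logged."""
    interface: str
    file_id: str
    record_count: int


# Constructed sample data. Interface and file names are hypothetical, not
# the Bridges interfaces sampled in the report.
FILE_CONTROL = [
    FileControl("WAGE_MATCH", "WAGE_20240901", 1200, 1200),       # clean
    FileControl("WAGE_MATCH", "WAGE_20240902", 1180, 1180),       # never logged
    FileControl("WAGE_MATCH", "WAGE_20240903", 1215, 1215),       # logged twice
    FileControl("MONTHLY_DEATH", "DEATH_202409", 54321, 54321),   # wrong count logged
    FileControl("MONTHLY_DEATH", "DEATH_202408", 53010, 52990),   # short load
]

BATCH_SUMMARY = [
    SummaryRow("WAGE_MATCH", "WAGE_20240901", 1200),
    SummaryRow("WAGE_MATCH", "WAGE_20240903", 1215),
    SummaryRow("WAGE_MATCH", "WAGE_20240903", 1215),      # duplicate row
    SummaryRow("MONTHLY_DEATH", "DEATH_202409", 54320),   # off by one
    SummaryRow("MONTHLY_DEATH", "DEATH_202408", 52990),
]


def reconcile(file_control, batch_summary):
    """Return {file_id: status} for every file in the file control table.

    A file reconciles ("OK") only when the trailer control total, the
    records actually read, and exactly one batch summary row all agree.
    Every other outcome is an exception a reviewer has to clear.
    """
    logged_counts = defaultdict(list)
    for row in batch_summary:
        logged_counts[row.file_id].append(row.record_count)

    statuses = {}
    for fc in file_control:
        logged = logged_counts.get(fc.file_id, [])
        if fc.trailer_count != fc.records_read:
            # source declared N records, the load processed M: incomplete transfer
            statuses[fc.file_id] = "TRAILER_MISMATCH"
        elif not logged:
            statuses[fc.file_id] = "NOT_LOGGED"        # summary row missing
        elif len(logged) > 1:
            statuses[fc.file_id] = "DUPLICATED"        # summary row repeated
        elif logged[0] != fc.records_read:
            statuses[fc.file_id] = "COUNT_MISMATCH"    # logged total is wrong
        else:
            statuses[fc.file_id] = "OK"
    return statuses


def exception_rate_by_interface(file_control, statuses):
    """Map interface name -> (files failed, files sampled, failure rate).

    Rates are kept per interface, not pooled across all files, because
    interfaces run at different frequencies and a pooled rate hides
    failures in the infrequent (e.g. monthly) ones.
    """
    sampled, failed = Counter(), Counter()
    for fc in file_control:
        sampled[fc.interface] += 1
        if statuses[fc.file_id] != "OK":
            failed[fc.interface] += 1
    return {
        name: (failed[name], sampled[name], failed[name] / sampled[name])
        for name in sampled
    }


if __name__ == "__main__":
    result = reconcile(FILE_CONTROL, BATCH_SUMMARY)
    for file_id, status in result.items():
        print(f"{file_id:<15} {status}")
    for name, (bad, n, rate) in exception_rate_by_interface(FILE_CONTROL, result).items():
        print(f"{name:<14} {bad}/{n} files did not reconcile ({rate:.0%})")
```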
FINDING 2024-003
Bridges Security Management and Access Controls*

See Schedule of Findings and Questioned Costs for chart/table.

Condition

MDHHS had not established effective security management and access controls over Bridges users. We noted:

a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.

b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.

c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.

d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.

e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.

Criteria

Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure the confidentiality, integrity, and availability of State of Michigan information.

SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are granted only the access necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts.

In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, be in place where segregation of duties* conflicts exist.

Cause

For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.

For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain, and timely complete, their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.

Effect

We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and the data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).

Known Questioned Costs

None.

Recommendation

We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004
Bridges Change Management Process

See Schedule of Findings and Questioned Costs for chart/table.

Condition

MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.

Criteria

Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

SOM Technical Standard 1340.00.060.04 requires that the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation.

State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause

MDHHS informed us it did not always follow established processes for documenting post-release validation and business owner approvals.

Effect

Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.

Known Questioned Costs

None.

Recommendation

We recommend MDHHS fully implement an effective change management process over Bridges.

Management Views

MDHHS agrees with the finding.
FINDING 2024-008 MDE, IT General Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*. LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States. The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster. MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys. Condition DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted: a. DTMB did not remove access for a user who had departed from State employment. b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers. After bringing these matters to management's attention, DTMB corrected the issues noted. 
Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires accounts should be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts. Cause DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its lack of removing and reviewing the privileged accounts. Effect Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers. Known Questioned Costs None. Recommendation We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers. Management Views DTMB agrees with the finding.
FINDING 2024-009 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted: a. MDE did not maintain documentation to support the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users. b. MDE did not fully implement an effective annual recertification process of non-privileged accounts: (1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND. (2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024 as noted below: See Schedule of Findings and Questioned Costs for chart/table. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. 
The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements annually for non-privileged accounts, and the information system to automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted. Cause MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies. Effect Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems. Known Questioned Costs None. Recommendation We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. Management Views MDE agrees with the finding.
FINDING 2024-010 MDE, Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDE informed us that because of an oversight, it did not document the testing results and close the work items. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists MDE cannot ensure MiND and NexSys are configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDE fully implement an effective change management process over MiND and NexSys. Management Views MDE agrees with the finding.
FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. 
As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. 
Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.
FINDING 2024-003 Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS had not established effective security management and access controls over Bridges users. We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.

Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.

Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).

Known Questioned Costs
None.

Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004 Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.

Management Views
MDHHS agrees with the finding.
FINDING 2024-008 MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*. LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States. The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster. MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.

Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires accounts should be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts.

Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its lack of removing and reviewing the privileged accounts.

Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.

Known Questioned Costs
None.

Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.

Management Views
DTMB agrees with the finding.
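The criteria in Findings 2024-003 and 2024-008 give concrete account-management thresholds: privileged accounts recertified semiannually, all other accounts annually, access removed within three business days of termination or transfer, and inactive accounts disabled after 60 days (18 months under the approved exception cited elsewhere in this report). The Python script below is an added illustration of how an agency could test an account inventory against those thresholds; it is not part of the audit report and not code from any State of Michigan system. The Account layout, the field names and the five sample users are constructed assumptions, and only weekends are treated as non-business days.

```python
"""Account-hygiene checks over a user inventory export (illustrative).

Thresholds follow the criteria quoted in the findings: privileged accounts
recertified semiannually, all other accounts annually, access removed within
three business days of termination or transfer, and inactive accounts disabled
after 60 days (18 months under the approved exception). The inventory below is
constructed sample data, not audit evidence.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Account:
    user: str
    privileged: bool
    last_login: date
    last_recert: date                  # date the last recertification was documented
    terminated: Optional[date] = None  # date the user left or transferred, if any
    removed: Optional[date] = None     # date access was actually removed, if any


def months_before(day: date, months: int) -> date:
    """Calendar-month subtraction, clamping to the last day of the target month."""
    years, month_index = divmod(day.month - 1 - months, 12)
    year, month = day.year + years, month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(day.day, last_day))


def add_business_days(day: date, n: int) -> date:
    """Advance `day` by n weekdays (weekends skipped; holidays not modelled)."""
    while n > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:
            n -= 1
    return day


def is_active(acct: Account) -> bool:
    return acct.removed is None


def overdue_recertifications(accounts: List[Account], as_of: date) -> List[str]:
    """Privileged accounts must be recertified within 6 months, others within 12."""
    flagged = []
    for acct in accounts:
        if not is_active(acct):
            continue
        cutoff = months_before(as_of, 6 if acct.privileged else 12)
        if acct.last_recert < cutoff:
            flagged.append(acct.user)
    return flagged


def inactive_accounts(accounts: List[Account], as_of: date,
                      idle_days: int = 60, idle_months: Optional[int] = None) -> List[str]:
    """Active accounts with no login since the cutoff: 60 days by default, or a
    calendar-month window such as the 18-month exception."""
    cutoff = months_before(as_of, idle_months) if idle_months else as_of - timedelta(days=idle_days)
    return [a.user for a in accounts if is_active(a) and a.last_login < cutoff]


def lingering_access(accounts: List[Account], as_of: date, grace_business_days: int = 3) -> List[str]:
    """Terminated or transferred users whose access outlived the removal deadline."""
    flagged = []
    for acct in accounts:
        if acct.terminated is None:
            continue
        deadline = add_business_days(acct.terminated, grace_business_days)
        removed_late = acct.removed is not None and acct.removed > deadline
        still_open = acct.removed is None and as_of > deadline
        if removed_late or still_open:
            flagged.append(acct.user)
    return flagged


AS_OF = date(2024, 9, 30)  # review date (constructed)
ACCOUNTS = [  # constructed inventory rows
    Account("a.admin", True, date(2024, 9, 12), date(2024, 2, 1)),
    Account("b.analyst", False, date(2024, 9, 1), date(2023, 11, 15)),
    Account("c.dormant", False, date(2023, 2, 20), date(2024, 3, 1)),
    Account("d.departed", True, date(2024, 7, 25), date(2024, 8, 1), terminated=date(2024, 7, 26)),
    Account("e.transfer", False, date(2024, 6, 3), date(2024, 1, 10),
            terminated=date(2024, 6, 3), removed=date(2024, 6, 5)),
]

if __name__ == "__main__":
    print("recertification overdue:", overdue_recertifications(ACCOUNTS, AS_OF))
    print("inactive > 18 months:", inactive_accounts(ACCOUNTS, AS_OF, idle_months=18))
    print("inactive > 60 days:", inactive_accounts(ACCOUNTS, AS_OF))
    print("access not removed in time:", lingering_access(ACCOUNTS, AS_OF))
```

Each check reports user names only, so the output can be attached to the recertification record as evidence of who was reviewed and why. Running the inactivity check with both the 60-day default and the 18-month exception shows how much an approved exception widens the window in which a departed user's account stays usable.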
FINDING 2024-010 MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted:
See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.

Management Views
MDE agrees with the finding.
FINDING 2024-002 Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.

Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of the information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) did not reconcile.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information.

In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Effective interface reconciliation procedures should include the use of control totals, record counts, and other logging techniques.

Cause
DTMB informed us that, because of a coding issue, record counts were either not logged or inappropriately duplicated, and the exceptions were not caught during development.

Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.

Known Questioned Costs
None.

Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.

Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested that DTMB proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.

For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.

Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine whether the auditee appropriately reconciled the 8 sampled interfaces, because the interfaces run at different intervals. Doing so would minimize the errors noted in less frequent interfaces when compared with more frequent ones. The significance of an interface depends on its purpose, not on how frequently it runs.

Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period, which falls within the required three-year retention period. DTMB should therefore have retained sufficient documentation, or retained it in a form that allowed the purged files to be replicated, to support that controls operated effectively throughout the audit period.

DTMB was not able to provide documentation to support that the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files.

Contrary to DTMB's views, interface controls are established at the level of a specific data file, not on the total number of records or errors identified over a series of data file transfers. The percentage of records in error therefore does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. The finding stands as written.
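The control the finding describes, a batch summary table whose record counts and totals are checked against the file that was actually processed, is easy to get wrong in exactly the way the cause describes (a count logged twice, or never logged). The following is an added example, not code from Bridges, DTMB or the OAG report. The H/D/T file layout, the summary-table columns, the sample file and the `duplicate_logging` switch are assumptions made for illustration. It reconciles three things that should agree: the sender's trailer, the receiver's summary row, and an independent recount of the file, so that a defect on either side of the interface shows up as a specific mismatch rather than a silent difference.

```python
"""Three-way reconciliation of a batch interface file.

Added example, not code from Bridges, DTMB or the OAG report. The file
layout (H/D/T records), the summary-table columns and the sample data are
assumptions made for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Trailer:
    record_count: int
    amount_total: int          # whole cents, so totals add exactly


@dataclass
class SummaryRow:
    """One row of the receiving system's batch summary table (assumed shape)."""
    file_id: str
    sha256: str
    records_read: int = 0
    records_accepted: int = 0
    exceptions: int = 0
    amount_total: int = 0


# Constructed sample file: header, three detail records, trailer.
SAMPLE_FILE = """H|SNAP-20240915|2024-09-15
D|C1001|12500
D|C1002|8000
D|C1003|4500
T|3|25000
"""
VALID_CASES = {"C1001", "C1002"}   # C1003 will be logged as an exception


def parse_interface_file(text: str):
    """Return (file_id, [(case_id, amount_cents), ...], Trailer)."""
    lines = [line for line in text.strip().splitlines() if line]
    if len(lines) < 2 or not lines[0].startswith("H|") or not lines[-1].startswith("T|"):
        raise ValueError("missing header or trailer record")
    file_id = lines[0].split("|")[1]
    records = []
    for line in lines[1:-1]:
        tag, case_id, amount = line.split("|")
        if tag != "D":
            raise ValueError(f"unexpected record type {tag!r}")
        records.append((case_id, int(amount)))
    _, count, total = lines[-1].split("|")
    return file_id, records, Trailer(int(count), int(total))


def process_file(text: str, valid_cases: set, duplicate_logging: bool = False) -> SummaryRow:
    """Load the file and write control totals to the summary table.

    duplicate_logging=True reproduces the kind of coding defect the finding
    describes (a count logged twice); it exists only so reconcile() has
    something to catch.
    """
    file_id, records, _ = parse_interface_file(text)
    row = SummaryRow(file_id, hashlib.sha256(text.encode()).hexdigest())
    for case_id, amount in records:
        row.records_read += 1
        row.amount_total += amount
        if case_id in valid_cases:
            row.records_accepted += 1
        else:
            row.exceptions += 1
            if duplicate_logging:
                row.exceptions += 1      # defect: exception counted twice
    return row


def reconcile(text: str, row: SummaryRow) -> list:
    """Compare the sender's trailer, the summary table and an independent recount.

    Returns mismatch descriptions; an empty list means the file reconciles.
    """
    file_id, records, trailer = parse_interface_file(text)
    problems = []
    if row.file_id != file_id:
        problems.append(f"summary row {row.file_id} does not belong to file {file_id}")
    if row.sha256 != hashlib.sha256(text.encode()).hexdigest():
        problems.append("file content changed after it was processed")
    # Sender-side control: the trailer must describe the detail records actually sent.
    if trailer.record_count != len(records):
        problems.append(f"trailer count {trailer.record_count} != {len(records)} detail records")
    if trailer.amount_total != sum(amount for _, amount in records):
        problems.append("trailer amount total != sum of detail amounts")
    # Receiver-side control: what was logged must match what was sent...
    if row.records_read != trailer.record_count:
        problems.append(f"summary read count {row.records_read} != trailer count {trailer.record_count}")
    if row.amount_total != trailer.amount_total:
        problems.append(f"summary amount {row.amount_total} != trailer amount {trailer.amount_total}")
    # ...and the logged outcome counts must account for every record read.
    if row.records_accepted + row.exceptions != row.records_read:
        problems.append(f"accepted {row.records_accepted} + exceptions {row.exceptions} != read {row.records_read}")
    return problems


if __name__ == "__main__":
    good = process_file(SAMPLE_FILE, VALID_CASES)
    print("clean run:", reconcile(SAMPLE_FILE, good) or "reconciles")
    bad = process_file(SAMPLE_FILE, VALID_CASES, duplicate_logging=True)
    print("duplicated logging:", reconcile(SAMPLE_FILE, bad))
```

Two design points follow from the finding. The reconciliation reads the original file back rather than trusting the summary row, which is why the summary row stores a hash of the file it was built from; and it checks the outcome counts against each other (accepted + exceptions = read), which is the check that catches a duplicated exception count even when the read count and amount total still agree with the trailer. Keeping the summary rows alongside the files they describe for the retention period is what makes the check repeatable later, which is the retention point the auditor raises above.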
FINDING 2024-003 Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS had not established effective security management and access controls over Bridges users. We noted:

a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.

b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.

c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.

d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.

e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.

SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts.

In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, be in place where segregation of duties* conflicts exist.

Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.

Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).

Known Questioned Costs
None.

Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004 Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

SOM Technical Standard 1340.00.060.04 requires the business owner to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDHHS informed us it did not always follow established processes for documenting post-release validation and business owner approvals.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.

Management Views
MDHHS agrees with the finding.
FINDING 2024-008 MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*. LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States. The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster. MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.

Condition
DTMB did not fully implement effective general controls* over the MiND, GEMS/MARS, and NexSys operating system servers. We noted:

a. DTMB did not remove access for a user who had departed from State employment.

b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.

After we brought these matters to management's attention, DTMB corrected the issues noted.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.

SOM Technical Standard 1340.00.020.01 requires that accounts be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts.

Cause
DTMB informed us that the removal and recertification processes had been reassigned to another employee, which resulted in the privileged accounts not being removed and reviewed.

Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access, or make inappropriate changes, to the MiND, GEMS/MARS, and NexSys operating system servers.

Known Questioned Costs
None.

Recommendation
We recommend DTMB fully implement effective general controls over the MiND, GEMS/MARS, and NexSys operating system servers.

Management Views
DTMB agrees with the finding.
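Both conditions in this finding (a departed user still present, a privileged review not performed on schedule) are the kind of thing a periodic account export can be checked for mechanically, and the cause (a hand-off between employees) is exactly the failure a scripted check survives. The following is an added example, not code from DTMB, the OAG, or any State of Michigan system. The CSV layout, column names, sample accounts, and the 60-day inactivity default are assumptions made for illustration; the three-business-day removal window and the semiannual privileged review follow the criteria quoted above. The inactivity threshold is a parameter so that a system operating under an approved exception can be checked against its own window.

```python
"""Account review checks over a server or application user export.

Added example, not code from DTMB, the OAG, or any State of Michigan
system. The export layout, column names, sample rows and the 60-day
inactivity default are assumptions; the 3-business-day removal window and
the semiannual (182-day) privileged review follow the criteria in the finding.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export: one row per account on a server.
SAMPLE_EXPORT = """username,privileged,last_login,terminated_on,last_review
svc_backup,yes,2024-09-28,,2024-02-10
jdoe,no,2024-09-29,,2024-01-15
asmith,yes,2024-05-01,2024-09-20,2024-06-01
rjones,no,2023-01-05,,2024-03-01
"""

AS_OF = date(2024, 9, 30)   # review date; matches the finding's fiscal year end


def business_days_between(start: date, end: date) -> int:
    """Count Monday-to-Friday days after `start` up to and including `end`."""
    days = 0
    d = start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def _parse_date(value: str):
    """ISO date or None for an empty export field."""
    return date.fromisoformat(value) if value else None


def review_accounts(export_csv: str, as_of: date, inactive_days: int = 60,
                    privileged_review_days: int = 182,
                    removal_business_days: int = 3) -> dict:
    """Return {username: [issue, ...]} for every account that fails a control."""
    issues = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        found = []
        privileged = row["privileged"].strip().lower() == "yes"
        last_login = _parse_date(row["last_login"])
        terminated = _parse_date(row["terminated_on"])
        last_review = _parse_date(row["last_review"])

        # Departed user whose account is still present past the removal window.
        if terminated and business_days_between(terminated, as_of) > removal_business_days:
            found.append(f"terminated {terminated}, not removed within "
                         f"{removal_business_days} business days")
        # Active account that has not been used within the inactivity window.
        elif last_login and (as_of - last_login).days > inactive_days:
            found.append(f"inactive {(as_of - last_login).days} days")
        # Privileged account whose semiannual review is missing or stale.
        if privileged and (last_review is None
                           or (as_of - last_review).days > privileged_review_days):
            found.append("privileged account review overdue")
        if found:
            issues[row["username"]] = found
    return issues


if __name__ == "__main__":
    for user, problems in review_accounts(SAMPLE_EXPORT, AS_OF).items():
        print(user, "->", "; ".join(problems))
```

The removal check counts business days rather than calendar days because that is how the Standard states the window, and a termination on a Friday would otherwise look like a breach on Monday morning. Run against a real export, the output is the exception list a reviewer signs off on, which is also the evidence the finding says was missing.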
FINDING 2024-010 MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted:

See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDE informed us that, because of an oversight, it did not document the testing results and close the work items.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.

Management Views
MDE agrees with the finding.
FINDING 2024-006 ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 5 significant systems and noted:

a. MDHHS and DTMB did not conduct annual testing of the disaster recovery plan (DRP) for 1 system during fiscal year 2024.

b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 4 systems during fiscal year 2024, including not updating the risk assessment, which resulted in the expiration of the authority to operate and/or missing control assessments for the systems.

Criteria
Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for the security of information systems used to administer federal programs. In part, the regulations require state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses.

In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

Cause
MDHHS and DTMB indicated resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.

Effect
MDHHS and DTMB cannot demonstrate they have implemented effective controls to ensure the confidentiality, integrity, and availability of their information systems, and cannot ensure they comply with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete DRPs could result in delays in restoring critical systems and business processes. Outdated or incomplete system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs.

Management Views
Although MDHHS and DTMB agree annual testing was not conducted for one system and not all necessary updates to the system security plan were completed during the audit period for 4 systems, MDHHS and DTMB disagree that effective controls were not implemented to ensure confidentiality, integrity, and availability of their ADP information systems. MDHHS and DTMB also disagree that the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described in the effect statement of the finding. MDHHS and DTMB have compensating controls in place to ensure confidentiality, integrity, and availability of their ADP information systems in addition to mitigating potential vulnerabilities. MDHHS and DTMB monitor remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of authority to operate. For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The system required to be audited as part of the Affordable Care Act, along with two other systems cited, are reviewed biennially through the Internal Control Evaluation process, where control evidence is updated to demonstrate the effectiveness of controls. Each system cited did not have any significant changes, and implemented controls are still working as expected.

Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the four systems cited did not have updated risk assessments, which leaves current risks unmonitored and creates a potential system vulnerability. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. The finding stands as written.
FINDING 2024-002 Bridges Interface Controls

See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.

Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, record counts, and other logging techniques.

Cause
DTMB informed us that, because of a coding issue, record counts were either not logged or inappropriately duplicated, and the exceptions were not caught during development.

Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.

Known Questioned Costs
None.

Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.

Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.

Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period, which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation, or maintained it in a manner to allow for replication of the purged files, to support that controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support that the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.
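The interface reconciliation FISCAM describes in the criteria above (control totals, record counts and logging), as an added example that is not code from the OAG report or from Bridges. The pipe-delimited H/D/T file layout, the shape of the batch summary table, the function names and the four sample files are constructed assumptions. The check compares the sender's trailer totals against the file that actually arrived, and then compares the file against what the receiving side logged, so a file whose counts were never logged or were logged twice (the defect DTMB described as its cause) surfaces as a reconciliation break at the individual file level instead of disappearing into an aggregate record count.

```python
"""Control-total reconciliation for a batch interface file.

Added illustration only, not code from the OAG report or from Bridges: the
H/D/T pipe-delimited layout, the batch summary table shape and every sample
file below are constructed for this example.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class InterfaceFile:
    name: str
    record_count: int        # detail records actually present in the file
    amount_total: Decimal    # hash total recomputed from the detail records
    trailer_count: int       # record count the sender wrote in the trailer
    trailer_amount: Decimal  # amount total the sender wrote in the trailer


@dataclass
class SummaryRow:
    """One row of the receiving system's batch summary table (assumed shape)."""
    file_name: str
    records_processed: int
    amount_processed: Decimal


def parse_interface_file(text: str) -> InterfaceFile:
    """Parse the constructed layout: H|name, D|case_id|amount ..., T|count|amount."""
    name = trailer_count = trailer_amount = None
    count, total = 0, Decimal("0")
    for line in text.strip().splitlines():
        fields = line.split("|")
        if fields[0] == "H":
            name = fields[1]
        elif fields[0] == "D":
            count += 1
            total += Decimal(fields[2])
        elif fields[0] == "T":
            trailer_count, trailer_amount = int(fields[1]), Decimal(fields[2])
        else:
            raise ValueError(f"unknown record type {fields[0]!r}")
    if name is None or trailer_count is None:
        raise ValueError("file is missing its header or trailer record")
    return InterfaceFile(name, count, total, trailer_count, trailer_amount)


def reconcile(f: InterfaceFile, summary: list[SummaryRow]) -> list[str]:
    """Return one message per control-total break; an empty list means reconciled."""
    breaks = []
    # Sender's trailer vs. the file that arrived: catches truncation or corruption in transit.
    if f.record_count != f.trailer_count:
        breaks.append(f"{f.name}: trailer declares {f.trailer_count} records, file holds {f.record_count}")
    if f.amount_total != f.trailer_amount:
        breaks.append(f"{f.name}: trailer amount {f.trailer_amount} != file amount {f.amount_total}")
    # File vs. the receiver's batch summary: catches counts never logged or logged twice.
    rows = [r for r in summary if r.file_name == f.name]
    if not rows:
        breaks.append(f"{f.name}: no batch summary row was logged")
        return breaks
    if len(rows) > 1:
        breaks.append(f"{f.name}: {len(rows)} batch summary rows logged for one file")
    logged_count = sum(r.records_processed for r in rows)
    logged_amount = sum(r.amount_processed for r in rows)
    if logged_count != f.record_count:
        breaks.append(f"{f.name}: summary logged {logged_count} records, file holds {f.record_count}")
    if logged_amount != f.amount_total:
        breaks.append(f"{f.name}: summary amount {logged_amount} != file amount {f.amount_total}")
    return breaks


# Constructed sample files (not real interface data).
SAMPLE_FILES = {
    "clean": "H|SSA_DAILY_20240401\nD|C1001|120.50\nD|C1002|80.25\nD|C1003|0.00\nT|3|200.75",
    "not_logged": "H|IRS_MONTHLY_202404\nD|C2001|15.00\nD|C2002|25.00\nT|2|40.00",
    "double_logged": "H|SSA_DAILY_20240402\nD|C1004|10.00\nD|C1005|20.00\nT|2|30.00",
    "truncated": "H|SSA_DAILY_20240403\nD|C1006|5.00\nD|C1007|5.00\nT|3|15.00",
}

# Constructed batch summary table: the second file never got a row, the third
# had its counts logged twice, the fourth was cut short before it arrived.
SAMPLE_SUMMARY = [
    SummaryRow("SSA_DAILY_20240401", 3, Decimal("200.75")),
    SummaryRow("SSA_DAILY_20240402", 2, Decimal("30.00")),
    SummaryRow("SSA_DAILY_20240402", 2, Decimal("30.00")),
    SummaryRow("SSA_DAILY_20240403", 2, Decimal("10.00")),
]


def run_sample() -> dict[str, list[str]]:
    """Reconcile every sample file; results are keyed by the file's header name."""
    results = {}
    for text in SAMPLE_FILES.values():
        f = parse_interface_file(text)
        results[f.name] = reconcile(f, SAMPLE_SUMMARY)
    return results


if __name__ == "__main__":
    for name, breaks in run_sample().items():
        print(name, "reconciled" if not breaks else "\n  " + "\n  ".join(breaks))
```

Run as a script it lists the breaks per file; only the first sample reconciles. Keeping the sender's trailer totals and the receiver's logged count and hash total in the retained summary row is what lets the reconciliation be reproduced later, even after detailed exception records have been purged and without re-running the batch in a changed test environment.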
FINDING 2024-003 Bridges Security Management and Access Controls*

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS had not established effective security management and access controls over Bridges users. We noted:

a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.

b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.

c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.

d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.

e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties to be implemented through assigned information system access authorizations, and accounts to be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, be in place where segregation of duties* conflicts exist.

Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.

Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).

Known Questioned Costs
None.

Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004 Bridges Change Management Process

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires that the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDHHS informed us it did not always follow established processes for documenting post-release validation and business owner approvals.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.

Management Views
MDHHS agrees with the finding.
FINDING 2024-006 ADP Security Program See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 5 significant systems and noted: a. MDHHS and DTMB did not conduct annual testing of the disaster recovery plan (DRP) for 1 system during fiscal year 2024. b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 4 systems during fiscal year 2024, including not updating the risk assessment which resulted in the expiration of the authority to operate and/or missing control assessments for the systems. Criteria Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Cause MDHHS and DTMB indicated resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program. 
Effect MDHHS and DTMB cannot demonstrate they have implemented effective controls to ensure the confidentiality, integrity, and availability of their information systems and cannot ensure they comply with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete DRPs could result in delays in restoring critical systems and business processes. Outdated or incomplete system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs. Management Views Although MDHHS and DTMB agree annual testing was not conducted for one system and not all necessary updates to the system security plan were completed during the audit period for 4 systems, MDHHS and DTMB disagree effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS and DTMB also disagree the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described in the effect statement of the finding. MDHHS and DTMB have compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS and DTMB monitor remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of authority to operate. For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. 
Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The system required to be audited as part of the Affordable Care Act, along with two other systems cited, are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate the effectiveness of controls. Each system cited did not have any significant changes and implemented controls are still working as expected. Auditor's Comments to Management Views Although MDHHS may monitor the remediation of identified risks through POAMS, the four systems cited did not have updated risk assessments, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. 
As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. 
Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.
FINDING 2024-003 Bridges Security Management and Access Controls* See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests. b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports. c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges. d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts. e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. 
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist. Cause For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None. 
Recommendation We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2024-006 ADP Security Program

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 5 significant systems and noted:

a. MDHHS and DTMB did not conduct annual testing of the disaster recovery plan (DRP) for 1 system during fiscal year 2024.

b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 4 systems during fiscal year 2024, including not updating the risk assessment, which resulted in the expiration of the authority to operate and/or missing control assessments for the systems.

Criteria
Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for the security of information systems used to administer federal programs. In part, the regulations require state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

Cause
MDHHS and DTMB indicated resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.

Effect
MDHHS and DTMB cannot demonstrate they have implemented effective controls to ensure the confidentiality, integrity, and availability of their information systems and cannot ensure they comply with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete DRPs could result in delays in restoring critical systems and business processes. Outdated or incomplete system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs.

Management Views
Although MDHHS and DTMB agree annual testing was not conducted for one system and not all necessary updates to the system security plan were completed during the audit period for 4 systems, MDHHS and DTMB disagree effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS and DTMB also disagree the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described in the effect statement of the finding. MDHHS and DTMB have compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS and DTMB monitor remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of authority to operate. For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The system required to be audited as part of the Affordable Care Act, along with two other systems cited, is reviewed biennially through the Internal Control Evaluation process, where control evidence is updated to demonstrate the effectiveness of controls. Each system cited did not have any significant changes and implemented controls are still working as expected.

Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the four systems cited did not have updated risk assessments, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2024-002 Bridges Interface Controls

See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.

Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, record counts, and other logging techniques.

Cause
DTMB informed us that, because of a coding issue, record counts were either not logged or inappropriately duplicated, and the exceptions were not caught during development.

Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.

Known Questioned Costs
None.

Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.

Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.

Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the interfaces run at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but on the purpose of the interface, regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period, which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation, or maintained it in a manner to allow for replication of the purged files, to support that controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support that the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.
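A file-level reconciliation check of the kind this finding describes, added here as an example that is not part of the audit report and not code from the Bridges interfaces. The record layouts, the rule that alerts are logged but not counted in the summary, and the sample files are constructed assumptions; each file passes or fails on its own, and results are never pooled across files, which is the point the auditor's comments make.

```python
"""Per-file reconciliation of interface control totals against the receiving
system's batch summary table and detailed exception log. Constructed example:
record layouts, rules and sample data are illustrative, not from the audit
report or the Bridges interfaces; the control is checked file by file, never
as an aggregate of records across files.
"""
from dataclasses import dataclass, field


@dataclass
class FileControl:            # control record sent with one interface file
    interface: str
    file_id: str
    declared_records: int     # control total the source says it sent


@dataclass
class SummaryRow:             # one row of the batch summary table
    file_id: str
    processed: int
    exceptions: int


@dataclass
class ExceptionRecord:        # detailed exception; severity 'error' or 'alert'
    file_id: str
    severity: str
    detail: str


@dataclass
class FileResult:
    interface: str
    file_id: str
    reconciled: bool
    problems: list = field(default_factory=list)


def reconcile_file(control, summaries, details):
    """Three assumed rules: (1) exactly one summary row is logged for the
    file; (2) declared_records == processed + exceptions; (3) the summary
    exception count equals the detailed 'error' records (alerts are logged
    but, by documented rule, not counted). Any failed rule fails the file."""
    problems = []
    rows = [r for r in summaries if r.file_id == control.file_id]
    if not rows:
        problems.append("summary row not logged")
    elif len(rows) > 1:
        problems.append(f"summary row logged {len(rows)} times")
    else:
        row = rows[0]
        if row.processed + row.exceptions != control.declared_records:
            problems.append(f"control total mismatch: declared "
                            f"{control.declared_records}, summary "
                            f"{row.processed} + {row.exceptions}")
        errors = sum(1 for d in details
                     if d.file_id == control.file_id and d.severity == "error")
        if errors != row.exceptions:
            problems.append(f"detail/summary mismatch: {errors} error records "
                            f"logged, summary shows {row.exceptions}")
    return FileResult(control.interface, control.file_id, not problems, problems)


def reconcile_all(controls, summaries, details):
    """One result per file; nothing is pooled across files."""
    return [reconcile_file(c, summaries, details) for c in controls]


def failures_by_interface(results):
    """(files checked, files failed) per interface, the unit the control covers."""
    out = {}
    for r in results:
        n, bad = out.get(r.interface, (0, 0))
        out[r.interface] = (n + 1, bad + (not r.reconciled))
    return out


# Constructed sample covering the failure modes named in the finding.
CONTROLS = [
    FileControl("SSA-DAILY", "ssa-20240301", 1000),    # clean
    FileControl("SSA-DAILY", "ssa-20240302", 1000),    # count logged twice
    FileControl("SSA-DAILY", "ssa-20240303", 1000),    # count never logged
    FileControl("SSA-DAILY", "ssa-20240304", 1000),    # alert only: clean
    FileControl("IRS-MONTHLY", "irs-202403", 250000),  # detail != summary
]
SUMMARIES = [
    SummaryRow("ssa-20240301", 998, 2),
    SummaryRow("ssa-20240302", 1000, 0),
    SummaryRow("ssa-20240302", 1000, 0),
    SummaryRow("ssa-20240304", 1000, 0),
    SummaryRow("irs-202403", 249990, 10),
]
DETAILS = [
    ExceptionRecord("ssa-20240301", "error", "invalid SSN format"),
    ExceptionRecord("ssa-20240301", "error", "missing date of birth"),
    ExceptionRecord("ssa-20240304", "alert", "file arrived after cutoff"),
] + [ExceptionRecord("irs-202403", "error", f"bad amount, row {i}") for i in range(8)]
```

Running `reconcile_all(CONTROLS, SUMMARIES, DETAILS)` fails three of the five sample files (duplicate count, missing count, detail/summary mismatch) while the alert-only file passes, because the rule for what is counted is explicit and can be audited.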
FINDING 2024-003 Bridges Security Management and Access Controls*

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS had not established effective security management and access controls over Bridges users. We noted:

a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.

b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.

c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.

d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.

e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.

Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.

Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).

Known Questioned Costs
None.

Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
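The access-control criteria in this finding (security agreement and incompatible-role exception approved before access is granted; privileged accounts recertified semiannually, all others annually), applied as an added review script that is not from the audit report and not code from Bridges. The account layout, the incompatible role pairs, the 182-day and 365-day reading of semiannual and annual, the review date and the sample accounts are constructed assumptions.

```python
"""Account recertification and approval-sequence checks for application users.

Constructed example: the account layout, incompatible role pairs, dates and
interval lengths are assumptions, not taken from the audit report or from
Bridges. It applies the criteria in the finding: access and incompatible-role
exceptions approved before they are granted, privileged accounts recertified
semiannually and all other accounts annually.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

AS_OF = date(2024, 9, 30)              # constructed review date
RECERT_DAYS = {True: 182, False: 365}  # privileged: semiannual; others: annual
INCOMPATIBLE = [frozenset({"CASE_WORKER", "PAYMENT_APPROVER"}),
                frozenset({"SECURITY_ADMIN", "CASE_WORKER"})]  # constructed pairs


@dataclass
class Account:
    user_id: str
    privileged: bool
    roles: frozenset
    access_granted: date
    agreement_approved: Optional[date]          # application security agreement
    last_recertified: Optional[date] = None
    sod_exception_approved: Optional[date] = None


def check_account(acct, as_of=AS_OF):
    """Return a list of (code, message) findings for one account."""
    findings = []
    # 1. security agreement must be approved before access is granted
    if acct.agreement_approved is None:
        findings.append(("AGREEMENT_MISSING", "no approved security agreement"))
    elif acct.agreement_approved > acct.access_granted:
        findings.append(("AGREEMENT_AFTER_GRANT",
                         f"agreement approved {acct.agreement_approved}, "
                         f"access granted {acct.access_granted}"))
    # 2. recertification cadence; never-recertified accounts age from the grant
    baseline = acct.last_recertified or acct.access_granted
    age, limit = (as_of - baseline).days, RECERT_DAYS[acct.privileged]
    if age > limit:
        findings.append(("RECERT_OVERDUE",
                         f"{age} days since last review, limit {limit}"))
    # 3. incompatible roles need an exception approved before the grant
    for pair in INCOMPATIBLE:
        if not pair <= acct.roles:
            continue
        if acct.sod_exception_approved is None:
            findings.append(("SOD_EXCEPTION_MISSING",
                             f"holds {sorted(pair)} with no approved exception"))
        elif acct.sod_exception_approved > acct.access_granted:
            findings.append(("SOD_EXCEPTION_AFTER_GRANT",
                             f"exception approved {acct.sod_exception_approved}, "
                             f"roles granted {acct.access_granted}"))
    return findings


def review(accounts, as_of=AS_OF):
    """Map each user_id to its findings; an empty list means compliant."""
    return {a.user_id: check_account(a, as_of) for a in accounts}


# Constructed sample accounts.
SAMPLE = [
    Account("u1", False, frozenset({"CASE_WORKER"}), date(2023, 1, 10),
            date(2023, 1, 5), last_recertified=date(2024, 2, 1)),
    Account("u2", True, frozenset({"SYS_ADMIN"}), date(2022, 6, 1),
            date(2022, 5, 20), last_recertified=date(2024, 1, 15)),
    Account("u3", False, frozenset({"CASE_WORKER", "PAYMENT_APPROVER"}),
            date(2024, 3, 1), date(2024, 2, 20),
            sod_exception_approved=date(2024, 3, 5)),
    Account("u4", False, frozenset({"CASE_WORKER"}), date(2024, 5, 1), None),
]
```

`review(SAMPLE)` flags u2 (privileged, 259 days since recertification), u3 (incompatible roles whose exception was approved four days after the grant) and u4 (no approved agreement), and clears u1.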
FINDING 2024-002 Bridges Interface Controls

See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.

Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.

Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.

Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.

Known Questioned Costs
None.

Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.

Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results.

For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.

Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval.

Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files.

Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.
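The criteria above describe interface reconciliation in terms of control totals, record counts and batch summary logging, and the cause describes counts that were either not logged or logged twice. The following Python is an illustration added here to show what such a per-file reconciliation check looks like; it is not code from the OAG report, from DTMB, or from Bridges. The pipe-delimited file layout (D detail lines, one T control trailer), the batch summary table columns and the file identifiers are all constructed for the example.

```python
"""Interface reconciliation with control totals (constructed illustration, not Bridges code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Reconciliation:
    file_id: str
    status: str                              # "RECONCILED" or "EXCEPTION"
    issues: List[str] = field(default_factory=list)


def parse_interface_file(text: str) -> Tuple[List[Tuple[str, int]], Tuple[int, int]]:
    """Parse a constructed pipe-delimited interface file.

    Detail line:  D|<record id>|<amount>
    Trailer line: T|<record count>|<amount control total>
    The trailer carries the source system's control totals; exactly one is required.
    """
    details: List[Tuple[str, int]] = []
    trailer = None
    for raw in text.strip().splitlines():
        kind, *fields = raw.strip().split("|")
        if kind == "D":
            details.append((fields[0], int(fields[1])))
        elif kind == "T":
            if trailer is not None:
                raise ValueError("more than one control trailer")
            trailer = (int(fields[0]), int(fields[1]))
        else:
            raise ValueError(f"unknown record type {kind!r}")
    if trailer is None:
        raise ValueError("file has no control trailer")
    return details, trailer


def reconcile(file_id: str, text: str, summary_table: List[Dict]) -> Reconciliation:
    """Reconcile one file: source control totals vs. the receiving side's batch summary entry."""
    details, (ctl_count, ctl_total) = parse_interface_file(text)
    issues: List[str] = []

    # 1. Source-side check: the detail records must match the trailer's control totals.
    actual_count = len(details)
    actual_total = sum(amount for _, amount in details)
    if actual_count != ctl_count:
        issues.append(f"detail count {actual_count} != trailer count {ctl_count}")
    if actual_total != ctl_total:
        issues.append(f"amount total {actual_total} != trailer total {ctl_total}")

    # 2. Receiving-side check: exactly one logged summary entry, covering every record.
    #    A missing entry or a duplicated entry is itself an exception, so a file that
    #    was never counted (or counted twice) cannot pass as reconciled.
    entries = [row for row in summary_table if row["file_id"] == file_id]
    if not entries:
        issues.append("no batch summary entry was logged")
    elif len(entries) > 1:
        issues.append(f"batch summary entry logged {len(entries)} times")
    else:
        processed = entries[0]["accepted"] + entries[0]["rejected"]
        if processed != actual_count:
            issues.append(f"summary table shows {processed} records, file has {actual_count}")

    return Reconciliation(file_id, "EXCEPTION" if issues else "RECONCILED", issues)


# Constructed sample input: four files across two hypothetical interfaces.
SAMPLE_FILES = {
    "IF01-20240115": "D|1001|2500\nD|1002|1200\nD|1003|300\nT|3|4000",           # reconciles
    "IF01-20240116": "D|1004|500\nD|1005|700\nT|2|1200",                          # never logged
    "IF02-202401": "D|2001|100\nD|2002|100\nD|2003|100\nD|2004|100\nT|4|400",     # logged twice
    "IF02-202402": "D|2005|100\nD|2006|100\nT|3|200",                             # bad trailer count
}
SAMPLE_SUMMARY_TABLE = [
    {"file_id": "IF01-20240115", "accepted": 2, "rejected": 1},
    {"file_id": "IF02-202401", "accepted": 4, "rejected": 0},
    {"file_id": "IF02-202401", "accepted": 4, "rejected": 0},   # duplicated logging
    {"file_id": "IF02-202402", "accepted": 2, "rejected": 0},
]


def reconcile_all(files=SAMPLE_FILES, table=SAMPLE_SUMMARY_TABLE) -> Dict[str, Reconciliation]:
    """Reconcile every file individually; results are never pooled across files."""
    return {fid: reconcile(fid, text, table) for fid, text in files.items()}


if __name__ == "__main__":
    for result in reconcile_all().values():
        print(result.file_id, result.status, "; ".join(result.issues))
```

Each file is judged on its own, which is the point the auditor makes above: a reconciliation failure is a property of a specific data file, and pooling record counts across many files would hide a file that was never logged or was logged twice.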
FINDING 2024-003 Bridges Security Management and Access Controls*

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS had not established effective security management and access controls over Bridges users. We noted:

a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.

b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.

c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.

d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.

e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.

SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.

Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.

Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).

Known Questioned Costs
None.

Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
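Parts a., c. and d. of the condition and the criteria above define three checks an agency can run against its own account records: an incompatible-role combination needs an exception approved before the roles are granted, a security agreement must be approved before access is granted, and accounts fall due for recertification semiannually when privileged and annually otherwise. The following Python is an illustration added here of those checks as an automated pre-review; it is not code from the OAG report, from MDHHS, or from Bridges. The role names, the incompatible-role matrix, the account records and the review date are constructed for the example, and the 182-day and 365-day intervals are an assumed reading of "semiannually" and "annually".

```python
"""Access-control review checks (constructed illustration, not Bridges code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed incompatible-role matrix (hypothetical role names, not Bridges roles).
INCOMPATIBLE_ROLES: Set[FrozenSet[str]] = {
    frozenset({"CASE_WORKER", "CASE_APPROVER"}),
    frozenset({"PAYMENT_ENTRY", "PAYMENT_RELEASE"}),
}

# Assumed review intervals: semiannual for privileged accounts, annual for all others.
RECERT_INTERVAL = {True: timedelta(days=182), False: timedelta(days=365)}


@dataclass
class Account:
    user: str
    roles: Set[str]
    privileged: bool
    access_granted: date
    agreement_approved: Optional[date]            # application security agreement approval
    last_recertified: Optional[date] = None       # None: not recertified since the grant
    # Separation-of-duties exception approvals keyed by role pair; None = not approved.
    exceptions: Dict[FrozenSet[str], Optional[date]] = field(default_factory=dict)


def review_account(acct: Account, as_of: date) -> List[str]:
    """Return the control exceptions found for one account as of the review date."""
    findings: List[str] = []

    # (c) The security agreement must be approved before access is granted.
    if acct.agreement_approved is None or acct.agreement_approved > acct.access_granted:
        findings.append("access granted without an approved security agreement")

    # (a) An incompatible role combination needs an exception approved before the grant.
    for pair in INCOMPATIBLE_ROLES:
        if pair <= acct.roles:
            approved = acct.exceptions.get(pair)
            if approved is None or approved > acct.access_granted:
                findings.append("incompatible roles " + "/".join(sorted(pair))
                                + " granted before exception approval")

    # (d) Recertification is due one interval after the last review (or the grant).
    due = (acct.last_recertified or acct.access_granted) + RECERT_INTERVAL[acct.privileged]
    if due < as_of:
        findings.append(f"recertification overdue since {due.isoformat()}")
    return findings


# Constructed sample accounts; each exercises one check.
SAMPLE_ACCOUNTS = [
    Account("alice", {"CASE_WORKER"}, False, date(2023, 1, 10), date(2023, 1, 5), date(2024, 3, 1)),
    Account("bob", {"CASE_WORKER", "CASE_APPROVER"}, False, date(2023, 5, 15), date(2023, 5, 10),
            date(2024, 1, 15), {frozenset({"CASE_WORKER", "CASE_APPROVER"}): date(2023, 6, 1)}),
    Account("carol", {"SYS_ADMIN"}, True, date(2022, 2, 1), date(2022, 2, 1), date(2024, 2, 1)),
    Account("dave", {"PAYMENT_ENTRY", "PAYMENT_RELEASE"}, False, date(2023, 3, 10), None,
            date(2024, 5, 1), {frozenset({"PAYMENT_ENTRY", "PAYMENT_RELEASE"}): date(2023, 3, 1)}),
    Account("eve", {"PAYMENT_ENTRY"}, False, date(2023, 8, 1), date(2023, 8, 1)),
]
AS_OF = date(2024, 9, 30)   # constructed review date


def review_all(accounts=SAMPLE_ACCOUNTS, as_of=AS_OF) -> Dict[str, List[str]]:
    return {acct.user: review_account(acct, as_of) for acct in accounts}


if __name__ == "__main__":
    for user, findings in review_all().items():
        print(user, "OK" if not findings else "; ".join(findings))
```

A check like this does not replace the documented approvals and recertifications the criteria require; it surfaces the accounts whose records show a missing or late approval so the reviewer can pull the supporting documentation first.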