FINDING 2024-002 Bridges Interface Controls

See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.

Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, record counts, and other logging techniques.

Cause
DTMB informed us that, because of a coding issue, record counts were either not logged or inappropriately duplicated, and the exceptions were not caught during development.

Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.

Known Questioned Costs
None.

Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.

Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.

Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces, because the interfaces run at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but on the purpose of the interface, regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period, which fall within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation, or maintained it in a manner that allows for replication of the purged files, to support that controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support that the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.
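The file-level reconciliation the finding describes, as an added example that is not code from the audit report or from the Bridges system: each transferred file's control total is compared with the file control table and the batch summary table, and the two failure modes the Cause cites (a count not logged, a count duplicated) are flagged alongside a plain count mismatch. Interface names, table layouts and all sample rows are constructed.

```python
"""Interface control-total reconciliation for batch file transfers.

Added example, not code from the audit report or from the Bridges system.
Interface names, table layouts and all rows below are constructed. The
check mirrors the control the finding describes: the record count that
travels with each transferred file is compared with the file control table
(what the receiving side logged as received) and the batch summary table
(what processing logged as processed plus excepted). A file fails to
reconcile when a count was not logged, was logged more than once (the
duplication the Cause cites), or does not match the control total.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

FileKey = Tuple[str, str]  # (interface name, run date)


@dataclass(frozen=True)
class InterfaceFile:
    interface: str     # hypothetical interface name
    run_date: str      # ISO date of the daily or monthly run
    record_count: int  # control total carried in the sending system's file trailer


def _group(rows: List[dict]) -> Dict[FileKey, List[dict]]:
    """Index table rows by (interface, run_date); a duplicated log shows up as a longer list."""
    grouped: Dict[FileKey, List[dict]] = defaultdict(list)
    for row in rows:
        grouped[(row["interface"], row["run_date"])].append(row)
    return grouped


def _check_table(table: str, rows: List[dict], total_of: Callable[[dict], int],
                 expected: int) -> List[str]:
    """Reconciling exceptions for one table's rows belonging to one file."""
    if not rows:
        return [f"{table}: count not logged"]
    if len(rows) > 1:
        return [f"{table}: count logged {len(rows)} times"]
    actual = total_of(rows[0])
    if actual != expected:
        return [f"{table}: logged total {actual} differs from control total {expected}"]
    return []


def reconcile(files: List[InterfaceFile], file_control: List[dict],
              batch_summary: List[dict]) -> Dict[FileKey, List[str]]:
    """Return the files that do not reconcile, each with the reasons found."""
    fc, bs = _group(file_control), _group(batch_summary)
    exceptions: Dict[FileKey, List[str]] = {}
    for f in files:
        key = (f.interface, f.run_date)
        problems = _check_table("file_control", fc.get(key, []),
                                lambda r: r["records_received"], f.record_count)
        # processed + excepted must add back up to what was received
        problems += _check_table("batch_summary", bs.get(key, []),
                                 lambda r: r["records_processed"] + r["exception_count"],
                                 f.record_count)
        if problems:
            exceptions[key] = problems
    return exceptions


def failure_rate(files: List[InterfaceFile], exceptions: Dict[FileKey, List[str]]) -> float:
    """Share of sampled files that did not reconcile (the finding reports 7 of 28, 25%)."""
    return len(exceptions) / len(files) if files else 0.0


# Constructed sample: four transferred files and the two logging tables.
FILES = [
    InterfaceFile("WAGE_MATCH_DAILY", "2024-03-04", 15230),    # reconciles
    InterfaceFile("WAGE_MATCH_DAILY", "2024-03-05", 15102),    # never logged in batch summary
    InterfaceFile("WAGE_MATCH_DAILY", "2024-03-06", 14988),    # logged twice in file control
    InterfaceFile("BENEFIT_MONTHLY", "2024-03-31", 2410557),   # 17 records unaccounted for
]
FILE_CONTROL = [
    {"interface": "WAGE_MATCH_DAILY", "run_date": "2024-03-04", "records_received": 15230},
    {"interface": "WAGE_MATCH_DAILY", "run_date": "2024-03-05", "records_received": 15102},
    {"interface": "WAGE_MATCH_DAILY", "run_date": "2024-03-06", "records_received": 14988},
    {"interface": "WAGE_MATCH_DAILY", "run_date": "2024-03-06", "records_received": 14988},
    {"interface": "BENEFIT_MONTHLY", "run_date": "2024-03-31", "records_received": 2410557},
]
BATCH_SUMMARY = [
    {"interface": "WAGE_MATCH_DAILY", "run_date": "2024-03-04",
     "records_processed": 15201, "exception_count": 29},
    {"interface": "WAGE_MATCH_DAILY", "run_date": "2024-03-06",
     "records_processed": 14950, "exception_count": 38},
    {"interface": "BENEFIT_MONTHLY", "run_date": "2024-03-31",
     "records_processed": 2410500, "exception_count": 40},
]

if __name__ == "__main__":
    found = reconcile(FILES, FILE_CONTROL, BATCH_SUMMARY)
    for (interface, run_date), reasons in sorted(found.items()):
        print(f"{interface} {run_date}: " + "; ".join(reasons))
    print(f"{len(found)} of {len(FILES)} files did not reconcile "
          f"({failure_rate(FILES, found):.0%})")
```

Because the check runs per file rather than over the pooled record count, a single unlogged daily run is reported even when it is a vanishing fraction of the month's records, which is the point the auditor's comments make.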
FINDING 2024-003 Bridges Security Management and Access Controls*

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS had not established effective security management and access controls over Bridges users. We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, be in place where segregation of duties'* conflicts exist.

Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.

Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).

Known Questioned Costs
None.

Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004 Bridges Change Management Process

See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires that the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDHHS informed us it did not always follow established processes for documenting post-release validation and business owner approvals.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.

Management Views
MDHHS agrees with the finding.
FINDING 2024-056 Disaster Grants - Public Assistance (Presidentially Declared Disasters), ALN 97.036, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Period of Performance, Reporting, Subrecipient Monitoring, and Special Tests and Provisions - EM Grants Manager Security Management and Access Controls

See Schedule of Findings and Questioned Costs for chart/table.

Condition
The Michigan Department of State Police (MSP) did not fully establish effective security management and access controls over EM Grants Manager. MSP program staff utilize EM Grants Manager for administering Federal Emergency Management Agency disaster grants. We noted:
a. MSP did not maintain documentation for 2 (10%) of 20 sampled EM Grants Manager access request forms.
b. MSP did not review privileged accounts on a semiannual basis.
c. MSP did not disable 1,658 (89%) of 1,868 active EM Grants Manager user accounts not accessing the application in over 60 days as of September 30, 2024.

Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts, and that the information system automatically disable inactive user accounts after 60 days.

Cause
MSP informed us internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures.

Effect
Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to EM Grants Manager.

Known Questioned Costs
None.

Recommendation
We recommend MSP fully establish effective security management and access controls over EM Grants Manager.

Management Views
MSP agrees with the finding.
Item 2024-002: Reporting

[See table in report]

Federal and state agencies:
• 93.231 – U.S. Department of Health and Human Services
• 445.566 – Wisconsin Department of Workforce Development
• 435.65859 – Wisconsin Department of Health Services

Pass-through entity: None

Criteria: The Organization is required to comply with 2 CFR section 200.303, which requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards.

Condition: During our testing of reporting requirements, we noted that there was no documentation that reports were reviewed prior to submission to the grantor.

Cause: Staffing changes in the finance department. A review is performed; however, this review is not documented because the reports are filed electronically. Due to these events, management has not documented review of the reports.

Effect: The likelihood of inaccurate reporting is increased when reports are not thoroughly reviewed.

Questioned costs: None

Prevalence: The population of reports subject to reporting requirements included 24 reports for the programs referred to in this finding. For 9 of the 10 reports tested, the Organization did not have documentation showing the reports were reviewed. The sample size of 10 was determined using guidance in the American Institute of Certified Public Accountants (AICPA) Audit and Accounting Guide: Government Auditing Standards and Single Audits. Our sample was not a statistical sample.

Repeat finding: Yes

Recommendation: We recommend that the Organization review its processes to ensure that all required reports are accurately reviewed and that the review is documented.

Views of responsible officials of the auditee: We agree with the above finding and our response is included in the corrective action plan.
Finding 2024-004 U.S. Department of Health and Human Services
Program Title: Global AIDS
Assistance Listing Number: 93.067
Federal Award Year: 2023-2024
Type of Finding: Allowable Costs – Internal Control (Significant Deficiency)
Criteria: 2 CFR section 200.303 requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. The internal control system will include reviews of expenses charged to federal awards to verify that the expenses charged are both allowable costs and allowable activities. These reviews should be documented by an approval noted on the supporting documentation for the specific expenditure.
Context: During our audit, we sampled both payroll and non-payroll transactions from the country offices of the Organization. We noted that the Organization was unable to provide sufficient documentation to demonstrate that it had performed the required ongoing review and approval of expenses charged to the grant. The absence of such documentation indicates that the Organization did not fully comply with the federal requirements for internal controls over allowable costs and allowable activities.
Condition: During our testing, we selected 40 payroll and 40 non-payroll transactions for testing. In our testing over payroll transactions, we noted that there were two (2) transactions in which the Organization was unable to provide evidence of a review and approval of the transaction. In our testing over non-payroll transactions, we noted that there was one (1) transaction in which the Organization was unable to provide evidence of a review and approval of the transaction.
Cause and Effect: The Organization is not able to access supporting documentation due to political and social conditions in the countries where the Organization operates.
Questioned Costs: None to report.
Identified as a Repeat Finding: No.
Recommendation: The Organization should ensure that headquarters staff have access to all supporting documentation for expenses charged to federal grants.
Finding 2024-001: Cash Management and Reporting – Significant Deficiency in Internal Control over Compliance.
Program: 16.575 – U.S. Department of Justice, Office of Justice Programs, Office for Victims of Crimes: Passed-through Texas Office of the Governor, Criminal Justice Division (CJD) Crime Victim Assistance.
Criteria: 2 CFR section 200.303 requires that non-Federal entities receiving Federal awards establish and maintain internal control over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition: During our audit, we noted that reports and requests for reimbursements were not being reviewed and approved prior to submission.
Cause: Controls were not in place to review and approve reports or requests for reimbursements prior to submission.
Effect or Potential Effect: Reports and requests for reimbursements being submitted to the granting agency might be incomplete or inaccurate.
Questioned Costs: None noted.
Context: Management was not able to produce evidence that the reports and requests for reimbursements were being reviewed and approved prior to submission.
Recommendation: A policy should be established and enforced to maintain evidence of controls performed over applicable compliance requirements. Evidence of review and approval of reports and requests for reimbursement should be retained by management and be available for inspection.
Repeat Finding: No.
Views of Responsible Officials: Management agrees with the audit finding and a response is included in the corrective action plan.
Finding: 2024-002 – Cash Management – Significant Deficiency in Controls over Compliance
Department: United States Department of Health and Human Services
Program Name: Assistance for Torture Victims
Federal Assistance Listing Number: 93.604
Criteria: 2 CFR 200.303: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by COSO.
Condition/Context: During our walkthroughs of the cash draw process, the Organization indicated that there is a lack of evidence supporting preparation of the draw and review of the draw.
Cause: Management did not have a documented policy and set of documented procedures in place to ensure consistent application of an independent review and memorializing that review.
Effect: Draws in excess of amounts incurred may not be spent within three days. Further, any amounts claimed that are not allowable grant expenditures may be disallowed by the granting agency.
Questioned Costs: None identified.
Repeat finding – This is not a repeat finding.
Recommendation: We recommend that the Organization establish a written policy and procedures for cash management that should be reviewed and approved by those charged with governance. The policy should require that all draws are reviewed by someone independent of the individual calculating the draw. The review should be documented in the Organization’s books and records.
Views of responsible officials and planned corrective actions: Management agrees with this finding.
Program Information: U.S. Department of the Interior Single Agreement – Assistance Listing #15.036
Award Number: A18AV00341
Award Period: 10/01/2023 – 9/30/2024
Criteria: Non-federal entities other than states, including those operating federal programs as subrecipients of states, must follow the procurement standards set out at 2 CFR sections 200.318 through 200.326. They must use their own documented procurement procedures, which reflect applicable state and local laws and regulations, provided that the procurements conform to applicable federal statutes and the procurement requirements identified in 2 CFR part 200. Non-federal entities are prohibited from contracting with or making subawards under covered transactions to parties that are suspended or debarred. “Covered transactions” include contracts for goods and services awarded under a non-procurement transaction (e.g., grant or cooperative agreement) that are expected to equal or exceed $25,000 or meet certain other criteria as specified in 2 CFR section 180.220. Per 2 CFR § 200.303 Internal controls, the non-federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-federal entity is managing the Federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition/Context: 1 of 3 procurement samples selected for testing had no documentation of bidding, alternative price quotes, or sole source documentation. Additionally, for 1 of 1 Individually Important Items and 2 of 2 suspension and debarment samples selected for testing, NWIFC could not provide support showing a SAM.gov check was performed prior to conducting business with the vendors.
[ X ] Compliance Finding [ ] Significant Deficiency [ X ] Material Weakness
Cause: It appears the policies and procedures for procurement and suspension and debarment were not followed.
Effect: Without solicitation from an adequate number of qualified sources, NWIFC is at risk of over-spending on projects and, thus, leaving fewer resources available to fulfill the mission of NWIFC. Additionally, NWIFC could be subject to other sanctions from funding agencies if they determine that programs did not assure vendors were properly checked for suspension and debarment.
Questioned Costs: $25,750 for procurement. This amount represents procurement transactions selected for testing that lacked required documentation of competitive bidding, price comparisons, or sole source justifications. As a result, these costs do not meet the allowability and procurement standards under 2 CFR 200.318–200.320 and are therefore questioned. Not applicable for suspension and debarment. While internal controls were not followed, no specific transactions were identified that violated the cost allowability requirements.
Repeat Finding: Yes, finding #2023-003.
Recommendation: We recommend that the NWIFC adhere to program policies and procedures as documented and supporting documentation is kept available for review.
Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding and has prepared corrective action as detailed in its Corrective Action Plan.
Program Information: U.S. Department of Commerce NOAA Hatchery Genetic Mgmt – Assistance Listing #11.437
Award Number: NA18NMF4370324
Award Period: 7/01/2018 – 6/30/2024
Criteria: Reporting requirements are contained in the following: Monitoring and reporting program performance, 2 CFR Section 200.329.
• Per the award documents, the grantee shall prepare and provide progress reports to Pacific States Marine Fisheries Commission (PSMFC). These run January to June and July to December and are due 15 days after each period.
Per 2 CFR § 200.303 Internal controls, the non-federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-federal entity is managing the Federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition/Context: NWIFC could not provide support showing review and approval of the progress reports prior to submitting them to PSMFC.
[ ] Compliance Finding [ X ] Significant Deficiency [ ] Material Weakness
Cause: It appears the policies and procedures for reporting were not followed.
Effect: If the program fails to comply with the grant award requirements, it may be subject to higher risk status and a decreased amount of funding.
Questioned Costs: Not applicable – The condition relates to the lack of review and approval of the required reports before submitting to the funding agency, which does not directly impact the allowability or support for costs charged to the program. No costs are being questioned as a result.
Repeat Finding: No.
Recommendation: We recommend that the NWIFC adhere to program policies and procedures as documented and supporting documentation is kept available for review.
Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding and has prepared corrective action as detailed in its Corrective Action Plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls: Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy of the pre- and post-review user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs None.
Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding Yes.
Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
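The two IT findings above (the EM Grants Manager account-management requirements: semiannual privileged-account review and automatic disabling after 60 days of inactivity; and the Workday findings on user access review completeness and timely removal of terminated users) all reduce to checks that can be run mechanically against an account listing. The script below is an added illustration, not part of any audit report or any agency's or vendor's tooling. The account data is constructed; the 60-day and semiannual thresholds are the ones quoted in the findings, while the 5-day removal window and the field names are assumptions, since the reports say only "timely".

```python
"""Access-review checks of the kind the findings above call for.

Constructed sample data (not from any audit). INACTIVE_DAYS and
PRIV_REVIEW_DAYS follow the thresholds quoted in the findings; the
removal SLA and the account fields are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVE_DAYS = 60        # auto-disable inactive accounts after 60 days
PRIV_REVIEW_DAYS = 182    # semiannual review of privileged accounts
REMOVAL_SLA_DAYS = 5      # assumed: what "timely" removal means here
AS_OF = date(2024, 9, 30)  # constructed review date (fiscal year-end)


@dataclass
class Account:
    user: str
    enabled: bool
    privileged: bool
    last_login: Optional[date]
    last_review: Optional[date]            # when the account was last certified
    terminated: Optional[date] = None      # HR termination date, if any
    access_removed: Optional[date] = None  # when access was actually removed


# Constructed account listing with one example of each deficiency
ACCOUNTS = [
    Account("alice", True, True, date(2024, 9, 20), date(2024, 5, 1)),
    Account("bob", True, False, date(2024, 6, 1), date(2024, 5, 1)),      # no login > 60 days
    Account("carol", True, True, date(2024, 9, 1), date(2023, 12, 1)),    # privileged, stale review
    Account("dave", False, False, date(2024, 1, 1), date(2024, 5, 1)),    # already disabled: fine
    Account("erin", True, False, date(2024, 8, 15), None),                # never certified, not privileged
    Account("frank", False, False, date(2024, 7, 1), date(2024, 5, 1),
            terminated=date(2024, 7, 2), access_removed=date(2024, 7, 3)),   # removed within SLA
    Account("grace", False, True, date(2024, 7, 20), date(2024, 5, 1),
            terminated=date(2024, 7, 22), access_removed=date(2024, 8, 30)),  # removed late
    Account("heidi", True, False, date(2024, 8, 4), date(2024, 5, 1),
            terminated=date(2024, 8, 5)),                                     # never removed
]


def inactive_enabled(accounts, as_of=AS_OF):
    """Enabled accounts with no login in the last INACTIVE_DAYS days."""
    cutoff = as_of - timedelta(days=INACTIVE_DAYS)
    return sorted(a.user for a in accounts
                  if a.enabled and (a.last_login is None or a.last_login < cutoff))


def stale_privileged_reviews(accounts, as_of=AS_OF):
    """Enabled privileged accounts not certified within PRIV_REVIEW_DAYS."""
    cutoff = as_of - timedelta(days=PRIV_REVIEW_DAYS)
    return sorted(a.user for a in accounts
                  if a.enabled and a.privileged
                  and (a.last_review is None or a.last_review < cutoff))


def late_terminations(accounts, as_of=AS_OF):
    """Terminated users whose access removal missed the SLA or never happened.

    Returns {user: days between termination and removal (or as_of if not removed)}.
    """
    late = {}
    for a in accounts:
        if a.terminated is None:
            continue
        end = a.access_removed if a.access_removed is not None else as_of
        lag = (end - a.terminated).days
        if lag > REMOVAL_SLA_DAYS or (a.access_removed is None and a.enabled):
            late[a.user] = lag
    return late


def uar_completeness(pre_listing, reviewed, post_listing):
    """Reconcile the reviewer's evidence against pre- and post-review listings.

    'not_reviewed' is the completeness gap the Workday finding describes;
    'added_after_review' catches accounts created between the two listings.
    """
    pre, rev, post = set(pre_listing), set(reviewed), set(post_listing)
    return {"not_reviewed": sorted(pre - rev),
            "added_after_review": sorted(post - pre)}


def report(accounts=ACCOUNTS, as_of=AS_OF):
    """Bundle the three listing-based checks into one exception report."""
    return {"inactive": inactive_enabled(accounts, as_of),
            "stale_privileged": stale_privileged_reviews(accounts, as_of),
            "late_removal": late_terminations(accounts, as_of)}


if __name__ == "__main__":
    for check, result in report().items():
        print(f"{check}: {result}")
    print(uar_completeness(["alice", "bob", "carol"], ["alice", "bob"],
                           ["alice", "bob", "carol", "erin"]))
```

The point of `uar_completeness` is the evidence gap named in item 2) of the Workday finding: a reviewer's sign-off alone does not show that every account was covered, whereas keeping the pre-review listing, the reviewed set and the post-review listing lets the reconciliation be reproduced later by an auditor. The `report` output is the kind of artifact that would have answered items 2) and 3) if retained with the review.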
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors' timely reporting of terminations.

Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being used for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.

Questioned Costs
None.

Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.

Repeat Finding
Yes.

Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as to the testing and approval of changes, be maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.

Views of Responsible Officials
Recommendation accepted. Please refer to the corrective action plan.

Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various

Criteria
Internal Controls: Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework" issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System's management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud-based system, as the entity's general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment, and it relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.

During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System's general IT controls environment:

Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating that review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre- and post-review user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
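One way to produce the completeness-and-accuracy evidence that conditions 2) and 3) describe as missing (an order-independent fingerprint of the pre- and post-review user listings, a reconciliation of every reviewer decision against both listings, and a timeliness check on terminated users), as an added Python example that is not part of the audit report or of either vendor's product. All user names, dates, reviewer identities and the five-day removal SLA are constructed assumptions.

```python
"""UAR evidence reconciliation and termination-timeliness check.

Added example; every name, date and the REMOVAL_SLA_DAYS value below is a
constructed assumption, not data from the audit report.
"""
from dataclasses import dataclass
from datetime import date
import hashlib

REMOVAL_SLA_DAYS = 5  # assumed: access must be gone within 5 calendar days


@dataclass(frozen=True)
class Decision:
    """One reviewer decision from the UAR worksheet."""
    user: str
    action: str        # "keep" or "remove"
    reviewer: str
    signed_off: date   # date the reviewer signed off the row


def listing_fingerprint(users):
    """SHA-256 over the sorted listing. Recording this for the pre- and
    post-review extracts (next to the screenshots) is the retained evidence
    that the reviewed population is the one the system actually reported."""
    return hashlib.sha256("\n".join(sorted(users)).encode()).hexdigest()


def reconcile_uar(pre_listing, decisions, post_listing):
    """Return exception strings; an empty list means every pre-review user
    has a decision and the post-review listing reflects each decision."""
    exceptions = []
    decided = {d.user for d in decisions}
    # Completeness: every user on the pre-review listing was reviewed.
    for user in sorted(pre_listing):
        if user not in decided:
            exceptions.append(f"{user}: no review decision recorded")
    # Accuracy: the post-review listing reflects each recorded decision.
    for d in decisions:
        if d.user not in pre_listing:
            exceptions.append(f"{d.user}: decision recorded for user not on pre-review listing")
        elif d.action == "remove" and d.user in post_listing:
            exceptions.append(f"{d.user}: marked for removal but still present after review")
        elif d.action == "keep" and d.user not in post_listing:
            exceptions.append(f"{d.user}: approved to keep but missing from post-review listing")
    # Accounts that appeared after the review without any reviewer decision.
    for user in sorted(post_listing - pre_listing):
        exceptions.append(f"{user}: present after review but never reviewed")
    return exceptions


def late_removals(terminations, removals, sla_days=REMOVAL_SLA_DAYS):
    """Return terminated users whose access removal exceeded the SLA or never
    happened. A missing removal date counts as late, which is the failure
    mode when a supervisor reports the termination after the fact."""
    late = []
    for user, term_date in terminations.items():
        removed_on = removals.get(user)
        if removed_on is None or (removed_on - term_date).days > sla_days:
            late.append(user)
    return late


# Constructed sample data standing in for the system extracts and worksheet.
PRE_LISTING = {"asmith", "bjones", "cwu", "dlee"}
DECISIONS = [
    Decision("asmith", "keep", "mgr1", date(2024, 3, 1)),
    Decision("bjones", "remove", "mgr1", date(2024, 3, 1)),
    Decision("cwu", "keep", "mgr2", date(2024, 3, 2)),
    # dlee has no decision row: a completeness gap.
]
POST_LISTING = {"asmith", "bjones", "cwu", "dlee", "enew"}  # bjones not removed; enew unreviewed
TERMINATIONS = {"bjones": date(2024, 2, 20), "fgarcia": date(2024, 2, 25), "hkim": date(2024, 2, 28)}
REMOVALS = {"bjones": date(2024, 3, 5), "fgarcia": date(2024, 2, 27)}  # hkim never removed


if __name__ == "__main__":
    print("pre-review  fingerprint:", listing_fingerprint(PRE_LISTING))
    print("post-review fingerprint:", listing_fingerprint(POST_LISTING))
    for line in reconcile_uar(PRE_LISTING, DECISIONS, POST_LISTING):
        print("UAR exception:", line)
    for user in late_removals(TERMINATIONS, REMOVALS):
        print("removal outside SLA:", user)
```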
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various

Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a), states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework" issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Condition The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System's management of Workday includes maintaining the application layer of the information technology (IT) control environment; it relies on the Workday vendor for the infrastructure layers, supported through Service Organization Control (SOC) Type 1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud-based system, as the entity's general ledger. The Health System's management of Infor likewise includes maintaining the application layer of the IT control environment and relies on the Infor vendor for the infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.

During our testing, we observed no inappropriate changes to the Workday and Infor application controls that directly relate to specific compliance controls over the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System's general IT control environment:

Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating that review. Specifically, management maintained an Excel spreadsheet noting that the changes to the business process definitions were appropriate, but there were no screenshots documenting the completeness and accuracy of the system report the review was based on, and no evidence of sign-off by the reviewer. Additionally, appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence that the UAR occurred, including the required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre- and post-review user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls that remove a terminated user's access in both Workday and Infor once the termination is processed in Workday. We tested a sample of 25 terminated users to determine whether their access was removed in a timely manner and noted that for 9 of the sampled users the termination was not processed in Workday promptly, so access was not removed in a timely manner.

Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define procedures establishing the requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval of changes. 2) The condition occurred because the Health System did not formally define procedures for documenting a complete and accurate UAR. 3) The exception occurred due to delays in supervisors' timely reporting of terminations.

Possible Asserted Effect Failure to maintain a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which in turn may result in erroneous reliance on the operating effectiveness of the automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being used for unallowable expenditures not in accordance with federal statutes, regulations, and the terms and conditions of federal awards.

Questioned Costs None.

Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample.

Repeat Finding Yes.

Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence of the review, as well as of the testing and approval of changes, be maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.

Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
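The two logical-access conditions above (the UAR with no evidence that the pre- and post-review listings were complete, and terminated users whose access outlived their termination) both come down to reconciling exports that the entity already has. The following is an added illustration, not code from the audit report or from the Health System, of the kind of evidence a reviewer could retain: it fingerprints each user-listing export so the review can be tied to a specific listing, diffs the pre- and post-review listings so every user lands in exactly one bucket, and measures how many days each terminated user's access survived past the HR termination date. All user data is constructed; the five-day removal target, the field names, and the treatment of Workday and Infor as a single listing are assumptions for the example, not facts from the finding.

```python
"""Added example (not from the audit report): evidence a user access review
and an access-removal timeliness test from HR and application exports.
All data is constructed; SLA_DAYS and the field names are assumptions."""
import hashlib
import json
from datetime import date

SLA_DAYS = 5  # assumed removal target; the finding states no specific number


def fingerprint(listing):
    """SHA-256 over a canonical (user-sorted, key-sorted) serialization of a
    user listing, so the reviewer can evidence which export was reviewed.
    Row order does not change the digest; any change in content does."""
    canon = json.dumps(sorted(listing, key=lambda u: u["user"]), sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def review_delta(pre, post):
    """Return (removed, added, unchanged) user-name sets between the
    pre-review and post-review listings. Completeness is evidenced when
    every user in `pre` falls into exactly one bucket and each removal is
    traceable to a reviewer decision."""
    pre_users = {u["user"] for u in pre}
    post_users = {u["user"] for u in post}
    return pre_users - post_users, post_users - pre_users, pre_users & post_users


def removal_lag(terminations, removals):
    """Days between the HR termination date and the date access was actually
    removed in the application; None when access is still present."""
    lags = {}
    for t in terminations:
        removed_on = removals.get(t["user"])
        lags[t["user"]] = (removed_on - t["term_date"]).days if removed_on else None
    return lags


def late_removals(lags, sla_days=SLA_DAYS):
    """Users whose access outlived the SLA or was never removed at all."""
    return sorted(u for u, d in lags.items() if d is None or d > sla_days)


# --- constructed sample data (hypothetical users and dates) --------------
PRE = [{"user": "alice", "role": "payroll_admin"},
       {"user": "bob", "role": "hr_partner"},
       {"user": "carol", "role": "gl_analyst"}]
POST = [{"user": "alice", "role": "payroll_admin"},
        {"user": "carol", "role": "gl_analyst"},
        {"user": "dave", "role": "gl_analyst"}]
TERMS = [{"user": "bob", "term_date": date(2024, 3, 1)},
         {"user": "erin", "term_date": date(2024, 3, 10)},
         {"user": "frank", "term_date": date(2024, 3, 12)}]
# date access was removed in the application; frank was never removed
REMOVED = {"bob": date(2024, 3, 4), "erin": date(2024, 3, 28)}

if __name__ == "__main__":
    print("pre listing sha256 :", fingerprint(PRE))
    print("post listing sha256:", fingerprint(POST))
    removed, added, kept = review_delta(PRE, POST)
    print("UAR delta: removed", sorted(removed), "added", sorted(added),
          "unchanged", sorted(kept))
    lags = removal_lag(TERMS, REMOVED)
    print("removal lag (days):", lags)
    print("late or missing removals:", late_removals(lags))
```

The digests and the three delta buckets are what a reviewer would attach to the UAR sign-off; the lag table is the working paper behind a timeliness test. Because the automated removal only fires once the termination is processed in Workday, the termination date fed to `removal_lag` should be the HR effective date, not the Workday processing date, or the supervisor-reporting delay the finding identifies will not show up.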
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
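The two access-control deficiencies above (a UAR without evidence that every user was covered and the updates actually applied, and terminated users whose access outlived their departure) are both reconciliation problems. The following Python script is an added illustration of what such evidence can look like; it is not code from the audit report, the Health System, Workday or Infor. It takes a pre-review user listing, the reviewers' decisions and a post-review listing, ties each listing to the sign-off by hashing it, and reports every user who was not reviewed, not removed when the decision said so, or granted access outside the review. A second check measures termination removals against the employee's actual last day rather than the date HR processed it, which is where the reported delay arose. All user names, roles and dates are constructed sample data.

```python
"""Evidence-producing checks for a user access review (UAR) and for
terminated-user access removal. Added illustration with constructed data;
not the Health System's, Workday's or Infor's code."""
import hashlib
import json
from datetime import date, timedelta

# Constructed pre-review listing, as exported from the application before the UAR.
PRE_LISTING = [
    {"user": "alice", "role": "Payroll Administrator"},
    {"user": "bob", "role": "HR Partner"},
    {"user": "carol", "role": "Security Administrator"},
    {"user": "dave", "role": "Report Writer"},
]

# Constructed reviewer decisions keyed by user: (decision, reviewer).
# A complete review has a decision for every user in PRE_LISTING.
DECISIONS = {
    "alice": ("retain", "mgr1"),
    "bob": ("remove", "mgr2"),
    "carol": ("remove", "mgr1"),
    # "dave" has no decision, so the review is incomplete.
}

# Constructed post-review listing, exported after the access updates were applied.
POST_LISTING = [
    {"user": "alice", "role": "Payroll Administrator"},
    {"user": "carol", "role": "Security Administrator"},  # marked "remove" but still present
    {"user": "dave", "role": "Report Writer"},
    {"user": "grace", "role": "HR Partner"},  # appeared without going through the review
]


def listing_digest(listing):
    """SHA-256 over the canonical JSON of a listing, so the sign-off can name the
    exact export that was reviewed instead of an unverifiable spreadsheet."""
    canon = json.dumps(sorted(listing, key=lambda r: r["user"]), sort_keys=True)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def reconcile_uar(pre, decisions, post):
    """Return the exceptions a complete-and-accurate UAR must show as empty:
    users with no documented decision, users marked 'remove' still present
    after the review, and users present after the review who were never in
    the pre-review listing (access changed outside the review)."""
    pre_users = {r["user"] for r in pre}
    post_users = {r["user"] for r in post}
    decided = set(decisions)
    return {
        "unreviewed": sorted(pre_users - decided),
        "not_removed": sorted(u for u, (d, _) in decisions.items()
                              if d == "remove" and u in post_users),
        "unexpected": sorted(post_users - pre_users),
    }


def evidence_record(pre, decisions, post, reviewer, signed_on):
    """The artifact to retain with the sign-off: digests of both listings, the
    reviewer, the date, and the exception lists (ideally all empty)."""
    return {
        "pre_listing_sha256": listing_digest(pre),
        "post_listing_sha256": listing_digest(post),
        "users_in_scope": len(pre),
        "decisions_recorded": len(decisions),
        "reviewer": reviewer,
        "signed_on": signed_on.isoformat(),
        "exceptions": reconcile_uar(pre, decisions, post),
    }


# Constructed termination events: (user, last working day, date access was disabled or None).
TERMINATIONS = [
    ("bob", date(2024, 3, 1), date(2024, 3, 1)),
    ("erin", date(2024, 3, 5), date(2024, 3, 12)),  # supervisor reported late
    ("frank", date(2024, 4, 2), None),              # still enabled as of the check
]


def late_removals(terminations, as_of, sla_days=1):
    """Users whose access was not disabled within sla_days of their last working
    day. Measuring from the last day (not the HR processing date) exposes
    delays in reporting, which an automation keyed to HR processing cannot see."""
    late = []
    for user, last_day, disabled_on in terminations:
        deadline = last_day + timedelta(days=sla_days)
        effective = disabled_on if disabled_on is not None else as_of
        if effective > deadline:
            late.append(user)
    return late


if __name__ == "__main__":
    print(json.dumps(evidence_record(PRE_LISTING, DECISIONS, POST_LISTING,
                                     "mgr1", date(2024, 6, 30)), indent=2))
    print("late removals:", late_removals(TERMINATIONS, as_of=date(2024, 4, 30)))
```

The point of the digests is that a reviewer's sign-off then refers to a specific export rather than to a spreadsheet whose rows could be edited after the fact; the exception lists are what the auditor is asking for when they want evidence that "all users were reviewed, approved and updated where necessary". The one-day SLA and the sample dates are assumptions for the illustration only.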