Assistance Listing, Federal Agency, and Program Name 93.045/93.053, U.S. Department of Health and Human Services, Aging Cluster Federal Award Identification Number and Year N/A Pass through Entity Area Agency on Aging 1C Finding Type Material weakness Repeat Finding No Criteria Per 2 CFR 200.303(a), nonfederal entities must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The County’s controls over meal participants did not ensure a review was in place to check the intake forms for Halal Home Delivered meal participants or that updated assessments were obtained for home delivered meals. Lastly there was not a control in place to ensure liquid meal participants maintained a physician order, renewed every six months, stating the need for the additional supplement. Questioned Costs N/A Identification of How Questioned Costs Were Computed Not applicable, as there are no questioned costs Context The County is responsible for ensuring participants who receive meals are eligible under the terms of the grant. The County did not have a control over any Home Delivered Halal meal participants for eligibility, which made up 1 of 30 Home Delivered participants tested. In total, there are approximately 110 Home Delivered Halal participants out of a total of 3,872 Home Delivered participants given meals during the year. These participants made up about 3% of the total population. 
The County did not perform an updated assessment on 2 out of 30 participants tested for home delivered meals. The County did not obtain updated physician orders for all 4 of the liquid meal participants tested. In total there are about 386 liquid meal participants. This is less than 10% of all meals delivered. Of the 386 only 1% did not receive updated doctor notes. Cause and Effect The County’s controls were not adequate to ensure that meals were only provided to eligible individuals. The lack of controls can result in the County not identifying ineligible participants timely. Recommendation We recommend the County implement the appropriate controls to ensure meals are provided to eligible individuals. Views of Responsible Officials and Corrective Action Plan Wayne County’s Department of Senior Services will implement processes to ensure only eligible individuals receive meals. A quarterly report will be run to verify all home delivered meal clients have updated assessments and reassessments and will be reviewed by the Department Director and/or Division Director quarterly. Halal home delivered meal clients’ assessments will be reviewed by a second staff member to ensure eligibility and verified by the Department Director and/or Division Director monthly.
2024-001 – Internal Controls Over Service Agencies Federal Agency: Department of Housing and Urban Development Program Name: Community Development Block Grant Assistance Listing Number: ALN 14.228 Pass-through Entity: Michigan Economic Development Corporation Grant Number: MSC 222028-ESB Criteria: Per 2 CFR 200.303, the recipient must establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient or subrecipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States, or the “Internal Control-Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The City contracted with a service agency for administration of the grant. Processes and procedures were in place related to the review of the reimbursement requests prior to submission. However, as it relates to other reporting requirements, there was no formalized review process prior to submission. Cause: The project is related to the demolition and clearance of the former hospital location. The City is the grantee, but Northern Michigan University Foundation is the property owner. The City reimbursed the property owner for allowable costs in accordance with the grant agreement. In order to assist with grant administration, the service agency received information not only from the City, but also the property owner related to the project. The overall project consisted of multiple phases; however, only portions of Phase I were covered by the grant agreement. When preparing one of the semi-annual CDBG Progress Reports, the service agency erroneously included amounts that were not related to the grant. 
Effect: One of the semi-annual CDBG Progress Reports submitted to the Michigan Economic Development Corporation was erroneous. Questioned Costs: None. Identification of How Questioned Costs were Computed: N/A Perspective: When informed of the error, the service agency immediately reached out to the Michigan Economic Development Corporation (MEDC), the pass-through entity, for guidance on how to proceed with correcting the error. Prior to re-submitting a revised CDBG Progress Report, the service agency forwarded the report to a responsible official at the City for review. Review of the MEDC’s Single Audit Certification report did not result in any errors detected. Furthermore, review of the reimbursement requests did not reveal any errors which would have resulted in the City over or under-receiving federal reimbursements. Repeat Finding: No. Recommendation: Procedures should be put into place that when a service agency is utilized for administering a federal grant(s) that all reports are reviewed by a responsible City official prior to submission to the federal agency. This includes, but is not limited to, reimbursement requests, intermittent reporting, and any other required reports. Views of Responsible Officials: Management agrees with the finding.
2024-002 – Internal Controls Over Reporting Federal Agency: Department of Transportation Program Name: Port Infrastructure Development Program Assistance Listing Number: ALN 20.823 Pass-through Entity: N/A Grant Number: 693JF72245018 Criteria: Per 2 CFR 200.303, the recipient must establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient or subrecipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States, or the “Internal Control-Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: When preparing one of the quarterly reports the City erroneously included costs in the current quarter’s expenditures that were already included in a previous quarter’s expenditure amounts. Cause: The City’s Engineering department is performing services related to the grant including program management, construction management, along with engineering services. As a result, payroll costs are allocated to the grant. When preparing one of the Quarterly Progress Reports the wrong time range was used which resulted in duplication of some of the payroll expenditures. Effect: One of the Quarterly Progress Reports was over-stated. Cumulative expenditures on future Quarterly Progress Reports will be misstated. Questioned Costs: None. Identification of How Questioned Costs were Computed: N/A Perspective: Review of other quarterly reports submitted during the fiscal year did not result in any errors detected. Furthermore, review of the reimbursement requests did not reveal any errors which would have resulted in the City over or under-receiving federal reimbursements. 
When informed of the error, the City immediately reached out to the United States Department of Transportation Maritime Administration (MARAD) for guidance on how to proceed with correcting the error. The City also reviewed, revised, and resubmitted any subsequent Quarterly Progress Reports that were impacted. Repeat Finding: No. Recommendation: Prior to submitting the Quarterly Progress Report a secondary review should be performed by someone other than the preparer to ensure the data properly reconciles to the City’s financial reporting system. Views of Responsible Officials: Management agrees with the finding.
REFERENCE: 2024-101 REPEAT FINDING REFERENCE: 2023-001 CFDA NUMBER: 10.558 – CHILD AND ADULT CARE FOOD PROGRAM U.S. DEPARTMENT OF AGRICULTURE - FOOD AND NUTRITION - 2024 PASSED THROUGH ARIZONA STATE DEPARTMENT OF EDUCATION GRANT NUMBER 6AZ300003 QUESTIONED COSTS N/A CONDITION The following errors were noted during testing of FDCH Site Claims, the Sponsor’s Meal Served Report and 40 Day Care Home provider files for the months of July 2024 and September 2024: 1. For 3 of 40 provider files tested, menus were clerically inaccurate and did not support the meals claimed. This error occurred in both months tested. 2. For 2 of 40 provider files tested, meals were claimed when the provider’s children were the only children present. This error occurred in September 2024. 3. For 1 of 40 provider files tested, meals were claimed when no children were indicated as being present for the meal. This error occurred in July 2024. 4. For 1 of 40 provider files tested, more than 2 meals and 1 snack or 2 snacks and 1 meal were claimed for a child. This error occurred in September 2024. 5. For 1 of 40 provider files tested, meals were incorrectly disallowed based on the provider’s income eligibility. This error occurred in September 2024. These errors resulted in the following revised meal counts: These variances resulted in an under payment (known questioned costs) of $62. However, after projecting the various types of errors over six meal categories for the entire year, likely under reported costs totaled $2,958. CRITERIA In accordance with the Arizona Department of Education, Day Care Home Compliance Manual, Revised June 2019, Chapter 6 New Provider Eligibility Requirements, 6.3 Provider’s Own, at least one non-residential child must be enrolled and receiving care by the provider in order for the provider to qualify as a family child care home for CACFP eligibility purposes. 
Payment may be made for meals served to the provider's own children only when: • Such children are enrolled and participating in the child care program during the time of the meal service, • Enrolled nonresident children are present and participating in the child care program, and • The provider is eligible for Tier I reimbursement and providers' children are eligible to receive free or reduced-price meals. In accordance with the Arizona Department of Education, Day Care Home Compliance Manual, Revised June 2019, Chapter 10, Meal Requirements, Section 10.7 Other Meal Requirements, in order to claim a meal, the provider must abide by the following criteria: • The provider must serve a fully reimbursable meal that meets the meal pattern requirements and are supported by complete and up to date attendance, meal count, and menu records; • The child must be present and participate in the meal service; • All meal components must be served together; • The meal must be fully consumed on the premises in a congregate setting. Meals sent home with a child due to the parent picking up the child during meal service cannot be claimed; • Meal must be served during approved meal service time; • The provider can be reimbursed for a maximum of two meals and one snack or two snacks and one meal per child, per day; • Only children who are enrolled can be claimed and the number of children cannot exceed the allowable ratio; • Payment may be made for meals served to provider’s own child(ren) or foster children only when: Their child(ren) are enrolled and participating in the child care program during the time of the meal service; At least one enrolled, non-resident child is present and participating in the child care program; The provider meets the family size income standards for free or reduced price meals; • Seconds may be served but are not reimbursable; and • If a school age child receives a breakfast, lunch or afterschool snack at school, a provider may not claim the same meal. 
In accordance with the Uniform Guidance, Compliance Supplement, Part 6 – Internal Control, the 2 CFR section 200.303 requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. EFFECT Program requirements were not complied with. Additionally, meal reimbursements were clerically inaccurate and the providers were incorrectly reimbursed. CAUSE Although the internal controls were adequately designed, there were deficiencies in the execution of the controls. Most errors occurred on paper menus, which have a higher risk of errors. RECOMMENDATION AND BENEFIT Menus should be reviewed to ensure all meals are claimed, and provider meal count sheets should be reviewed for clerical accuracy and completion, prior to the preparation of the reimbursement claim. Additionally, income affidavit information should be entered into the system timely to ensure that meals are properly claimed. These reviews should be documented. This will help ensure that program requirements are complied with and only eligible meals served to eligible participants are claimed for reimbursement. VIEWS OF RESPONSIBLE OFFICIALS See Corrective Action Plan.
REFERENCE: 2024-102 CFDA NUMBER: 10.558 – CHILD AND ADULT CARE FOOD PROGRAM U.S. DEPARTMENT OF AGRICULTURE - FOOD AND NUTRITION - 2024 PASSED THROUGH ARIZONA STATE DEPARTMENT OF EDUCATION GRANT NUMBER 6AZ300003 QUESTIONED COSTS N/A CONDITION The following errors were noted while testing the Category Detail Reports, Sponsor Claim and Child and Adult Care Food Program (CACFP) expenses for July 2024 and September 2024: 1. The hourly timesheet for one employee in September 2024 was clerically inaccurate. 2. Contracted services for September 2024 were double claimed. These errors resulted in the following revised amounts: These errors resulted in an over reporting of total Administrative Costs (known questioned costs) of $183. However, after projecting the various types of errors over operating costs for the entire year, likely questioned costs totaled $943. CRITERIA In accordance with the Uniform Guidance, Compliance Supplement, Part 6 – Internal Control, the 2 CFR section 200.303 requires that non-federal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the non-federal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. In accordance with the Arizona Department of Education, Day Care Home Compliance Manual, Revised June 2019, Chapter 5 Sponsor Responsibilities, Section 5.2 Sponsor Recordkeeping Requirements, sponsoring organizations are required to maintain records to fully support the monthly claim for reimbursement and compliance with program regulations. All sponsoring organizations must have a written policy pertaining to their recordkeeping procedures. All records shall be retained for a period of five years after the date of submission of the final claim for the fiscal year to which they pertain. EFFECT Program requirements were not complied with. 
Additionally, administrative costs were over reported. CAUSE Although the internal controls were adequately designed, there were deficiencies in the execution of the controls. Costs were not correctly summarized and reported on the Sponsor Claim. RECOMMENDATION AND BENEFIT The Organization’s monthly administrative cost report and supporting documentation should be reviewed for accuracy prior to completing the reimbursement claim. Any review should be documented. This will help ensure that program requirements are complied with and that administrative costs are accurately reported. VIEWS OF RESPONSIBLE OFFICIALS See Corrective Action Plan.
Federal Agency: U.S. Department of Health and Human Services Federal Program Name: Head Start Cluster Federal Assistance Listing Number: 93.600 Federal Award Identification Number(s) and Year(s): 05CH010838-2023, 05CH010838-2024 Award Period: March 1, 2023 to February 29, 2024; and March 1, 2024 to February 28, 2025 Type of Finding: Material Weakness in Internal Control over Major Federal Programs Criteria or Specific Requirement: Under 2 CFR section 200.303, a nonfederal entity must establish and maintain effective internal controls over the federal awards that provide reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Timely review and approval should be maintained to ensure accurate reports are submitted. Condition: The Organization does not have adequate internal controls in place to ensure required reports are approved by the appropriate personnel before being submitted. Questioned Costs: N/A Context: Neither of the two financial status reports selected for testing contained a formal documented review and approval. Cause: While management does have a separate individual assigned to review the required reports prepared by the Fiscal Director, that review is not formally documented. Effect: Potential for inaccurate information reported. Repeat Finding: This is a repeat finding. Recommendation: We recommend that the individual assigned to review the reports formally document their review and approval with a signature before the required submission date.
Views of responsible officials and planned corrective actions: There is no disagreement with the finding. WCCA has already implemented a process to ensure all reports are reviewed and approved with documentation before submission.
Allowable Costs/Activities Allowed Material Weakness, Noncompliance 2024-002 Strengthen Controls to Ensure Compliance with Allowable Costs Requirements Agency: U.S. Department of Transportation; Passed-through Mississippi Office of Highway Safety ALN Numbers: 20.600 State and Community Highway Safety 20.616 National Priority Safety Programs Federal Award: M5TR-2024-MD-22-51 Repeat Finding: No Questioned Costs: $1,432.84 Criteria: In accordance with 2 CFR 200.403, costs charged to a federal award must be necessary, reasonable, and allocable. Further, per 2 CFR 200.303, the non-federal entity must establish and maintain effective internal controls over the federal award. Condition: During our evaluation and testing of the grant, we were alerted to improper payments totaling $1,432 made to employees as the result of misrepresentation of reimbursable expenses. The payments were processed and disbursed; however, internal controls subsequently identified and alerted officials to the improper payments. The employees were terminated, and no additional payments were made. Cause: Fraudulent requests for employee expense reimbursement for travel were submitted and not independently verified. Although controls were in place to verify such requests, the fraud attempt bypassed initial detection. The City’s post-disbursement review controls detected the issue, but only after payment had occurred. Effect: The City disbursed $1,432 in federal funds to fraudulent reimbursements. Although no additional losses occurred and corrective actions were taken, the incident reflects a breakdown in the preventative control environment over disbursement verification. Recommendation: We recommend that the City implement additional internal controls to ensure that proper and substantiated travel reimbursement payments are made. Views of Responsible Officials: The City concurs with the finding. 
While our internal post-payment review control ultimately identified the issue, we acknowledge the breakdown in the preventive stage. We have since revised our procedures to require independent verification. We also reported the incident to proper agencies as required.
Allowable Costs/Activities Allowed Material Weakness, Noncompliance 2024-002 Strengthen Controls to Ensure Compliance with Allowable Costs Requirements Agency: U.S. Department of Transportation; Passed-through Mississippi Office of Highway Safety ALN Numbers: 20.600 State and Community Highway Safety 20.616 National Priority Safety Programs Federal Award: M5TR-2024-MD-22-51 Repeat Finding: No Questioned Costs: $1,432.84 Criteria: In accordance with 2 CFR 200.403, costs charged to a federal award must be necessary, reasonable, and allocable. Further, per 2 CFR 200.303, the non-federal entity must establish and maintain effective internal controls over the federal award. Condition: During our evaluation and testing of the grant, we were alerted to improper payments totaling $1,432 made to employees as the result of misrepresentation of reimbursable expenses. The payments were processed and disbursed; however, internal controls subsequently identified and alerted officials to the improper payments. The employees were terminated, and no additional payments were made. Cause: Fraudulent requests for employee expense reimbursement for travel were submitted and not independently verified. Although controls were in place to verify such requests, the fraud attempt bypassed initial detection. The City’s post-disbursement review controls detected the issue, but only after payment had occurred. Effect: The City disbursed $1,432 in federal funds to fraudulent reimbursements. Although no additional losses occurred and corrective actions were taken, the incident reflects a breakdown in the preventative control environment over disbursement verification. Recommendation: We recommend that the City implement additional internal controls to ensure that proper and substantiated travel reimbursement payments are made. Views of Responsible Officials: The City concurs with the finding. 
While our internal post-payment review control ultimately identified the issue, we acknowledge the breakdown in the preventive stage. We have since revised our procedures to require independent verification. We also reported the incident to proper agencies as required.
GRANT REPORTING U.S. Department of Treasury ALN 21.027 – Coronavirus State and Local Fiscal Recovery Funds Contract No. 23.saa.900.46 (2023) Passed through the Florida Department of State 2024 Funding Repeat Finding Criteria: 2 CFR 200.303 requires non-federal entities to establish and maintain effective internal controls. Reports and reimbursement requests should be subject to independent review for the full fiscal year to verify completeness, validity and timeliness of submission. The grant agreement requires quarterly progress reports to be filed with the pass through entity, Florida Department of State. Condition: Review of quarterly reports was not always documented by City officials before submittal by their third party consultant. Cause of condition: The department at the City that is responsible for managing the grant did not originally have a process in place to document their review of progress reports submitted to the Florida Department of State by their third party consultant. Potential effect of condition: Reports submitted to the Florida Department of State may be incomplete, include errors, or be submitted late. Perspective: After this condition was reported as a finding for the fiscal year ending September 30, 2023, the City’s department that is responsible for managing the grant implemented a review process, but it was not in place for the full fiscal year 2024. Questioned costs: None. Recommendation: The City’s department responsible for the grant should continue to perform the review process that was put in place late in fiscal year 2024. Management’s Response: The City updated its control process to ensure that reports prepared by the third-party consultant are reviewed by City staff prior to being submitted to the grantor.
Finding No.: 2024-001 Federal Agency: U.S. Department of Education AL Program: Student Financial Assistance Cluster Federal Award No.: Various Area: Special Tests and Provisions – Gramm-Leach-Bliley Act-Student Information Security Questioned Costs: $0 Criteria: 2 CFR 200.303 requires that a non-federal entity must “(a) establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the GLBA because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). 
(2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls. (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (iv) Assess apps developed by the institution. (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system. (vi) Dispose of customer information securely. (vii) Anticipate and evaluate changes to the information system or network. (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
(7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)). Condition: The University does not have a comprehensive written information security program addressing all the required minimum elements of the GLBA, although we have noted that the University performs certain procedures to address some of the aforementioned criteria. Cause: The Office of Information Technology (OIT) is not aware of the GLBA requirements that the University needs to comply with effective June 9, 2023. Effect: The University has not developed, implemented and maintained a written Information Security Program compliant with federal regulations. Recommendation: The OIT led by the Chief Information Officer should develop a written Information Security Program as soon as possible to ensure compliance with the federal regulations. Management should review and approve the written Information Security Program annually to ensure that all minimum requirements are met and any changes in regulations are complied with. Views of Responsible Officials: Management agrees with the finding. See Corrective Action Plan.
Findings and Questioned Costs Relating to Federal Awards 2024 001 SEFA Control Deficiency U.S. Department of Treasury Community Development Financial Institutions Program (ALN 21.033) Statistically Valid Sample: No, and it was not intended to be. Prior Year Finding: Not a repeat finding. Finding Type: Significant deficiency Criteria CFR 200.502(a) requires expenditures be recorded in the period they occur. Additionally, 2 CFR 200.303(a) states that non federal entities must establish and maintain effective internal control over federal awards that provide reasonable assurance that the non federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Condition and Context During our test work over the Schedule of Expenditures of Federal Awards (SEFA), we noted the Organization incorrectly reported expenditures, in the amount of $693,023, incurred in the fiscal year ended September 30, 2023 on the 2024 SEFA. CFR 200.502(a) requires expenditures be recorded on the SEFA in the period they occur. The 2023 expenditures were incurred during the performance period of the grant and were for activities allowed under the grant, therefore there were no questioned costs or noncompliance related to the expenditures. The Organization’s internal controls were not designed to detect that the expenditures were not timely reported on the SEFA. Cause The significant deficiency arose primarily from a misunderstanding and misapplication of SEFA preparation rules in accordance with CFR 200.502(a), specifically regarding the timing of recording expenditures. Effect Failure to properly report expenditures on the SEFA can lead to a missed or incorrect major program determination. Questioned Costs None. Recommendation We recommend that the Organization strengthen its internal controls to ensure all expenditures are reported on the SEFA in the period incurred to comply with the requirements of CFR 200.502(a). 
Views of Responsible Officials As noted by our auditor, the submitted expenditures were allowable under the grant. The condition exists such that these expenditures were included within the current period SEFA report because that is when they were determined to be applicable, rather than the period when they were actually incurred (the prior period SEFA report). Going forward, management will ensure that expenditures are reported in the period they were incurred rather than the period they were applied.
Item 2024‐001 – Suspension and Debarment (Repeat) COVID-19 Coronavirus State and Local Fiscal Recovery – ALN 21.027 U.S. Department of Treasury Federal Award Year ‐ 2021 Criteria – 2 CFR 200.303 requires the non‐Federal entity to “(a) establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the non‐Federal entity is managing the Federal statutes, regulations, and the terms and conditions of the Federal award.” Non‐Federal entities are prohibited from contracting with or making subawards under covered transactions to parties that are suspended or debarred. “Covered transactions” include those procurement contracts for goods and services awarded under a nonprocurement transaction (e.g., grant or cooperative agreement) that are expected to equal or exceed $25,000 or meet certain other criteria as specified in 2 CFR section 180.220. All nonprocurement transactions entered into by a recipient (i.e., subawards to subrecipients), irrespective of award amount, are considered covered transactions, unless they are exempt as provided in 2 CFR section 180.215. Condition – Adequate controls were not in place to provide for proper review of covered transactions for suspension and debarment. Covered transactions, over $25,000 paid with grant funding were not reviewed for suspension and debarment. Cause – The County lacked sufficient controls to ensure evidence of compliance with suspension and debarment. Questioned Costs – Not determinable. Effect – Failure to properly verify that a potential vendor has not been suspended or debarred could result in unallowable expenditures and disallowed costs. Recommendation – We recommend that controls should be put into place to better monitor and document the compliance of vendors for suspension and debarment. Management’s Response – Management agrees with the finding. 
The County will implement additional controls to ensure there is evidence of review of covered transactions over $25,000 for suspension and debarment prior to payment. The Deputy Clerk, Finance will be responsible for the corrective action and anticipates that the corrective action will be completed before September 30, 2025.
2024-002 – COVID 19: Community Development Block Grants/Entitlement Grants Federal Awarding Agency – U.S. Department of Housing and Urban Development Assistance Listing Number – 14.218 FAIN – B-23-UC-12-0017 Award Year – 2023 Questioned costs – none Criteria: 2 CFR Part 200 in general and 2 CFR section 200.303(a) require non-Federal entities to establish and maintain effective internal controls over Federal awards, including the requirements for allowable costs, cost principles, period of performance, and special tests and provisions – wage rate requirements. The related compliance requirements are set in 24 CFR Part 570 Subpart D and sections 570.200 through .710, the Coronavirus Aid, Relief, and Economic Security (CARES) Act, the April 30, 2021 Quick Guide, CDBG-CV PPR Tieback Flexibilities, Title I of the Housing Community Development Act (HCDA) of 1974, as amended (Pub. L. No. 93-383) (42 USC 5301), 2 CFR Part 200, Subpart E, Appendices III-V11, and sections 200.330, .331, and .501(h), 31 USC 1552, Section III.B.7 of CDBG-CV Notice, Section 110(a) of the HCD Act, federal awarding agency regulations, and the terms and conditions of the award. Condition: Internal controls related to review of one invoice for a payment to a subrecipient, did not have evidence of all required approvals necessary to ensure compliance with allowable costs, cost principles, and period of performance requirements. One monthly payroll allocation journal entry did not have evidence of required approval necessary to ensure compliance with allowable costs, cost principles, and period of performance requirements. Controls were not sufficient over the special tests and provisions – wage rate requirements compliance requirement. Cause: Internal controls over certain payments, including payments requiring review of contractor and subcontractor wage rates were not evidenced with clear documentation. 
Effect: Allowable costs, cost principles, period of performance, and special tests and provisions – wage rate requirements compliance requirements may not be met due to lack of reperformable internal controls. Recommendation: We recommend that the City ensure wage rate requirement compliance is prioritized when applicable. We recommend that the City ensure that all controls for grants be documented in written procedures which should include the name or title of the positions responsible for each control (preparation, review, reconciliation, etc.) and that the performance of the controls be documented in a clear, reperformable manner including the name and date of each responsible individual and which specific control they performed over compliance for the grant.
2024-001 - Lack of Independent Review and Approval Finding Type. Immaterial Noncompliance; Significant Deficiency in Internal Control over Compliance (Allowable Costs/Cost Principles: ALN 93.600 and 64.033, Reporting: ALN 64.033 and Eligibility: ALN 64.033). Program. Head Start; U.S. Department of Health and Human Services; Assistance Listing Number 93.600; All Award Numbers and VA Supportive Services for Veteran Families Program; Department of Veterans Affairs, Assistance Listing Number 64.033; All Award Numbers. Criteria. Per 2 CFR 200.303, the recipient and subrecipient must establish, document, and maintain effective internal controls over federal awards that provides reasonable assurance that the recipient or subrecipient is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the Federal award. Condition. During our testing of Allowable Costs, we noted 4 disbursements tested did not have signed and approved purchase orders. During our testing of Reporting, we noted two quarterly reports that had no evidence of review and approval. During our Eligibility testing, we noted one applicant whose certification form was not signed by the supervisor. Cause. This condition is the result of management not adhering to the Organization's internal control policies. Effect. As a result of this condition, there is an increased risk of unallowable expenses being charged to the grant, inaccurate financial reporting, allowing ineligible participants to receive grant benefits and other potential noncompliance with federal regulations. Questioned Costs. No costs are required to be questioned as a result of this finding, inasmuch as no unallowable expenditures were noted. Recommendation. We recommend the Agency adheres to their internal control process of an independent review and approval of transactions and reporting related to federal grant programs. View of Responsible Official. 
Management agrees with this finding and has prepared a Corrective Action Plan.
Finding 2024-001: U.S. Department of the Treasury Federal Financial Assistance Listing 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Funds Compliance Requirement: Reporting Type of Finding: Significant Deficiency in Internal Controls over Compliance Criteria: 2 CFR 200.303(a) establishes that the auditee must establish and maintain effective internal control over the federal award that provides assurance that the entity is managing the federal award in compliance with federal statutes, regulations, and conditions of the federal award. Condition: The County’s reports submitted to the Department of Treasury were not reviewed and approved by a separate individual outside of the preparer. Cause: Originally, the County did not have an internal control process in place to ensure a secondary review and approval of the reports submitted to the Department of Treasury were performed by someone other than the preparer of the report. An updated secondary review process was put in place in early 2024. Effect: Without a secondary review and approval, there is a possibility that the report may not be accurately completed. Questioned Costs: None. Context / Sampling: For the Coronavirus State and Local Fiscal Recovery Funds, a nonstatistical sample of 2 out of 4 reports were tested. Repeat Finding from Prior Year: Yes, prior year finding 2023-001 Recommendation: We recommend the County implement a control process which includes a secondary review and approval of the required reports to be submitted to the federal agency. Views of Responsible Officials: Management agrees with the noted finding. Refer to Corrective Action Plan.
Finding 2024-003: U.S. Department of the Treasury Federal Financial Assistance Listing 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Funds Compliance Requirement: Procurement Suspension and Debarment Type of Finding: Significant Deficiency in Internal Controls over Compliance Criteria: 2 CFR 200.303(a) establishes that the auditee must establish and maintain effective internal control over the federal award that provides assurance that the entity is managing the federal award in compliance with federal statutes, regulations, and conditions of the federal award. Per 31 CFR 19.300, prior to entering into subawards and contracts with award funds, recipients must verify that such contractors and subrecipients are not suspended, debarred, or otherwise excluded pursuant to 31 CFR § 19.300. Condition: The County did not retain documentation of verifying that 6 vendors were not suspended, debarred, or otherwise excluded prior to entering into a transaction with them. Cause: The County performed the verification, but did not retain documentation and we were unable to verify that it was performed prior to the transaction. Effect: Vendors could be suspended, debarred, or otherwise excluded, and the County would not be aware. Questioned Costs: None Context / Sampling: We tested 32 of 158 transactions subject to suspension and debarment in the SLFRF program. Repeat Finding from Prior Year: Yes, prior year finding 2023-003 Recommendation: The County should retain documentation of the review of all vendors. Views of Responsible Officials: Management agrees with the noted finding. Refer to Corrective Action Plan.
2024-001 Lack of Documented Review of Annual Project and Expenditure Report Assistance Listing Number: 21.027 Program Title: COVID-19 Coronavirus State and Local Fiscal Recovery Funds Compliance Requirement: Reporting - Performance Reporting Pass-through Entity: N/A Federal Grant/Contract Number and Grant Year: COVID-19 Y5258 2021 Finding Type: Material Weakness in Internal Control Questioned Costs: $0 Condition: The annual project and expenditure report required by the grant related to the status of projects was prepared by the grant administrator and there was no documented review of the report by someone other than the preparer prior to submission. The recipient is required to file annually a project and expenditure report with the U.S. Treasury. Criteria: 2 CFR section 200.303 requires that nonfederal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the nonfederal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. Effect: The annual report could include potential errors and cause the City to be out of compliance with the requirement of the grant. Cause: The City has not implemented procedures to formally document their review of the annual project and expenditure report prior to submission to the U.S. Treasury. Perspective: The one report required to be filed did not have documentation of review. Recommendation: A copy of the report should be kept which includes both the date and signature of the preparer and the reviewer. View of responsible officials and planned corrective action: See attached corrective action plan.
FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. 
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. 
As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. 
Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.
FINDING 2024-003 Bridges Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests. b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports. c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges. d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts. e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties conflicts exist. Cause For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None.
Recommendation We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.
FINDING 2024-006 ADP Security Program See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 5 significant systems and noted: a. MDHHS and DTMB did not conduct annual testing of the disaster recovery plan (DRP) for 1 system during fiscal year 2024. b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 4 systems during fiscal year 2024, including not updating the risk assessment which resulted in the expiration of the authority to operate and/or missing control assessments for the systems. Criteria Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for security of information systems used to administer federal programs. In part, the regulations require state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Cause MDHHS and DTMB indicated resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program. 
Effect MDHHS and DTMB cannot demonstrate they have implemented effective controls to ensure the confidentiality, integrity, and availability of their information systems and cannot ensure they comply with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete DRPs could result in delays in restoring critical systems and business processes. Outdated or incomplete system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs. Management Views Although MDHHS and DTMB agree annual testing was not conducted for one system and not all necessary updates to the system security plan were completed during the audit period for 4 systems, MDHHS and DTMB disagree effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS and DTMB also disagree the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described in the effect statement of the finding. MDHHS and DTMB have compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS and DTMB monitor remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of authority to operate. For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. 
Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The system required to be audited as part of the Affordable Care Act, along with two other systems cited, are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate the effectiveness of controls. Each system cited did not have any significant changes and implemented controls are still working as expected. Auditor's Comments to Management Views Although MDHHS may monitor the remediation of identified risks through POAMS, the four systems cited did not have updated risk assessments, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.
FINDING 2024-018 WIC Special Supplemental Nutrition Program for Women, Infants, and Children, ALN 10.557, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - MI-WIC Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully implement effective access controls over the Michigan Women, Infants, and Children Information System (MI-WIC) database. DTMB did not review all privileged MI-WIC database accounts on a semiannual basis. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to review privileged accounts for compliance with account management requirements semiannually. Cause DTMB informed us its internal control and monitoring activities were insufficient to ensure all appropriate parties adhered to established policies. Effect Without effective access controls, individuals may retain inappropriate access to the MI-WIC database. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully implement effective access controls over the MI-WIC database. Management Views MDHHS and DTMB agree with the finding.
FINDING 2024-019 WIC Special Supplemental Nutrition Program for Women, Infants, and Children, ALN 10.557, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - MI-WIC Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over MI-WIC. Our review disclosed MDHHS did not document testing results at one stage of the process for 2 (5%) of 40 sampled MI-WIC change records. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to make sure the changes meet the documented requirements by testing against the documented test plan. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us that because of an oversight, it did not document the testing results. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to MI-WIC. As a result, an increased risk exists MDHHS cannot ensure MI-WIC is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over MI-WIC. Management Views MDHHS agrees with the finding.
FINDING 2024-018 WIC Special Supplemental Nutrition Program for Women, Infants, and Children, ALN 10.557, Activities Allowed or Unallowed and Allowable Costs/Cost Principles - MI-WIC Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS and DTMB did not fully implement effective access controls over the Michigan Women, Infants, and Children Information System (MI-WIC) database. DTMB did not review all privileged MI-WIC database accounts on a semiannual basis. Criteria Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to review privileged accounts for compliance with account management requirements semiannually. Cause DTMB informed us its internal control and monitoring activities were insufficient to ensure all appropriate parties adhered to established policies. Effect Without effective access controls, individuals may retain inappropriate access to the MI-WIC database. Known Questioned Costs None. Recommendation We recommend MDHHS and DTMB fully implement effective access controls over the MI-WIC database. Management Views MDHHS and DTMB agree with the finding.
FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely.
Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. 
As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period.
Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.
FINDING 2024-003 Bridges Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS had not established effective security management and access controls over Bridges users. We noted: a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests. b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports. c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges. d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts. e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties conflicts exist. Cause For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports. Effect We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP). Known Questioned Costs None.
Recommendation We recommend MDHHS establish effective security management and access controls over Bridges users.
FINDING 2024-004 Bridges Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes. Cause MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals. Effect Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended. Known Questioned Costs None. Recommendation We recommend MDHHS fully implement an effective change management process over Bridges. Management Views MDHHS agrees with the finding.