2 CFR 200 § 200.303

Findings Citing § 200.303

Internal controls.

Total findings: 99,005 (across all audits in database)
About this section
Section 200.303 requires recipients and subrecipients of Federal awards to establish and maintain effective internal controls to ensure compliance with Federal laws and award conditions. This section affects organizations receiving Federal funding, mandating them to monitor compliance, address noncompliance promptly, and protect sensitive information.
FY End: 2024-09-30
State of Michigan
Compliance Requirement: E
FINDING 2024-008 MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.

Background: The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*. LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States. The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster. MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.

Condition: DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.

Criteria: Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires that accounts be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts.

Cause: DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its failure to remove and review the privileged accounts.

Effect: Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.

Known Questioned Costs: None.

Recommendation: We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.

Management Views: DTMB agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: E
FINDING 2024-009 MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.

Condition: MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support that the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis.
Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
c. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024, as noted below: See Schedule of Findings and Questioned Costs for chart/table.

Criteria: Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements annually for non-privileged accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.

Cause: MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.

Effect: Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.

Known Questioned Costs: None.

Recommendation: We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.

Management Views: MDE agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: E
FINDING 2024-010 MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.

Condition: MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.

Criteria: Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause: MDE informed us that because of an oversight, it did not document the testing results and close the work items.

Effect: Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.

Known Questioned Costs: None.

Recommendation: We recommend MDE fully implement an effective change management process over MiND and NexSys.

Management Views: MDE agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: C
FINDING 2024-020 National Guard Military Operations and Maintenance (O&M) Projects, ALN 12.401, Cash Management - Timeliness of Cash Draws
See Schedule of Findings and Questioned Costs for chart/table.

Condition: The Department of Military and Veterans Affairs (DMVA) did not follow its established cash draw process to prepare reimbursement requests in accordance with the CMIA. We noted DMVA did not maintain sufficient or accurate documentation to support that it timely submitted a reimbursement request for 10 (26%) of 38 sampled cash draws. For the remaining 28 cash draws reviewed, DMVA did not timely submit the reimbursement requests for 4 (14%) of the sampled cash draws; DMVA took between 88 and 369 days to process these requests.

Criteria: Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Subpart B of federal regulation 31 CFR 205 requires that a state minimize the time between the drawdown of federal funds from the federal government and its disbursement for federal program purposes. The timing and amount of funds transfers must be as close as is administratively feasible to a state's actual cash outlay for direct program costs and the proportionate share of any allowable indirect costs. DMVA's process is to run departmental expenditure reports for each appendix by the fifteenth day of the month following that in which the expenditures were incurred. The process to submit the Request for Advance or Reimbursement (SF-270) to the United States Property and Fiscal Office (USPFO) varies by appendix. For construction appendices, DMVA sends the expenditure reports to its federal program manager for review and approval of the federal coding to be applied prior to DMVA preparing the reimbursement request. After the federal program manager approves the coding, DMVA prepares the SF-270 and sends it back to its federal program manager for final approval and submission to the USPFO. For all other appendices, DMVA prepares the SF-270 using the expenditure reports and sends the SF-270 to the federal program managers for approval. For airbases, the federal program managers submit the SF-270 to the USPFO after it is approved.

Cause: DMVA informed us competing priorities contributed to its inability to timely process reimbursement requests. Also, DMVA indicated its controls were not sufficient to ensure the retention of documentation to support the timely submission of reimbursement requests.

Effect: DMVA limited its assurance that it complied with the CMIA. The federal grantor agency could issue sanctions or disallowances related to noncompliance.

Known Questioned Costs: None.

Recommendation: We recommend DMVA follow its established cash draw process to prepare reimbursement requests in accordance with the CMIA.

Management Views: DMVA agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: H
FINDING 2024-021 National Guard Military Operations and Maintenance (O&M) Projects, ALN 12.401, Period of Performance - Extension Procedures
See Schedule of Findings and Questioned Costs for chart/table.

Condition: DMVA did not timely submit extension requests for cooperative agreement (CA) appendices sent to the USPFO for 2 (8%) of 24 appendices requiring extension requests during fiscal year 2024. For these 2 appendices, DMVA submitted the requests 111 days late.

Criteria: Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over the federal awards that provides reasonable assurance the auditee is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Federal regulation 2 CFR 200.308 states a recipient must notify the federal agency in writing with the supporting justification and a revised period of performance at least 10 calendar days before the conclusion of the period of performance. The National Guard Bureau's Grants and Cooperative Agreement Policy Letter 21-07 indicates that for projects and activities that cannot be completed before the end of a CA award's budget period of performance, the grantee must submit the extension request at least 10 days prior to the end of the period of performance.

Cause: DMVA's internal control and monitoring activities were not sufficient to ensure it timely submitted the required extension requests for CA appendices sent to the USPFO.

Effect: DMVA may have diminished the federal grantor agency's ability to ensure appropriate oversight and monitoring of the CA appendices. The federal grantor agency could issue sanctions or disallowances related to noncompliance.

Known Questioned Costs: None.

Recommendation: We recommend DMVA timely submit extension requests for CA appendices sent to the USPFO.

Management Views: DMVA agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABGI
FINDING 2024-022 Highway Planning and Construction, ALN 20.205, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Matching, Level of Effort, and Earmarking; and Procurement and Suspension and Debarment - AASHTOWare Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.

Condition: The Michigan Department of Transportation (MDOT) did not fully establish effective security management and access controls over AASHTOWare users. MDOT program staff utilize AASHTOWare to administer construction contracts and approve payments to contractors. We noted MDOT did not fully review user access semiannually for privileged accounts or annually for all other accounts.

Criteria: Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires accounts to be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts.

Cause: MDOT's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.

Effect: Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to AASHTOWare.

Known Questioned Costs: None.

Recommendation: We recommend MDOT fully establish effective security management and access controls over AASHTOWare users.

Management Views: MDOT agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: M
FINDING 2024-008 MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.

Background: The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*. LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States. The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster. MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.

Condition: DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.

Criteria: Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires that accounts be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts.

Cause: DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its failure to remove and review the privileged accounts.

Effect: Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.

Known Questioned Costs: None.

Recommendation: We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.

Management Views: DTMB agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: M
FINDING 2024-009 MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.

Condition: MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support that the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis.
Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
c. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024, as noted below: See Schedule of Findings and Questioned Costs for chart/table.

Criteria: Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements annually for non-privileged accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.

Cause: MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.

Effect: Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.

Known Questioned Costs: None.

Recommendation: We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.

Management Views: MDE agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABH
FINDING 2024-023 Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Period of Performance - PTMS Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDOT did not fully establish effective security management and access controls over Public Transportation Management System (PTMS) users. MDOT program staff utilize PTMS to approve subrecipient budget and payment requests. We noted MDOT did not review user access semiannually for privileged accounts or annually for all other accounts.

Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts and annually for all other accounts.

Cause
MDOT informed us an oversight occurred due to employee turnover.

Effect
Without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to PTMS.

Known Questioned Costs
None.

Recommendation
We recommend MDOT fully establish effective security management and access controls over PTMS users.

Management Views
MDOT agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABH
FINDING 2024-024 Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Period of Performance - Grant Reimbursement Approval Procedures
See Schedule of Findings and Questioned Costs for chart/table.

Condition
The Department of Environment, Great Lakes, and Energy (EGLE) did not review and approve drinking water and clean water grant reimbursement requests for 2 (9%) of 23 sampled payments to ensure the requests were reasonable and appropriate.

Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Also, Subpart E of federal regulation 2 CFR 200 requires that costs charged to federal programs be necessary and reasonable for the administration of the federal award and be in accordance with the relative benefits received by the program.

Cause
EGLE informed us it did not always follow the established process for reviewing and approving reimbursement requests for one grant.

Effect
EGLE could potentially reimburse ineligible project expenditures. The federal grantor agency could issue sanctions or disallowances related to noncompliance.

Known Questioned Costs
None.

Recommendation
We recommend EGLE review and approve drinking water and clean water grant reimbursement requests to ensure the requests are reasonable and appropriate.

Management Views
EGLE agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABH
FINDING 2024-025 Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Period of Performance - Insufficient Respite Payment Controls
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS did not have sufficient controls in place to prevent, or to detect and correct, payment errors made to respite grant recipients. We noted MDHHS did not review and approve respite grant payments after they were manually entered into the Medical Services Administration Manual Payment System (MSAPay).

Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Also, Subpart E of federal regulation 2 CFR 200 requires that costs charged to federal programs be necessary and reasonable for the administration of the federal award and be in accordance with the relative benefits received by the program.

Cause
MDHHS's internal control and monitoring activities were not sufficient to ensure it documented its review and approval of respite grant payments in MSAPay.

Effect
These deficiencies could potentially result in improper payments to recipients. The federal grantor agency could issue sanctions or disallowances related to noncompliance.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS improve its controls to prevent, or to detect and correct, payment errors made to respite grant recipients.

Management Views
MDHHS agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: L
FINDING 2024-026 Coronavirus State and Local Fiscal Recovery Funds, ALN 21.027, Reporting - Workfront Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.

Condition
DTMB did not fully establish effective security management and access controls over Workfront. DTMB program staff utilize Workfront to collect and prepare all Coronavirus State and Local Fiscal Recovery Funds (CSLFRF) data reported to the U.S. Department of the Treasury. Our review of 9 sampled Workfront users noted:
a. DTMB did not maintain documentation to support that it approved the system role for 5 sampled Workfront users.
b. DTMB did not ensure it properly approved 2 users prior to granting them access to Workfront.

Criteria
Federal regulation 2 CFR 200.303 requires the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions.

Cause
DTMB's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to the established policies in place at the time of approval.

Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to Workfront.

Known Questioned Costs
None.

Recommendation
We recommend DTMB fully establish effective security management and access controls over Workfront.

Management Views
DTMB agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABGM
FINDING 2024-008 MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*. LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States. The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster. MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.

Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires that accounts be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires that privileged accounts be reviewed for compliance with account management requirements semiannually.

Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its failure to remove and review the privileged accounts.

Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access to, or make inappropriate changes to, the MiND, GEMS/MARS, and NexSys operating system servers.

Known Questioned Costs
None.

Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.

Management Views
DTMB agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABGM
FINDING 2024-009 MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support that the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process for non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis.
Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
c. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024, as noted below: See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that non-privileged accounts be reviewed for compliance with account management requirements annually, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to remain enabled until after 18 months of inactivity. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.

Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.

Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.

Management Views
MDE agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABGM
FINDING 2024-010 MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as by retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDE informed us that, because of an oversight, it did not document the testing results and close the work items.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, there is an increased risk that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.

Management Views
MDE agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABGHI
FINDING 2024-008 MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*. LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States. The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster. MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.

Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires that accounts be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires that privileged accounts be reviewed for compliance with account management requirements semiannually.

Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its failure to remove and review the privileged accounts.

Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access to, or make inappropriate changes to, the MiND, GEMS/MARS, and NexSys operating system servers.

Known Questioned Costs
None.

Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.

Management Views
DTMB agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABGHI
FINDING 2024-009 MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support that the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process for non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis.
Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
c. MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024, as noted below: See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that non-privileged accounts be reviewed for compliance with account management requirements annually, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to remain enabled until after 18 months of inactivity. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.

Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.

Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.

Management Views
MDE agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABGHI
FINDING 2024-010 MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as by retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDE informed us that, because of an oversight, it did not document the testing results and close the work items.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, there is an increased risk that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.

Management Views
MDE agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABGHI
FINDING 2024-008 MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*. LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States. The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster. MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.

Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires that accounts be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires that privileged accounts be reviewed for compliance with account management requirements semiannually.

Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its failure to remove and review the privileged accounts.

Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access to, or make inappropriate changes to, the MiND, GEMS/MARS, and NexSys operating system servers.

Known Questioned Costs
None.

Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.

Management Views
DTMB agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABGHI
FINDING 2024-009 MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support that the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process for non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis.
Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024, as noted below: See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are granted only the access necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that non-privileged accounts be reviewed annually for compliance with account management requirements, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to remain enabled until they have been inactive for 18 months. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official before access was granted.

Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.

Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.

Management Views
MDE agrees with the finding.
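The account-lifecycle rules quoted in the Criteria of Findings 2024-008 and 2024-009 (removal within three business days of termination, semiannual review of privileged and annual review of non-privileged accounts, automatic disabling after 60 days of inactivity or, under MDE's exception, 18 months, and a documented approval for each role) can be checked mechanically against an account export. The script below is an added example, not State of Michigan, DTMB or MDE code. The account record layout, the day counts used to represent "semiannual", "annual" and "18 months", the issue codes and the sample population are assumptions constructed for illustration; only the rules themselves come from the finding text.

```python
"""Account-lifecycle control checks for the criteria quoted in Findings 2024-008 and
2024-009 (SOM Technical Standard 1340.00.020.01 as summarised by the auditor).

Added example, not State of Michigan, DTMB or MDE code. The record layout, the
day counts used for "semiannual", "annual" and "18 months", and the sample
accounts are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Thresholds taken from the Criteria sections; the day counts are assumptions.
REMOVAL_BUSINESS_DAYS = 3            # remove within three business days of termination/transfer
PRIVILEGED_REVIEW_DAYS = 183         # semiannual recertification of privileged accounts
NONPRIVILEGED_REVIEW_DAYS = 365      # annual recertification of non-privileged accounts
DEFAULT_INACTIVITY_DAYS = 60         # standard: auto-disable after 60 days without a login
MDE_EXCEPTION_INACTIVITY_DAYS = 548  # approved exception: 18 months (assumed 548 days)


@dataclass
class Account:
    username: str
    privileged: bool
    enabled: bool
    last_login: Optional[date]        # None: never logged in
    last_recertified: Optional[date]  # None: never reviewed
    terminated_on: Optional[date]     # None: still employed
    approval_on_file: bool = True     # signed security access form retained


def business_days_between(start: date, end: date) -> int:
    """Count Monday-to-Friday days after `start` up to and including `end`."""
    days, cur = 0, start
    while cur < end:
        cur += timedelta(days=1)
        if cur.weekday() < 5:
            days += 1
    return days


def evaluate_accounts(accounts: List[Account], as_of: date,
                      inactivity_days: int = DEFAULT_INACTIVITY_DAYS) -> List[Tuple[str, str]]:
    """Return (username, issue) pairs for enabled accounts that breach the standard.

    Disabled accounts are skipped: the removal and review requirements concern
    access that is still usable.
    """
    issues = []
    for a in accounts:
        if not a.enabled:
            continue
        # Finding 2024-008 a.: departed user whose access outlived the 3-business-day window.
        if a.terminated_on and business_days_between(a.terminated_on, as_of) > REMOVAL_BUSINESS_DAYS:
            issues.append((a.username, "REMOVAL_OVERDUE"))
        # Finding 2024-008 b. / 2024-009 b.: recertification cadence depends on privilege.
        limit = PRIVILEGED_REVIEW_DAYS if a.privileged else NONPRIVILEGED_REVIEW_DAYS
        if a.last_recertified is None or (as_of - a.last_recertified).days > limit:
            issues.append((a.username, "RECERT_OVERDUE"))
        # Finding 2024-009: inactive account still enabled (60 days, or 18 months under the exception).
        if a.last_login is None or (as_of - a.last_login).days > inactivity_days:
            issues.append((a.username, "INACTIVE_NOT_DISABLED"))
        # Finding 2024-009 a.: no documentation that an authorized official approved the role.
        if not a.approval_on_file:
            issues.append((a.username, "NO_APPROVAL_RECORD"))
    return issues


# Constructed sample population as of fiscal year end 2024-09-30 (a Monday).
AS_OF = date(2024, 9, 30)
SAMPLE_ACCOUNTS = [
    # Left State employment on Mon 2024-09-23; five business days later the account is still enabled.
    Account("jdoe", True, True, date(2024, 9, 20), date(2024, 5, 1), date(2024, 9, 23)),
    # Non-privileged, last login 259 days ago: breaches 60 days, but within the 18-month exception.
    Account("asmith", False, True, date(2024, 1, 15), date(2024, 3, 1), None),
    # Privileged service account last recertified 290 days ago: semiannual review missed.
    Account("svc_batch", True, True, date(2024, 9, 29), date(2023, 12, 15), None),
    # Active and reviewed, but no signed access form on file.
    Account("bjones", False, True, date(2024, 9, 10), date(2024, 4, 1), None, approval_on_file=False),
    # Already disabled: nothing to report regardless of its history.
    Account("cold_user", False, False, date(2022, 1, 1), None, None),
]


def run_example() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Evaluate the sample under the 60-day standard and under MDE's 18-month exception."""
    return (evaluate_accounts(SAMPLE_ACCOUNTS, AS_OF),
            evaluate_accounts(SAMPLE_ACCOUNTS, AS_OF, MDE_EXCEPTION_INACTIVITY_DAYS))


if __name__ == "__main__":
    for label, result in zip(("60-day standard", "18-month exception"), run_example()):
        print(label)
        for user, issue in result:
            print(f"  {user}: {issue}")
```

Running the sample under both inactivity limits shows why the exception matters to the auditor: the same export produces an inactivity finding under the 60-day standard and none under the 18-month exception, while the departed user, the missed privileged review and the missing approval record are flagged either way.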

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABGHI
FINDING 2024-010 MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires that the business owner authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDE informed us that, because of an oversight, it did not document the testing results or close the work items.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.

Management Views
MDE agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABMN
FINDING 2024-008 MDE, IT General Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coro...


FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABMN
FINDING 2024-009 MDE, Security Management and Access Controls See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted: a. MDE did not maintain documentation to support the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users. b. MDE did not fully implement an effective annual recertification process of non-privileged accounts...


FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABMN
FINDING 2024-010 MDE, Change Management Process See Schedule of Findings and Questioned Costs for chart/table. Condition MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that prov...


FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABEGHN
FINDING 2024-002 Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.

Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of the information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, record counts, and other logging techniques.

Cause
DTMB informed us that, because of a coding issue, record counts were either not logged or inappropriately duplicated, and the exceptions were not caught during development.

Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.

Known Questioned Costs
None.

Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.

Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.

Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period, which fall within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.
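The interface control FISCAM describes, and whose failure modes the Cause section names (record counts not logged, or logged twice), comes down to two comparisons per file: what the receiving job read against the sender's control totals, and what the job logged in the batch summary table against what it actually processed. The script below is an added example of that reconciliation, not DTMB or Bridges code. The pipe-delimited layout (H header, D detail, T trailer carrying a record count and an amount total), the exception rule, the outcome codes, the sample files and the summary table rows are all assumptions constructed for illustration; the auditor's point that each file must reconcile on its own, rather than in aggregate, is what the per-file result reflects.

```python
"""Interface reconciliation with control totals, as FISCAM recommends and as
Finding 2024-002 describes (file control and batch summary tables that must carry
control totals of what was processed).

Added example, not DTMB or Bridges code. The file layout (H/D/T records), the
exception rule, the sample files and the batch summary table are assumptions.
"""
from decimal import Decimal
from typing import Dict, List, Tuple

Detail = Tuple[str, Decimal]          # (case_id, amount)
Summary = Dict[str, Tuple[int, int]]  # file_id -> (accepted, exceptions) as logged by the job


def parse_interface_file(text: str) -> Tuple[str, List[Detail], int, Decimal]:
    """Return (file_id, detail rows, trailer record count, trailer amount total)."""
    file_id, details, trailer = None, [], None
    for line in text.strip().splitlines():
        tag, *fields = line.split("|")
        if tag == "H":
            file_id = fields[0]
        elif tag == "D":
            details.append((fields[0], Decimal(fields[1])))
        elif tag == "T":
            trailer = (int(fields[0]), Decimal(fields[1]))
        else:
            raise ValueError(f"unknown record type {tag!r}")
    if file_id is None or trailer is None:
        raise ValueError("file lacks header or trailer")
    return file_id, details, trailer[0], trailer[1]


def process_details(details: List[Detail]) -> Tuple[int, int]:
    """Split detail rows into (accepted, exceptions).

    Exception rule (assumed): a negative amount or a repeated case id. Every row,
    accepted or not, still counts toward the sender's trailer totals.
    """
    seen, accepted, exceptions = set(), 0, 0
    for case_id, amount in details:
        if amount < 0 or case_id in seen:
            exceptions += 1
        else:
            accepted += 1
        seen.add(case_id)
    return accepted, exceptions


def reconcile(text: str, batch_summary: Summary) -> Tuple[str, List[str]]:
    """Reconcile one file against its trailer and against the batch summary table.

    Check 1: what was read matches the sender's control totals (completeness).
    Check 2: what the job logged matches what it actually processed (the logging
    defects the finding describes: counts never written, or written twice).
    """
    file_id, details, expected_count, expected_total = parse_interface_file(text)
    findings = []
    if len(details) != expected_count or sum(a for _, a in details) != expected_total:
        findings.append("TRAILER_MISMATCH")
    accepted, exceptions = process_details(details)
    logged = batch_summary.get(file_id)
    if logged is None:
        findings.append("SUMMARY_NOT_LOGGED")   # record counts never written
    elif logged != (accepted, exceptions):
        findings.append("SUMMARY_MISMATCH")     # e.g. an exception counted twice
    return file_id, findings or ["RECONCILED"]


# Constructed sample files: one clean, one with a duplicated exception count,
# one whose counts were never logged, one whose trailer disagrees with its body.
SAMPLE_FILES = [
    "H|ELIG_20240903\nD|C100|100.00\nD|C101|150.00\nD|C102|50.00\nT|3|300.00",
    "H|ELIG_20240904\nD|C200|120.00\nD|C201|80.00\nD|C201|80.00\nD|C202|20.00\nT|4|300.00",
    "H|ELIG_20240905\nD|C300|10.50\nD|C301|5.25\nT|2|15.75",
    "H|ELIG_20240906\nD|C400|1.00\nD|C401|2.00\nD|C402|3.00\nT|2|6.00",
]
SAMPLE_BATCH_SUMMARY: Summary = {
    "ELIG_20240903": (3, 0),
    "ELIG_20240904": (3, 2),   # one duplicate case, but the exception was logged twice
    # ELIG_20240905 absent: the job never wrote its counts
    "ELIG_20240906": (3, 0),
}


def run_example() -> Dict[str, List[str]]:
    """Reconcile every sample file individually, as the auditor's comments require."""
    return dict(reconcile(f, SAMPLE_BATCH_SUMMARY) for f in SAMPLE_FILES)


if __name__ == "__main__":
    for file_id, outcome in run_example().items():
        print(f"{file_id}: {', '.join(outcome)}")
```

The two checks are deliberately separate. A trailer mismatch means the receiving system did not get what the sender said it sent; a summary mismatch or missing summary means the file may have been processed correctly but the evidence the reviewer relies on is wrong, which is exactly the situation in which exceptions go unreviewed without anyone noticing.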

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABEGHN
FINDING 2024-003 Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS had not established effective security management and access controls over Bridges users. We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are granted only the access necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, be in place where segregation of duties* conflicts exist.

Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.

Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).

Known Questioned Costs
None.

Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.
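Part a. of the condition above and the FISCAM criterion it is measured against describe a specific control sequence: an incompatible role combination may only be held under an exception that was approved by an authorized person before the conflicting access was granted, and that names a compensating control. The script below is an added example of checking a role export against that sequence; it is not MDHHS or Bridges code. The role names, the list of incompatible pairs, the status codes and the sample grants and exception requests are assumptions constructed for illustration.

```python
"""Incompatible-role (segregation of duties) check with exception approval timing,
for the control in Finding 2024-003 a. and the FISCAM compensating-control
criterion quoted in that finding.

Added example, not MDHHS or Bridges code. Role names, incompatible pairs and the
sample grants and exceptions are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed toxic combinations: one person should not both work a case and approve
# its benefits, nor both maintain vendors and authorize payments to them.
INCOMPATIBLE_ROLES = [
    frozenset({"CASE_WORKER", "BENEFIT_APPROVER"}),
    frozenset({"VENDOR_MAINTAINER", "PAYMENT_AUTHORIZER"}),
]


@dataclass
class RoleGrant:
    user: str
    role: str
    granted_on: date


@dataclass
class RoleException:
    user: str
    roles: FrozenSet[str]
    approved_on: Optional[date]   # None: request filed but never approved
    approver: Optional[str]       # authorized official who signed off
    compensating_control: str     # e.g. supervisory review of the user's transactions


def find_sod_conflicts(grants: List[RoleGrant],
                       exceptions: List[RoleException]) -> List[Tuple[str, Tuple[str, ...], str]]:
    """Return (user, incompatible pair, status) for every user holding a toxic combination."""
    granted: Dict[Tuple[str, str], date] = {}
    for g in grants:   # keep the latest grant date if a role was granted more than once
        key = (g.user, g.role)
        granted[key] = max(g.granted_on, granted.get(key, g.granted_on))
    results = []
    for user in sorted({u for u, _ in granted}):
        roles = {r for (u, r) in granted if u == user}
        for pair in INCOMPATIBLE_ROLES:
            if not pair <= roles:
                continue
            # The conflict exists from the moment the second role of the pair was granted.
            conflict_since = max(granted[(user, r)] for r in pair)
            exc = next((e for e in exceptions if e.user == user and e.roles == pair), None)
            if exc is None:
                status = "NO_EXCEPTION"
            elif exc.approved_on is None or not exc.approver:
                status = "EXCEPTION_NOT_APPROVED"
            elif exc.approved_on > conflict_since:
                status = "APPROVED_AFTER_GRANT"     # the defect cited in Finding 2024-003 a.
            elif not exc.compensating_control:
                status = "NO_COMPENSATING_CONTROL"  # FISCAM: monitoring where SoD conflicts remain
            else:
                status = "OK"
            results.append((user, tuple(sorted(pair)), status))
    return results


# Constructed sample data.
SAMPLE_GRANTS = [
    RoleGrant("alice", "CASE_WORKER", date(2024, 2, 1)),
    RoleGrant("alice", "BENEFIT_APPROVER", date(2024, 6, 3)),       # exception approved beforehand
    RoleGrant("bob", "CASE_WORKER", date(2024, 1, 8)),
    RoleGrant("bob", "BENEFIT_APPROVER", date(2024, 7, 15)),        # exception approved afterwards
    RoleGrant("carol", "VENDOR_MAINTAINER", date(2023, 11, 1)),
    RoleGrant("carol", "PAYMENT_AUTHORIZER", date(2024, 3, 4)),     # no exception at all
    RoleGrant("dave", "CASE_WORKER", date(2024, 5, 6)),             # single role, no conflict
    RoleGrant("erin", "CASE_WORKER", date(2024, 4, 1)),
    RoleGrant("erin", "BENEFIT_APPROVER", date(2024, 4, 15)),       # request filed, never approved
]
CASE_PAIR = frozenset({"CASE_WORKER", "BENEFIT_APPROVER"})
SAMPLE_EXCEPTIONS = [
    RoleException("alice", CASE_PAIR, date(2024, 5, 28), "supervisor1",
                  "weekly supervisory review of cases both worked and approved by alice"),
    RoleException("bob", CASE_PAIR, date(2024, 8, 1), "supervisor1",
                  "weekly supervisory review of cases both worked and approved by bob"),
    RoleException("erin", CASE_PAIR, None, None, ""),
]


def run_sod_example() -> List[Tuple[str, Tuple[str, ...], str]]:
    return find_sod_conflicts(SAMPLE_GRANTS, SAMPLE_EXCEPTIONS)


if __name__ == "__main__":
    for user, pair, status in run_sod_example():
        print(f"{user}: {' + '.join(pair)} -> {status}")
```

The ordering test (`approved_on > conflict_since`) is the one that catches the condition the auditor sampled: an exception that exists and is signed, but only after the incompatible access was already live.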

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABEGHN
FINDING 2024-004 Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires that the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDHHS informed us it did not always follow established processes for documenting post-release validation and business owner approvals.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.

Management Views
MDHHS agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABG
FINDING 2024-008 MDE, IT General Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coro...


FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABG
FINDING 2024-009 MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support that the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process for non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis.
Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024, as noted below: See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations, that accounts be reviewed for compliance with account management requirements annually for non-privileged accounts, and that the information system automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to remain enabled until after 18 months of inactivity. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.

Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.

Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.

Management Views
MDE agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABG
FINDING 2024-010 MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDE informed us that, because of an oversight, it did not document the testing results and close the work items.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists that MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.

Management Views
MDE agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABEGHN
FINDING 2024-002 Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.

Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of the information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, record counts, and other logging techniques.

Cause
DTMB informed us that, because of a coding issue, record counts were either not logged or inappropriately duplicated, and the exceptions were not caught during development.

Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.

Known Questioned Costs
None.

Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.

Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.

Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces, because the interfaces run at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface depends not on the frequency of its interval but on the purpose of the interface, regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period, which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation, or maintained it in a manner that allows for replication of the purged files, to support that controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support that the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABEGHN
FINDING 2024-003 Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS had not established effective security management and access controls over Bridges users. We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with the roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, be in place where segregation of duties* conflicts exist.

Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.

Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and the data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).

Known Questioned Costs
None.

Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABEGHN
FINDING 2024-004 Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDHHS informed us it did not always follow established processes for documenting post-release validation and business owner approvals.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.

Management Views
MDHHS agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABG
FINDING 2024-008 MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*. LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States. The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster. MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.

Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires that accounts be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts.

Cause
DTMB informed us that the reassignment of the removal and recertification processes to another employee resulted in its failure to remove and review the privileged accounts.

Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.

Known Questioned Costs
None.

Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.

Management Views
DTMB agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABEGHN
FINDING 2024-002 Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.

Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.

Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.

Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.

Known Questioned Costs
None.

Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.

Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.

Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABEGHN
FINDING 2024-003 Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS had not established effective security management and access controls over Bridges users. We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations and accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties'* conflicts exist.

Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.

Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).

Known Questioned Costs
None.

Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABEGHN
FINDING 2024-004 Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDHHS informed us it did not always follow established processes for documenting post release validation and business owner approvals.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists MDHHS cannot ensure Bridges is configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.

Management Views
MDHHS agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABG
FINDING 2024-008 MDE, IT General Controls
See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Education (MDE) uses Michigan Nutrition Data (MiND) to review the local educational agencies' eligibility verification process for school children participating in the Summer Electronic Benefit Transfer Program for Children. In addition, MDE uses the Grant Electronic Monitoring System/Michigan Administrative Review System (GEMS/MARS) to monitor its Coronavirus State and Local Fiscal Recovery Funds' subrecipients*. LEO uses the Next Generation Grant, Application and Cash Management System (NexSys) to approve grant applications and budgets, monitor subrecipients, and authorize payment requests for services covered by the Adult Education - Basic Grants to States. The Michigan Department of Lifelong Education, Advancement, and Potential (MiLEAP) uses GEMS/MARS to monitor its Twenty-First Century Community Learning Centers subrecipients. In addition, MiLEAP uses NexSys to approve grant applications and/or budgets, monitor subrecipients, and/or authorize payment requests for services covered by Special Education-Grants for Infants and Families, Twenty-First Century Community Learning Centers, and the CCDF Cluster. MDE and DTMB are jointly responsible for maintenance and operation of MiND, GEMS/MARS, and NexSys.

Condition
DTMB did not fully implement effective general controls* over MiND, GEMS/MARS, and NexSys operating system servers. We noted:
a. DTMB did not remove access for a user who had departed from State employment.
b. DTMB did not review privileged accounts on a semiannual basis for the operating system servers.
After bringing these matters to management's attention, DTMB corrected the issues noted.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires accounts should be removed within three business days when no longer required or when users are terminated or transferred. The Standard also requires accounts should be reviewed for compliance with account management requirements semiannually for privileged accounts.

Cause
DTMB informed us the reassignment of the removal and recertification processes to another employee resulted in its lack of removing and reviewing the privileged accounts.

Effect
Without effective general controls, individuals may obtain unauthorized or inappropriate access or make inappropriate changes to MiND, GEMS/MARS, and NexSys operating system servers.

Known Questioned Costs
None.

Recommendation
We recommend DTMB fully implement effective general controls over MiND, GEMS/MARS, and NexSys operating system servers.

Management Views
DTMB agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABG
FINDING 2024-009 MDE, Security Management and Access Controls
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys. We noted:
a. MDE did not maintain documentation to support the appropriate individual approved the system role for 9 (38%) of 24 sampled MiND users.
b. MDE did not fully implement an effective annual recertification process of non-privileged accounts:
(1) MDE did not review all non-privileged internal accounts on an annual basis for GEMS/MARS and MiND.
(2) MDE did not always ensure the subrecipients certified their non-privileged external accounts on an annual basis. Our results are summarized in the following table: See Schedule of Findings and Questioned Costs for chart/table.
MDE did not disable inactive MiND and NexSys users who had not accessed the applications in over 18 months as of September 30, 2024 as noted below: See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information. SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires separation of duties must be implemented through assigned information system access authorizations, accounts should be reviewed for compliance with account management requirements annually for non-privileged accounts, and the information system to automatically disable inactive user accounts after 60 days. However, MDE requested and received an approved exception, which allows user accounts to not be disabled until after 18 months. MDE is responsible for granting access to certain user roles within each system. MDE's process required a security access form to be completed and signed by an authorized official prior to access being granted.

Cause
MDE's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies.

Effect
Without effective user access controls, individuals may obtain unauthorized or inappropriate access to MDE's systems.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully establish effective security management and access controls over GEMS/MARS, MiND, and NexSys.

Management Views
MDE agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABG
FINDING 2024-010 MDE, Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDE did not fully implement an effective change management process over MiND and NexSys. We sampled 16 MiND and 12 NexSys change deployments and noted: See Schedule of Findings and Questioned Costs for chart/table.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to authorize the change to be developed and perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDE informed us that because of an oversight, it did not document the testing results and close the work items.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to MiND and NexSys. As a result, an increased risk exists MDE cannot ensure MiND and NexSys are configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDE fully implement an effective change management process over MiND and NexSys.

Management Views
MDE agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABEG
FINDING 2024-002 Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.

Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques.

Cause
DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development.

Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.

Known Questioned Costs
None.

Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.

Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.

Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABEG
FINDING 2024-003 Bridges Security Management and Access Controls*
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS had not established effective security management and access controls over Bridges users. We noted:
a. MDHHS did not properly approve 20 (50%) of 40 sampled Bridges incompatible role exception requests prior to granting the exception requests.
b. MDHHS did not maintain documentation for 17 (21%) of 80 sampled local office security monitoring reports. Also, MDHHS did not complete timely reviews for 1 (2%) of 63 sampled security monitoring reports.
c. MDHHS did not properly approve 3 (8%) of 40 sampled Bridges application security agreements prior to granting access to Bridges.
d. MDHHS did not review its semiannual recertification of 2 of 5 sampled existing Bridges privileged user accounts. Also, MDHHS did not document or properly review its annual recertification of 5 (14%) of 35 sampled Bridges non-privileged user accounts.
e. MDHHS did not maintain documentation for 6 (30%) of 20 sampled local office high-risk Bridges transaction monitoring reports.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity, and availability of State of Michigan information.
SOM Technical Standard 1340.00.020.01 requires agencies to implement and document baseline controls ensuring users are only granted access which is necessary to accomplish assigned tasks in accordance with roles and responsibilities of their job functions. The Standard also requires that separation of duties be implemented through assigned information system access authorizations and that accounts be reviewed for compliance with account management requirements semiannually for privileged accounts* and annually for all other accounts. In addition, the GAO's FISCAM recommends compensating controls, such as additional monitoring and supervision, should be in place where segregation of duties* conflicts exist.

Cause
For parts a., c., and d., MDHHS's internal control and monitoring activities were not sufficient to ensure all appropriate parties adhered to established policies and procedures. For parts b. and e., MDHHS's internal control and monitoring activities need improvement to ensure all appropriate parties maintain and timely complete their review of the local office security monitoring reports and high-risk Bridges transaction monitoring reports.

Effect
We consider these issues to be a material weakness because, without effective security management and access controls, individuals may obtain unauthorized or inappropriate access to Bridges. As a result, an increased risk exists that MDHHS cannot ensure the security of the Bridges application and data used to help determine eligibility and benefit levels for the SNAP Cluster, Summer Electronic Benefit Transfer Program for Children, CCDF Cluster, Medicaid Cluster, Temporary Assistance for Needy Families (TANF), Refugee and Entrant Assistance State/Replacement Designee Administered Programs (REAP), Low-Income Home Energy Assistance Program (LIHEAP), and Children's Health Insurance Program (CHIP).

Known Questioned Costs
None.

Recommendation
We recommend MDHHS establish effective security management and access controls over Bridges users.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABEG
FINDING 2024-004 Bridges Change Management Process
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS did not fully implement an effective change management process over Bridges. Our review disclosed MDHHS did not document post-implementation approvals for 2 (5%) of 40 sampled Bridges change records.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. SOM Technical Standard 1340.00.060.04 requires the business owner to perform post-implementation validation. SOM Technical Procedure 1340.00.060.04.01 requires each test type to have its own set of documentation. State of Michigan Administrative Guide to State Government policy 1340.00 requires approved personnel to adequately manage the configuration* of the State's systems, such as retaining previous system configurations, configuring approved devices for high-risk areas, and tracking and documenting system changes.

Cause
MDHHS informed us it did not always follow established processes for documenting post-release validation and business owner approvals.

Effect
Without an effective change management process, individuals may make unauthorized or inappropriate changes to Bridges. As a result, an increased risk exists that MDHHS cannot ensure Bridges is configured and operating securely and as intended.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS fully implement an effective change management process over Bridges.

Management Views
MDHHS agrees with the finding.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABEGN
FINDING 2024-006 ADP Security Program
See Schedule of Findings and Questioned Costs for chart/table.

Condition
MDHHS and DTMB did not ensure a comprehensive ADP security program was fully implemented for information systems used to administer their federal programs. We reviewed 5 significant systems and noted:
a. MDHHS and DTMB did not conduct annual testing of the disaster recovery plan (DRP) for 1 system during fiscal year 2024.
b. MDHHS and DTMB did not complete all necessary updates to the system security plan for 4 systems during fiscal year 2024, including not updating the risk assessment, which resulted in the expiration of the authority to operate and/or missing control assessments for the systems.

Criteria
Federal regulations 7 CFR 272.10 and 45 CFR 95.621 make state agencies responsible for the security of information systems used to administer federal programs. In part, the regulations require state agencies to establish and maintain an ADP security program, including a security plan and policies and procedures to address contingency planning to meet critical processing needs in the event of short- or long-term interruption of services, plans for emergency preparedness, and a program for conducting periodic risk analyses. In addition, federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards.

Cause
MDHHS and DTMB indicated resources were focused on meeting federal and State mandates while maintaining operational needs and addressing IT security risks highlighted in prior audits. MDHHS and DTMB also indicated limited resources caused delays in the completion of a comprehensive ADP security program.

Effect
MDHHS and DTMB cannot demonstrate they have implemented effective controls to ensure the confidentiality, integrity, and availability of their information systems and cannot ensure they comply with applicable direct and material federal compliance requirements, such as the Medicaid Cluster special tests and provisions - ADP risk analysis and system security review requirement. Incomplete DRPs could result in delays in restoring critical systems and business processes. Outdated or incomplete system security plans and risk assessments put the security of critical systems at risk by failing to mitigate potential vulnerabilities. The federal grantor agency could issue sanctions and/or disallowances related to noncompliance.

Known Questioned Costs
None.

Recommendation
We recommend MDHHS and DTMB ensure a comprehensive ADP security program is fully implemented for information systems used to administer federal programs.

Management Views
Although MDHHS and DTMB agree annual testing was not conducted for one system and not all necessary updates to the system security plan were completed during the audit period for 4 systems, MDHHS and DTMB disagree effective controls were not implemented to ensure confidentiality, integrity, and availability of its ADP information systems. MDHHS and DTMB also disagree the security of critical systems was at risk by failing to mitigate potential vulnerabilities as described in the effect statement of the finding. MDHHS and DTMB have compensating controls in place to ensure confidentiality, integrity, and availability of its ADP information systems in addition to mitigating potential vulnerabilities. MDHHS and DTMB monitor remediation of Plans of Actions and Milestones (POAMS) for all information systems even after expiration of authority to operate. For one system cited, MDHHS is required to audit the system as part of the responsibilities related to the Affordable Care Act and the Medicaid Expansion marketplace. Those audits are conducted to show compliance with federal information security and privacy requirements related to data stored in those systems. The system required to be audited as part of the Affordable Care Act, along with two other systems cited, are reviewed biennially through the Internal Control Evaluation process where control evidence is updated to demonstrate the effectiveness of controls. Each system cited did not have any significant changes and implemented controls are still working as expected.

Auditor's Comments to Management Views
Although MDHHS may monitor the remediation of identified risks through POAMS, the four systems cited did not have updated risk assessments, creating a potential system vulnerability by failing to monitor the current risks. Further, the reviews conducted in other audits and the internal control evaluation process do not eliminate the need to ensure a comprehensive ADP security program is fully implemented. Therefore, the finding stands as written.

FY End: 2024-09-30
State of Michigan
Compliance Requirement: ABEG
FINDING 2024-002 Bridges Interface Controls
See Schedule of Findings and Questioned Costs for chart/table.

Background
The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges.

Condition
DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile.

Criteria
Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, record counts, and other logging techniques.

Cause
DTMB informed us that, because of a coding issue, record counts were either not logged or inappropriately duplicated, and the exceptions were not caught during development.

Effect
DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner.

Known Questioned Costs
None.

Recommendation
We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed.

Management Views
DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely.

Auditor's Comments to Management Views*
Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the interfaces occur at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but on the purpose of the interface, regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period, which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation, or maintained it in a manner to allow for replication of the purged files, to support that controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support that the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation that it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.
