Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.