2 CFR 200 § 200.303

Findings Citing § 200.303

Internal controls.

Total Findings: 99,011 (across all audits in database)
About this section
Section 200.303 requires recipients and subrecipients of Federal awards to establish and maintain effective internal controls to ensure compliance with Federal laws and award conditions. This section affects organizations receiving Federal funding, mandating them to monitor compliance, address noncompliance promptly, and protect sensitive information.
FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P

Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various

Criteria: Internal Controls

Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Condition

The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.

The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.

During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:

Workday

1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.

2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).

3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.

Cause

The conditions above relate to the following, respectively:

1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.

2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.

3) The exception occurred due to delays in supervisors’ timely reporting of terminations.

Possible Asserted Effect

Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.

Questioned Costs: None.

Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample.

Repeat Finding: Yes.

Recommendation

We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.

Views of Responsible Officials: Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides rea...

Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides rea...

Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides rea...

Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides rea...

Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria: Internal Controls. Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause: The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect: Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs: None.
Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding: Yes.
Recommendation: We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials: Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria: Internal Controls. Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause: The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect: Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs: None.
Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding: Yes.
Recommendation: We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials: Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria: Internal Controls. Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause: The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect: Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs: None.
Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding: Yes.
Recommendation: We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials: Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria: Internal Controls. Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause: The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect: Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs: None.
Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding: Yes.
Recommendation: We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials: Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria: Internal Controls. Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause: The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect: Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs: None.
Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding: Yes.
Recommendation: We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials: Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various

Criteria: Internal Controls. Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Condition: The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.

During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:

Workday

1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.

Cause: The conditions above relate to the following, respectively:

1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.

Possible Asserted Effect: Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.

Questioned Costs: None.

Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample.

Repeat Finding: Yes.

Recommendation: We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.

Views of Responsible Officials: Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various

Criteria: Internal Controls. Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Condition: The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.

During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:

Workday

1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.

Cause: The conditions above relate to the following, respectively:

1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.

Possible Asserted Effect: Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.

Questioned Costs: None.

Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample.

Repeat Finding: Yes.

Recommendation: We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.

Views of Responsible Officials: Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various

Criteria: Internal Controls. Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Condition: The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.

During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:

Workday

1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.

Cause: The conditions above relate to the following, respectively:

1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.

Possible Asserted Effect: Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.

Questioned Costs: None.

Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample.

Repeat Finding: Yes.

Recommendation: We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.

Views of Responsible Officials: Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various

Criteria: Internal Controls. Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Condition: The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.

During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:

Workday

1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.

Cause: The conditions above relate to the following, respectively:

1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.

Possible Asserted Effect: Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.

Questioned Costs: None.

Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample.

Repeat Finding: Yes.

Recommendation: We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.

Views of Responsible Officials: Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various

Criteria: Internal Controls. Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Condition: The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.

During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:

Workday

1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.

Cause: The conditions above relate to the following, respectively:

1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.

Possible Asserted Effect: Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.

Questioned Costs: None.

Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample.

Repeat Finding: Yes.

Recommendation: We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.

Views of Responsible Officials: Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various

Criteria: Internal Controls. Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Condition: The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.

During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:

Workday

1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.

Cause: The conditions above relate to the following, respectively:

1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.

Possible Asserted Effect: Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.

Questioned Costs: None.

Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample.

Repeat Finding: Yes.

Recommendation: We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.

Views of Responsible Officials: Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides rea...

Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides rea...

Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides rea...

Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides rea...

Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides rea...

Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Bmc Health System, Inc.
Compliance Requirement: P
Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides rea...

Federal Agency: United States Department of Health and Human Services (HHS) Federal Program: Research & Development ALN Number: Various Federal Award Years: Various Criteria Internal Controls Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls. The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control. 
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment: Workday 1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period. 2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available). 3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday. 
Cause The conditions above relate to the following, respectively: 1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes. 2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR. 3) The exception occurred due to delays in supervisors’ timely reporting of terminations. Possible Asserted Effect Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards. Questioned Costs None. Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes. Recommendation We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained. Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken. Views of Responsible Officials Recommendation accepted. Please refer to corrective action plan.

FY End: 2024-09-30
Primary Care Medical Services of Poinciana, Inc.
Compliance Requirement: N
2024-001 (Repeat Finding) Retaining Sliding Scale Determination Documentation Special Tests and Provisions ALN 93.224 Health Center Program (Community Health Centers, Migrant Health Centers, Health Care for the Homeless, and Public Housing Primary Care) US Department of Health and Human Services Contract Numbers H80CS30749-06 and H80CS30749-07 Contract Periods April 1, 2022 – March 31, 2023 and April 1, 2023 – March 31, 2024 Conditions and Criteria: The requirement under 45 CFR 75.361 provides requirements for the retention of records for grantees. In addition, 2 CFR 200.303 provides requirements to establish and maintain effective internal controls over Federal awards. Specifically, it states that financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Health and Human Services awarding agency of pass-through entity in the case of a subrecipient. In the 2023 audit, for 5 out of 40 samples selected for testing, it was noted that OCHS did not retain the proper documents that the patients had submitted that included their income and family size or the documents completed by OCHS showing the sliding fee discount determination for these patients. Effect: The effect is that records that are required to be retained were not retained and evidence of how the sliding fee discount was determined could not be examined. Questioned Costs: Any likely questioned costs could not be determined since compliance testing was unable to be performed due to the lack of documentation. 
It should be noted that there were no exceptions for 35 samples that were able to be tested, and for 5 samples with insufficient documentation, 3 had partial documentation of income (i.e., pay stubs) and 2 had no documentation of income as it was not maintained. However, the sliding scale calculation was completed for all 40 samples. Cause: Determining the sliding fee discount level for each patient is reassessed on an annual basis. During the year, there was employee turnover in the compliance department. Although OCHS has a records retention policy, there was a lack of monitoring in place to ensure that the requirement under 45 CFR 75.361 was adhered to. Auditor Recommendation: A procedure should be put in place to monitor whether the record retention policy is followed. Current Status: During the current year, fiscal 2024 audit testing, 5 of 40 samples lacked support for the sliding fee scale determination. However, for all 5 samples it was noted the sliding fee was determined during fiscal 2023. There is a three-year documentation retention requirement per 45 CFR 200.303. If asked to produce documentation for fiscal year 2023, OCHS would not be able to do so, therefore, the 2023 fiscal year finding was repeated. Planned Corrective Action: See the following Corrective Action Plan section for management’s planned corrective action.

FY End: 2024-09-30
Town of Cleveland
Compliance Requirement: AB
No written procedures for advance receipt of federal award payments Assistance Listing Number: 21.027 Program Title: Coronavirus State and Local Fiscal Recovery Funds Pass-through Entity: Alabama Department of Environmental Management Contract Number and Year: FS-10269-02 and CS010896-01 2023 Finding Type: Significant Deficiency Known Questioned Costs: None Criteria – 2 CFR Section 200.303(a) requires nonfederal entities receiving federal awards to establish and maintain internal control over the federal awards that provides reasonable assurance that the nonfederal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. 2 CFR 200.305 Federal Payment requires nonfederal entities to establish written procedures to implement the requirements of cash management of federal funding. Condition – The Organization received federal funds prior to paying contractors and had no written procedures in place for appropriately handling those funds. Cause – The Organization has not developed or implemented written procedures for appropriately handling advance federal funds. Effect – Possible noncompliance with requirements of the program. Recommendation – The Organization should develop, implement and comply with written procedures to meet the requirements of 2 CFR Section 200.303(a) and 2 CFR 200.305 Federal Payment. Views of responsible officials – The Mayor has implemented policies to no longer hold contractor invoices until ARPA funding is received but will follow the reimbursement guidelines per the grant agreements.

FY End: 2024-09-30
Metropolitan Transit Authority of Harris County, Texas
Compliance Requirement: AB
Criteria: Per Title 2 CFR § 200.516, the auditor must report known questioned costs greater than $25,000 for a Federal program that is not audited as a major program. In addition, Title 2 CFR § 200.303 requires the recipient of federal funds establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Condition: As part of a review performed by METRO’s internal audit department (METRO IA) over the activities of the vanpool department in fiscal year 2024, METRO IA identified certain questioned costs incurred and reimbursed as part of the Highway Planning and Construction program administered by the Texas Department of Transportation (TXDOT). These questioned costs were communicated by METRO management to TXDOT and they are working with TXDOT on final resolution. The Highway Planning and Construction program was not a major program in fiscal year 2024 subject to a single audit. We did not identify any other similar costs in the major programs tested. Total questioned cost identified through the METRO IA procedures was $262,794. Total expenditures for the Highway Planning and Construction program were $744,358. Cause: The Vanpool department did not have adequate internal controls and processes in place to ensure that department personnel properly understood grant requirements and that program costs were properly calculated and allowable in accordance with the grant agreements. Effect: Certain of the costs incurred and submitted for reimbursement by METRO were unallowable. Auditor’s Recommendation: METRO should establish appropriate processes and controls to guide personnel in the determination of allowable costs in accordance with grant agreements. In particular, management should focus on the processes and controls associated with the vanpool department.

FY End: 2024-09-30
Linden City Board of Education
Compliance Requirement: L
Reference Number: 2024-04 Compliance Requirement: Reporting Type of Finding: Internal control and Compliance Internal Control Impact: Material weakness Compliance Impact: Material Noncompliance. AL Number and Title: 84.425 – COVID-19 Education Stabilization Fund Federal Awarding Agency: U.S. Department of Education Federal Award Number: None Pass-through Entity: Alabama Department of Education Pass-through Award Number: None Questioned Costs: None Condition: The Board could not provide a copy, with supporting documentation, of the annual required information submission to the Alabama Department of Education for the federal program. Criteria: Per 2 CFR § 200.303, the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Cause: Internal controls are not in place to ensure that the reports submitted to the pass-through entity are adequately supported by information derived from the accounting system. No evidence of review by someone other than the preparer is maintained. Effect: Information provided to the Alabama Department of Education may be incorrect or incomplete or not submitted timely. Recommendation: Internal controls should be developed to ensure that reports are completed and submitted timely, are supported by information derived from the accounting system, and are reviewed and approved prior to being submitted to the State of Alabama. Client Response: We agree with this finding.

FY End: 2024-09-30
Mobridge Regional Hospital
Compliance Requirement: N
United States Department of Agriculture Federal Financial Assistance Listing #10.766 Communities Facilities Loans and Grants USDA Rural Development Building Loan 97‐07 & 97‐08 Special Tests and Provisions Material Weakness in Internal Control over Compliance and Noncompliance Criteria: 2 CFR 200.303(a) establishes that the auditee must establish and maintain effective internal control over the federal award that provides assurance that the entity is managing the federal award in compliance with federal statutes, regulations, and conditions of the federal award. Section 4 of the loan resolution security agreements dated March 28, 2012 states the Hospital must set aside a reserve amount which may be established as a bookkeeping account or as a separate bank account. Funds may be deposited in institutions insured by state and federal government or invested in marketable securities backed by the full faith and credit of the United States. Condition: As a part of the audit process, a reclassification entry was made to move the funds from the cash sweep general fund to a separate bookkeeping account. Management did not track the funds in a separate bank or bookkeeping account throughout the year. The Hospital had excess cash available to cover the required reserve amount for the fiscal year. Cause: The Hospital was unaware the funds were required to be tracked throughout the year and maintained in a separate bookkeeping account or as a separate bank account. Effect: The Hospital could be in violation of the reserve amount requirements if management is not monitoring compliance. Questioned Costs: None reported. Context/Sampling: Sampling was not used. Repeat Finding from Prior Years: Yes, prior year finding 2023‐004. 
Recommendation: We recommend the Hospital transfer the required reserve amount to a separate bookkeeping account in the trial balance or establish a separate bank account and ensure the funds are deposited monthly in institutions insured by state and federal governments or invested in marketable securities backed by the full faith and credit of the United States. Controls should be established and documented to monitor compliance with the reserve fund provision. Views of Responsible Officials: Management agrees with the finding.

FY End: 2024-09-30
Schoolcraft County
Compliance Requirement: ABL
2024-003: Preparation of Schedule of Expenditures of Federal Awards (SEFA) Finding Type: Material Weakness in Internal Controls and Noncompliance (Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Reporting) Federal Program: U.S. Department of Treasury – Local Assistance and Tribal Consistency Fund (AL #21.032) Criteria: The Code of Federal Regulations (CFR) Section 200.303(b) requires non-Federal entities to establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and terms and conditions of the Federal award. CFR Section 200.502(a) states that the determination of when a Federal award is expended should be based on when the activity related to the Federal award occurs. Generally, the activity pertains to events that require the non-Federal entity to comply with Federal statutes, regulations, and the terms and conditions of Federal awards, such as expenditure/expense transactions associated with grant awards. The County reports expenditures on the SEFA when the expenditure has been incurred, or on the accrual basis of accounting, in accordance with generally accepted accounting principles. CFR Section 200.510(b) requires the auditee to prepare a SEFA for the period covered by the auditee’s financial statements which must include the total Federal awards expended as determined in accordance with CFR Section 200.502(a), as stated above, and must reconcile amounts reported in the SEFA to the amounts reported in the auditee’s financial statements. Condition: The SEFA was not appropriately reconciled to federal grant revenues and expenditures recorded in the financial statements. Changes were made during the closing process and during the completion of the single audit to properly report expenditures on the SEFA. 
Closing procedures should be in place to reconcile grant expenditures incurred at year-end, confirm the amount as eligible with the grantor, claim the grant revenues on a timely basis, reconcile the claim to the general ledger, and ensure the expenditures that will be claimed under federal awards are properly reported on the SEFA and audited financial statements prior to the start of the single audit. If expenditures reported on the SEFA are misstated, the County could fail to have a program appropriately identified as a major program and tested as a major program during the single audit. Failure to have a program audited during the single audit would result in noncompliance with Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Cause: Closing procedures were not in place and management did not effectively communicate with County departments responsible for administering federal awards to identify all federal grant related activity. Effect: County personnel were unable to provide a complete SEFA in the appropriate format prior to the start of the annual financial statement audit and were uncertain if a single audit was required. The SEFA required material adjustments to include all federal expenditures prior to the beginning of the single audit. Questioned Costs: No costs have been questioned as a result of this finding. Recommendation: We recommend that management meet with department heads throughout the year and during the closing process to identify all expenditures under federal awards. Training should be provided to all staff to make sure they are aware of the importance of accurately reconciling and claiming grant expenditures on a timely basis and providing the information to management for inclusion on the SEFA. 
Views of Responsible Officials: The County will work to improve closing processes and communications with various departments to ensure the SEFA is complete and accurate.

FY End: 2024-09-30
Schoolcraft County
Compliance Requirement: ABL
2024-004: Written Policies Required by the Uniform Guidance Finding Type: Material Weakness in Internal Controls and Noncompliance (Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Reporting) Federal Program: U.S. Department of Treasury – Local Assistance and Tribal Consistency Fund (AL #21.032) Criteria: The County does not have written policies and procedures to implement the requirements of 2 CFR section 200 for the administration of federal awards. The Uniform Guidance requires a non-federal entity that has expended federal awards for a grant on or after December 26, 2014 to have written policies pertaining to: 1) advance payments and reimbursements (financial management); 2) determination of allowable costs; 3) compensation (personnel and benefits policies); 4) travel costs; and 5) procurement procedures. 2 CFR 200.303(a) establishes that the auditee must establish and maintain effective internal controls over the federal awards that provide assurance that the entity is managing the federal awards in compliance with federal statutes, regulations, and the conditions of the federal award. Condition: The County does not have processes or written policies in place to conform to all of the requirements in the Uniform Guidance. Cause: The County has not reviewed and updated its policies and procedures for continued changes in grants and the Uniform Guidance. Effect: As a result of this condition, the County did not fully comply with the Uniform Guidance. Questioned Costs: No costs have been questioned as a result of this finding. Recommendation: We recommend that the County adopt formal written policies covering these areas as soon as practical. Views of Responsible Officials: The County will work to update policies and procedures and to formalize responsibilities.

FY End: 2024-09-30
Town of Huntington Housing Authority
Compliance Requirement: EN
Criteria - Uniform Guidance (2 CFR §200.303) requires recipients of federal awards to establish and maintain effective internal controls over compliance. Specifically, 24 CFR §982.201 and related program requirements for the Housing Choice Voucher Program (HCV) (Assistance Listing Number 14.871) mandate: 1) Documentation of eligibility (including citizenship/immigration status and income verification). 2) Signed lease agreements between the tenant and owner. 3) Rent reasonableness determinations for all units. 4) Housing Quality Standards (HQS) inspections must be documented prior to lease-up and annually thereafter. 5) Recertifications (HUD-50058) and authorizations to release information (HUD-9886) must be on file. Condition - During testing of 40 participant files, we were unable to verify compliance with key program requirements due to missing documentation as detailed below:
Deficiency: Number of Files Affected
• Missing signed application: 19 out of 40
• Missing signed lease agreement: 29 out of 40
• Missing proof of citizenship/eligible immigration status: 20 out of 40
• Missing documentation of independent income verification: 11 out of 40
• Missing HUD-50058 recertification: 11 out of 40
• Missing HUD-9886 (Authorization for Release of Information): 14 out of 40
• Missing documentation of rent reasonableness: 18 out of 40
• Missing HQS inspection documentation: 25 out of 40
Cause - The Authority did not maintain adequate documentation in participant files, indicating a lack of effective internal controls over file management and compliance monitoring. Effect - The absence of required documentation increases the risk of non-compliance with HUD regulations, which may result in findings during HUD reviews or audits and possible loss of HUD funding or sanctions if deficiencies are not corrected. Questioned Costs - Due to missing documentation, the allowability of housing assistance payments for the impacted participants cannot be determined. 
Statistical Sampling - The sample was not intended to be, and was not, a statistically valid sample. Recommendation - To address the deficiencies identified in the HCV Program tenant files, we recommend that the Authority implement comprehensive measures to strengthen compliance and improve internal controls. First, the Authority should conduct a full review of all tenant files to identify and resolve missing documentation, using a standardized checklist to ensure all required documents are included in each file. Management’s Response - (a) Comments on the finding and recommendation - The Authority agrees with the finding. The Authority also agrees with the recommendations; please see below for action taken. (b) Action taken - The Authority will conduct a thorough review of all tenant files to identify and resolve missing documentation, including signed applications, lease agreements, proof of citizenship or eligible immigration status, independent income verification, HUD forms (50058 and 9886), rent reasonableness documentation, and HQS inspection records. Staff will work to obtain missing documents from tenants, landlords, or other necessary parties. A standardized checklist should be used to ensure all required items are present in each file moving forward. (c) Planned implementation date of corrective action - Completed by September 30, 2025.

FY End: 2024-09-30
Government of the District of Columbia
Compliance Requirement: G
Finding Number: 2024-001 Prior Year Finding Number: 2023-002 Compliance Requirement: Matching, Level of Effort, Earmarking Program: U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP) Cluster ALN: 10.551, 10.561 Award #: Various Award Year: 10/01/2023 – 09/30/2024 Government Department/Agency: Department of Human Services (DHS)/ Economic Security Administration (ESA) Criteria - The Uniform Guidance in 2 CFR Section 200.303 requires that non-Federal entities receiving Federal awards (i.e., auditee management) establish and maintain internal control designed to reasonably ensure compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. 2 CFR Section 277.4(b), Federal reimbursement rate, states that the base percentage for Federal payment shall be 50 percent of State agencies’ allowable SNAP administrative costs. Per review of the Settlement Agreement from the U.S. Department of Health and Human Services Departmental Appeals Board dated September 13, 1999, the District of Columbia is required to spend an additional $1,620,000 in local funds for the SNAP grant match each year by making an adjustment of $1,620,000 to the expenditures charged to the federal grant. Condition – During the testing of the SNAP Matching, Level of Effort, Earmarking compliance requirement, we noted that two (2) out of four (4) quarterly SF-425 reports tested, which were for quarters ended March 30, 2024 and June 30, 2024, had the issues that resulted in this finding. The SF-425 reports tested were approved and certified, and DHS/ESA exceeded the required SNAP Matching amount of $41,509,067. However, the Office of the Chief Financial Officer (OCFO) for DHS/ESA was unable to provide supporting documentation that would allow us to agree specific amounts reported for (1) Quality Control, (2) Fraud Control, (3) ADP Operations, and (4) Outreach. 
The total calculated amount by OCFO for DHS/ESA reported as the actual match on the SF-425 report, excluding New Investment, was $43,129,064. However, the total recalculated amount by auditors to be reported as the actual match was $43,199,416. The variance between these two amounts was $70,352. In addition, during the testing of the SNAP Matching, Level of Effort, Earmarking compliance requirement, we noted that the OCFO team for Human Support Services Cluster inadvertently failed to deduct the $1,620,000 adjustment from the Federal Share of Administrative Expenditures on the SEFA to comply with the Settlement Agreement with the U.S. Department of Health and Human Services Departmental Appeals Board dated September 13, 1999. The Settlement Agreement requires the District of Columbia to spend $1,620,000 in local funds for the SNAP grant each year, which the Agency decided to reflect as a deduction from the Federal Share of Administrative Expenditures on the SEFA. Furthermore, as a result of the Random Movement Time Study, the Agency needed to move expenses from the SNAP bucket in the DIFS System and the Agency inadvertently moved $158,834 less in expenses. Consequently, the Federal Share of Administrative Expenditures on the SEFA is higher compared to the Federal Share of Administrative Expenditures reported on the SF-425 report. Questioned Costs – None. Context – This is a condition identified per review of DHS/ESA’s compliance through the OCFO team with specified requirements using a statistically valid sample. Effect – OCFO for DHS/ESA is not in compliance with the stated provisions. Without adequate internal controls to ensure reconciliation of the amounts reported for the matching requirements and other pertinent information, there is an increased risk that matching and other pertinent information will not be properly reported. 
Cause – OCFO for DHS/ESA does not appear to have adequate policies and procedures in place to ensure that the amounts reported for the matching requirement and other pertinent information are accurate and supported. Recommendation – We recommend that OCFO for DHS/ESA strengthen its policies and procedures to ensure that amounts for SNAP matching requirements and other pertinent information are properly reported and that related reports are reviewed for compliance with program requirements as well as completeness and accuracy prior to submission. Related Noncompliance – Noncompliance. Views of Responsible Officials and Planned Corrective Actions – DHS concurs with the finding. The District’s corrective action is described in the Management’s Corrective Action Plan included as Appendix B of the attached Management’s Section.

FY End: 2024-09-30
Government of the District of Columbia
Compliance Requirement: N
Finding Number: 2024-002 Prior Year Finding Number: 2023-003 Compliance Requirement: Special Tests and Provisions – ADP System for SNAP Program: U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP) Cluster ALN: 10.551, 10.561 Award #: Various Award Year: 10/01/2023 – 09/30/2024 Government Department/Agency: Department of Human Services (DHS)/ Department of Health Care Finance (DHCF) DC Access System (DCAS) Program Management Administration Criteria - The Uniform Guidance in 2 CFR Section 200.303 requires that non-Federal entities receiving Federal awards (i.e., auditee management) establish and maintain internal control designed to reasonably ensure compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Per 7 CFR Section 272.10(a), “All State agencies are required to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information concerning SNAP.” Per 7 CFR Section 272.10(b), “In order to meet the requirements of the Act and ensure the efficient and effective administration of the program, a SNAP system, at a minimum, shall be automated in each of the following program areas (1) Certification and (2) Issuance Reconciliation and Reporting. Under Certification – State agencies must determine eligibility and calculate benefits or validate the eligibility worker’s calculations by processing and storing all casefile information necessary for the eligibility determination and benefit computation (including but not limited to all household members’ names, addresses, dates of birth, social security numbers, individual household members’ earned and unearned income by source, deductions, resources and household size). 
Also, State agencies must redetermine or revalidate eligibility and benefits based on notices of change in households’ circumstances.” Condition – The District is self-reporting findings it noted from its ongoing efforts to resolve issues with the ADP system for SNAP. The issues identified and the estimated impact follow:
1. Failure to Send Correct and Timely Notices to SNAP Households - Notices pertaining to SNAP eligibility contain incorrect information, and/or SNAP applicants and recipients fail to receive proper notices. For example, in the Federal Fiscal Year (FFY) 2018 Local Program Access Review (PAR), Food and Nutrition Service (FNS) cited that SNAP applicants did not receive a Notice of Eligibility or notice contained incorrect information, no notice of required verification, and the notice of adverse action was incorrect.
2. Untimely Processing of SNAP Applications and Periodic Reports - On October 23, 2017, FNS advised DHS that its application processing timeliness (APT) rate between October 2016 and March 2017 was 88.45%, which triggered corrective action per FNS policy. Moreover, between that last APT report and now, DHS has disclosed that it has experienced processing backlogs of varying severity and persistence to FNS via ongoing communications and as part of waiver requests. DHS also provided a report to FNS in August 2022 that indicated significant application processing backlogs.
3. Establishment of Duplicate Accounts - DHS discovered that duplicate Product Delivery Cases (PDC) were being created in DCAS. One PDC was active and the other closed, but the closed PDC was still receiving benefits.
4. Issuance of Duplicate Payment - As a result of duplicate accounts in Deficiency 3, duplicate payments may have been issued to the same household when a caseworker reactivated a closed case. There is also a possibility that customers who received duplicate electronic benefits transfer (EBT) cards from different EBT vendors may have received duplicate payments.
5. Failure to Implement Computer Matching System - Based on the FFY18 Program Integrity Management Evaluation (ME) review, DHS failed to process Prisoner Verification System (PVS) matches, deceased matches, and National Directory of New Hires (NDNH) matches in accordance with federal requirements.
6. Failure to Produce System Computations to Support Recipient Claims - DCAS does not have the ability to calculate overpayments or send a demand letter. FNS correspondence letters dated October 18, 2017, and September 20, 2018, advised DHS to suspend the establishment of DCAS claims but allowed DHS to continue servicing ACEDS claims.
7. Treasury Offset Program (TOP) Reporting and Maintenance Decertified - FNS conducted a TOP Technical Review in June 2021 and DHS was decertified from TOP due to the following:
• Referral of customers to TOP that are undergoing recoupment.
• Incorrect determination of the date of delinquency.
• Incorrect debt balance and debt status in TOP.
8. Failure to Initiate Recoupment on Active Households - When DCAS launched in October 2016, more than 3,000 claim cases with outstanding balances originating from SNAP overpayments were converted from ACEDS to DCAS. Some claims were not properly converted or activated in DCAS. As a result, DHS failed to take the required recovery actions, including TOP recovery or activation of the recoupment process through EBT cards.
9. Recipient and Benefit Integrity Report Update Required - DHS must provide an update on the target completion dates for system generation of all SNAP-related reports currently being created through manual intervention. The plan must include the procedures for reviewing and ensuring the accuracy of the data being submitted to Food Programs Reporting System (FPRS) with particular emphasis on the FNS-209 and the FNS-366B reports. DHS experienced some technical challenges in processing and retrieving claim and recoupment information accurately since the launch of DCAS in October 2016, which affected the FNS-209 quarterly reports. The Payment and Collections Division (PCD) and the DCAS report development team have made concerted efforts to improve the ability to generate data for the reports but continue to have difficulties in verifying the accuracy of data due in part to the laborious manual processes involved. Based on the FFY 2018 Program Integrity ME review, lines 3b, 10, and 14 of the FNS-209 failed to reconcile with the detailed documentation.
10. Work Requirements Have Not Been Properly Implemented - DHS is not in compliance with the requirement to accurately report on the FNS 583. DHS is unprepared to implement the work requirement and time limit for able-bodied adults without dependents when the current suspension mandated by the Families First Coronavirus Response Act ends and/or its waiver ends. Additionally, the District is not prepared to apply the Able-Bodied Adults Without Dependents (ABAWD) time limits when their ABAWD waiver expires.
11. Failure to Analyze Client Complaints and Include in the State’s Corrective Action Plans (CAP) Where Appropriate - DHS is failing to analyze client complaints and include in the State’s CAP where appropriate, per 7 CFR 271.6(a)(3) and 275.16.
12. The SNAP Application Does Not Clearly Explain Which Questions Are Required for SNAP - FNS reviewers found that the District’s SNAP application does not provide clear directions about which questions are required for SNAP, versus Cash or Medical Assistance. For example, Step 5 of the application asks “Does anyone in your household (including non-applicants) have any income? Yes – complete below; No – skip to step 6 (Complete if you are applying for Food, Medical, or Cash Assistance).” The directions are confusing and may be difficult to understand.
Questioned Costs – Not determinable. Context – This is a condition identified per review of DHS’ compliance with specified requirements resulting from a system implementation. Effect – Without an effectively designed and operated system in place, ineligible beneficiaries may receive benefits under the SNAP grant and DHS may make payments on behalf of those beneficiaries resulting in noncompliance with the eligibility requirements. Inaccurate beneficiary allotment payments could result in participants receiving benefits that they are not entitled to receive under the program. Cause – DHS did not effectively design and operate the ADP system for SNAP which resulted in inaccurate benefit payments. Recommendation – We recommend that DHS continue to evaluate and improve the new ADP system for SNAP to ensure that it addresses all the administration requirements of the SNAP program. Related Noncompliance – Material noncompliance. Views of Responsible Officials and Planned Corrective Actions – The DHS and DHCF DCAS team agree with the findings noted in this report. DHS self-reported these findings as part of the agency’s ongoing effort to maintain integrity with all eligibility determinations. The root cause of each of the twelve (12) case issues with the ADP system for SNAP varied. The District’s corrective action is described in the Management’s Corrective Action Plan included as Appendix B of the attached Management’s Section.

FY End: 2024-09-30
Government of the District of Columbia
Compliance Requirement: N
Finding Number: 2024-003 Prior Year Finding Number: 2023-004 Compliance Requirement: Special Tests and Provisions – EBT Card Security Program: U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP) Cluster ALN: 10.551, 10.561 Award #: Various Award Year: 10/01/2023 – 09/30/2024 Government Department/Agency: Department of Human Services (DHS)/ Office of the Chief Financial Officer/Office of Finance and Treasury (OCFO/OFT) Criteria - The Uniform Guidance in 2 CFR Section 200.303 requires that non-Federal entities receiving Federal awards (i.e., auditee management) establish and maintain internal control designed to reasonably ensure compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Per 7 CFR Section 274.8(b)(3), As an addition to or component of the Security Program required of Automated Data Processing (ADP) systems, the State agency shall ensure that the following electronic benefits transfer (EBT) security requirements are established: (i) Storage and control measures to control blank unissued EBT cards and PINs, and unused or spare POS devices; (ii) Measures to ensure communication access control. Communication controls shall include the transmission of transaction data and issuance information from POS terminals to work-stations and terminals at the data processing center; (iii) Message validation; (iv) Administrative and operational procedures; (v) A separate EBT security component shall be incorporated into the State agency Security Program for ADP systems. The periodic risk analyses required by the Security Program shall address the following items specific to an EBT system – (B) Completeness and timeliness of the reconciliation system; and (vi) The State agency shall incorporate the contingency plan approved by FNS into the Security Program. 
Condition – OCFO/OFT for DHS are required to maintain adequate security over, and documentation/records for EBT cards, to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use. OCFO/OFT have contracted with Fidelity National Information Service (FIS) for the issuance and security of the EBT cards; however, it is OCFO/OFT’s ultimate responsibility to ensure the contractor has controls in place to maintain adequate security over, and documentation/records of EBT cards in accordance with 7 CFR Section 274.8(b)(3). During our tests of the design and implementation of internal controls and compliance requirements in accordance with 7 CFR Section 274.8(b)(3), we noted the following issues:
• For seventeen (17) out of the 60 samples, out of a population of 496 days from two EBT card centers, although both EBT Balance Sheets reconciled with the EBT Card Issuance Logs included in the package, we noted the following deficiencies:
  o For fourteen (14) out of the samples, we noted various issues including (a) the ID type for identification purposes was missing, (b) the customer case number was missing, (c) the Photo ID Program Referral Form was missing, (d) the identification type was noted as referral on the EBT Intake Form, but no referral form was attached, (e) the UPO EBT Center Intake Form was not signed by staff who created the card, and (f) the EBT Card Destruction log was missing.
  o For two (2) out of the samples, we noted that the required authorizations by a DHS Supervisor and eligibility staff were missing.
  o For one (1) out of the samples, we noted that the EBT Card Issuance Log had a wrong date.
• In addition, for one (1) out of the 60 samples, we noted that the information on the summary reconciliation sheet did not agree to the Card Issuance Log. The summary reconciliation sheet shows 40 cards issued while the Card Issuance Log shows a total of 39 cards issued.
These exceptions resulted in the Agency not being in compliance with 7 CFR Section 274.8(b)(3). Questioned Costs – None. Context – This is a condition identified per review of DHS’ compliance with specified requirements using a statistically valid sample. Effect – Without adequate internal controls to ensure compliance with EBT Card Security requirements, there is an increased risk that the inventory of EBT cards will not be properly maintained and accounted for, or that the program will not be in compliance with program requirements. Cause – OCFO/OFT for DHS does not have adequate policies and procedures in place to ensure adequate safeguarding, documentation over issuance and monitoring of EBT cards. Recommendation - We recommend that OCFO/OFT for DHS strengthen formal policies and procedures to maintain adequate security over, and documentation/records for EBT Cards. Related Noncompliance – Material noncompliance. Views of Responsible Officials and Planned Corrective Actions – The OCFO/OFT for DHS concurs with this finding. The District’s corrective action is described in the Management’s Corrective Action Plan included as Appendix B of the attached Management’s Section.

FY End: 2024-09-30
Government of the District of Columbia
Compliance Requirement: N
Finding Number: 2024-002 Prior Year Finding Number: 2023-003 Compliance Requirement: Special Tests and Provisions – ADP System for SNAP Program: U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP) Cluster ALN: 10.551, 10.561 Award #: Various Award Year: 10/01/2023 – 09/30/2024 Government Department/Agency: Department of Human Services (DHS)/ Department of Health Care Finance (DHCF) DC Access System (DCAS) Program Management Administration Criteria - The Uniform Guidance in 2 CFR Section 200.303 requires that non-Federal entities receiving Federal awards (i.e., auditee management) establish and maintain internal control designed to reasonably ensure compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Per 7 CFR Section 272.10(a), “All State agencies are required to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information concerning SNAP.” Per 7 CFR Section 272.10(b), “In order to meet the requirements of the Act and ensure the efficient and effective administration of the program, a SNAP system, at a minimum, shall be automated in each of the following program areas (1) Certification and (2) Issuance Reconciliation and Reporting. Under Certification – State agencies must determine eligibility and calculate benefits or validate the eligibility worker’s calculations by processing and storing all casefile information necessary for the eligibility determination and benefit computation (including but not limited to all household members’ names, addresses, dates of birth, social security numbers, individual household members’ earned and unearned income by source, deductions, resources and household size). 
Also, State agencies must redetermine or revalidate eligibility and benefits based on notices of change in households’ circumstances.” Condition – The District is self-reporting findings it noted from its ongoing efforts to resolve issues with the ADP system for SNAP. The issues identified and the estimated impact follow: 1. Failure to Send Correct and Timely Notices to SNAP Households - Notices pertaining to SNAP eligibility contain incorrect information, and/or SNAP applicants and recipients fail to receive proper notices. For example, in the Federal Fiscal Year (FFY) 2018 Local Program Access Review (PAR), Food and Nutrition Service (FNS) cited that SNAP applicants did not receive a Notice of Eligibility or notice contained incorrect information, no notice of required verification, and the notice of adverse action was incorrect. 2. Untimely Processing of SNAP Applications and Periodic Reports - On October 23, 2017, FNS advised DHS that its application processing timeliness (APT) rate between October 2016 and March 2017 was 88.45%, which triggered corrective action per FNS policy. Moreover, between that last APT report and now, DHS has disclosed that it has experienced processing backlogs of varying severity and persistence to FNS via ongoing communications and as part of waiver requests. DHS also provided a report to FNS in August 2022 that indicated significant application processing backlogs. 3. Establishment of Duplicate Accounts - DHS discovered that duplicate Product Delivery Cases (PDC) were being created in DCAS. One PDC was active and the other closed, but the closed PDC was still receiving benefits. 4. Issuance of Duplicate Payment - As a result of duplicate accounts in Deficiency 3, duplicate payments may have been issued to the same household when a caseworker reactivated a closed case. 
There is also a possibility that customers who received duplicate electronic benefits transfer (EBT) cards from different EBT vendors may have received duplicate payments. 5. Failure to Implement Computer Matching System - Based on the FFY18 Program Integrity Management Evaluation (ME) review, DHS failed to process Prisoner Verification System (PVS) matches, deceased matches, and National Directory of New Hires (NDNH) matches in accordance with federal requirements. 6. Failure to Produce System Computations to Support Recipient Claims - DCAS does not have the ability to calculate overpayments or send a demand letter. FNS correspondence letters dated October 18, 2017, and September 20, 2018, advised DHS to suspend the establishment of DCAS claims but allowed DHS to continue servicing ACEDS claims. 7. Treasury Offset Program (TOP) Reporting and Maintenance Decertified - FNS conducted a TOP Technical Review in June 2021 and DHS was decertified from TOP due to the following: • Referral of customers to TOP that are undergoing recoupment. • Incorrect determination of the date of delinquency. • Incorrect debt balance and debt status in TOP. 8. Failure to Initiate Recoupment on Active Households - When DCAS launched in October 2016, more than 3,000 claim cases with outstanding balances originating from SNAP overpayments were converted from ACEDS to DCAS. Some claims were not properly converted or activated in DCAS. As a result, DHS failed to take the required recovery actions, including TOP recovery or activation of the recoupment process through EBT cards. 9. Recipient and Benefit Integrity Report Update Required - DHS must provide an update on the target completion dates for system generation of all SNAP-related reports currently being created through manual intervention. 
The plan must include the procedures for reviewing and ensuring the accuracy of the data being submitted to Food Programs Reporting System (FPRS) with particular emphasis on the FNS-209 and the FNS-366B reports. DHS experienced some technical challenges in processing and retrieving claim and recoupment information accurately since the launch of DCAS in October 2016, which affected the FNS-209 quarterly reports. The Payment and Collections Division (PCD) and the DCAS report development team have made concerted efforts to improve the ability to generate data for the reports but continue to have difficulties in verifying the accuracy of data due in part to the laborious manual processes involved. Based on the FFY 2018 Program Integrity ME review, lines 3b, 10, and 14 of the FNS-209 failed to reconcile with the detailed documentation. 10. Work Requirements Have Not Been Properly Implemented - DHS is not in compliance with the requirement to accurately report on the FNS 583. DHS is unprepared to implement the work requirement and time limit for able-bodied adults without dependents when the current suspension mandated by the Families First Coronavirus Response Act ends and/or its waiver ends. Additionally, the District is not prepared to apply the Able-Bodied Adults Without Dependents (ABAWD) time limits when their ABAWD waiver expires. 11. Failure to Analyze Client Complaints and Include in the State’s Corrective Action Plans (CAP) Where Appropriate - DHS is failing to analyze client complaints and include in the State’s CAP where appropriate, per 7 CFR 271.6(a)(3) and 275.16. 12. The SNAP Application Does Not Clearly Explain Which Questions Are Required for SNAP - FNS reviewers found that the District’s SNAP application does not provide clear directions about which questions are required for SNAP, versus Cash or Medical Assistance. For example, Step 5 of the application asks “Does anyone in your household (including non-applicants) have any income? 
Yes – complete below; No – skip to step 6 (Complete if you are applying for Food, Medical, or Cash Assistance).” The directions are confusing and may be difficult to understand. Questioned Costs – Not determinable. Context – This is a condition identified per review of DHS’ compliance with specified requirements resulting from a system implementation. Effect – Without an effectively designed and operated system in place, ineligible beneficiaries may receive benefits under the SNAP grant and DHS may make payments on behalf of those beneficiaries resulting in noncompliance with the eligibility requirements. Inaccurate beneficiary allotment payments could result in participants receiving benefits that they are not entitled to receive under the program. Cause – DHS did not effectively design and operate the ADP system for SNAP which resulted in inaccurate benefit payments. Recommendation – We recommend that DHS continue to evaluate and improve the new ADP system for SNAP to ensure that it addresses all the administration requirements of the SNAP program. Related Noncompliance – Material noncompliance. Views of Responsible Officials and Planned Corrective Actions – The DHS and DHCF DCAS team agree with the findings noted in this report. DHS self-reported these findings as part of the agency’s ongoing effort to maintain integrity with all eligibility determinations. The root cause of each of the twelve (12) case issues with the ADP system for SNAP varied. The District’s corrective action is described in the Management’s Corrective Action Plan included as Appendix B of the attached Management’s Section.

FY End: 2024-09-30
Government of the District of Columbia
Compliance Requirement: N
Finding Number: 2024-003 Prior Year Finding Number: 2023-004 Compliance Requirement: Special Tests and Provisions – EBT Card Security Program: U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP) Cluster ALN: 10.551, 10.561 Award #: Various Award Year: 10/01/2023 – 09/30/2024 Government Department/Agency: Department of Human Services (DHS)/ Office of the Chief Financial Officer/Office of Finance and Treasury (OCFO/OFT) Criteria - The Uniform Guidance in 2 CFR Section 200.303 requires that non-Federal entities receiving Federal awards (i.e., auditee management) establish and maintain internal control designed to reasonably ensure compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Per 7 CFR Section 274.8(b)(3), As an addition to or component of the Security Program required of Automated Data Processing (ADP) systems, the State agency shall ensure that the following electronic benefits transfer (EBT) security requirements are established: (i) Storage and control measures to control blank unissued EBT cards and PINs, and unused or spare POS devices; (ii) Measures to ensure communication access control. Communication controls shall include the transmission of transaction data and issuance information from POS terminals to work-stations and terminals at the data processing center; (iii) Message validation; (iv) Administrative and operational procedures; (v) A separate EBT security component shall be incorporated into the State agency Security Program for ADP systems. The periodic risk analyses required by the Security Program shall address the following items specific to an EBT system – (B) Completeness and timeliness of the reconciliation system; and (vi) The State agency shall incorporate the contingency plan approved by FNS into the Security Program. 
Condition – OCFO/OFT for DHS are required to maintain adequate security over, and documentation/records for EBT cards, to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use. OCFO/OFT have contracted with Fidelity National Information Service (FIS) for the issuance and security of the EBT cards; however, it is OCFO/OFT’s ultimate responsibility to ensure the contractor has controls in place to maintain adequate security over, and documentation/records of EBT cards in accordance with 7 CFR Section 274.8(b)(3). During our tests of the design and implementation of internal controls and compliance requirements in accordance with 7 CFR Section 274.8(b)(3), we noted the following issues: • For seventeen (17) out of the 60 samples, out of a population of 496 days from two EBT card centers, although both EBT Balance Sheets reconciled with the EBT Card Issuance Logs included in the package, we noted the following deficiencies: o For fourteen (14) out of the samples, we noted various issues including (a) the ID type for identification purposes was missing, (b) the customer case number was missing, (c) the Photo ID Program Referral Form was missing, (d) the identification type was noted as referral on the EBT Intake Form, but no referral form was attached, (e) the UPO EBT Center Intake Form was not signed by staff who created the card, and (f) the EBT Card Destruction log was missing. o For two (2) out of the samples, we noted that the required authorizations by a DHS Supervisor and eligibility staff were missing. o For one (1) out of the samples, we noted that the EBT Card Issuance Log had a wrong date. • In addition, for one (1) out of the 60 samples, we noted that the information on the summary reconciliation sheet did not agree to the Card Issuance Log. The summary reconciliation sheet shows 40 cards issued while the Card Issuance Log shows a total of 39 cards issued. 
These exceptions resulted in the Agency not being in compliance with 7 CFR Section 274.8(b)(3). Questioned Costs – None. Context – This is a condition identified per review of DHS’ compliance with specified requirements using a statistically valid sample. Effect – Without adequate internal controls to ensure compliance with EBT Card Security requirements, there is an increased risk that the inventory of EBT cards will not be properly maintained and accounted for, or that the program will not be in compliance with program requirements. Cause – OCFO/OFT for DHS does not have adequate policies and procedures in place to ensure adequate safeguarding, documentation over issuance and monitoring of EBT cards. Recommendation - We recommend that OCFO/OFT for DHS strengthen formal policies and procedures to maintain adequate security over, and documentation/records for EBT Cards. Related Noncompliance – Material noncompliance. Views of Responsible Officials and Planned Corrective Actions – The OCFO/OFT for DHS concurs with this finding. The District’s corrective action is described in the Management’s Corrective Action Plan included as Appendix B of the attached Management’s Section.

FY End: 2024-09-30
Government of the District of Columbia
Compliance Requirement: G
Finding Number: 2024-001 Prior Year Finding Number: 2023-002 Compliance Requirement: Matching, Level of Effort, Earmarking Program: U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP) Cluster ALN: 10.551, 10.561 Award #: Various Award Year: 10/01/2023 – 09/30/2024 Government Department/Agency: Department of Human Services (DHS)/ Economic Security Administration (ESA) Criteria - The Uniform Guidance in 2 CFR Section 200.303 requires that non-Federal entities receiving Federal awards (i.e., auditee management) establish and maintain internal control designed to reasonably ensure compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Per 2 CFR Section 277.4(b), Federal reimbursement rate, states that the base percentage for Federal payment shall be 50 percent of State agencies’ allowable SNAP administrative costs. Per review of the Settlement Agreement from the U.S. Department of Health and Human Services Departmental Appeals Board dated September 13, 1999, the District of Columbia is required to spend an additional $1,620,000 in local funds for the SNAP grant match each year by making an adjustment of $1,620,000 to the expenditures charged to the federal grant. Condition – During the testing of the SNAP Matching, Level of Effort, Earmarking compliance requirement, we noted that two (2) out of four (4) quarterly SF-425 reports tested, which were for quarters ended March 30, 2024 and June 30, 2024, had the issues that resulted in this finding. The SF-425 reports tested were approved and certified, and DHS/ESA exceeded the required SNAP Matching amount of $41,509,067. However, the Office of the Chief Financial Officer (OCFO) for DHS/ESA was unable to provide supporting documentation that would allow us to agree specific amounts reported for (1) Quality Control, (2) Fraud Control, (3) ADP Operations, and (4) Outreach. 
The total calculated amount by OCFO for DHS/ESA reported as the actual match on the SF-425 report, excluding New Investment, was $43,129,064. However, the total recalculated amount by auditors to be reported as the actual match was $43,199,416. Variance between these two amounts was $70,352. In addition, during the testing of the SNAP Matching, Level of Effort, Earmarking compliance requirement, we noted that the OCFO team for Human Support Services Cluster inadvertently failed to deduct the $1,620,000 adjustment from the Federal Share of Administrative Expenditures on the SEFA to comply with the Settlement Agreement with the U.S. Department of Health and Human Services Departmental Appeals Board dated September 13, 1999. The Settlement Agreement requires the District of Columbia to spend $1,620,000 in local funds for the SNAP grant each year, which the Agency decided to reflect as a deduction from the Federal Share of Administrative Expenditures on the SEFA. Furthermore, as a result of the Random Movement Time Study, the Agency needed to move expenses from the SNAP bucket in the DIFS System and the Agency inadvertently moved $158,834 less expenses. Consequently, the Federal Share of Administrative Expenditures on the SEFA is higher compared to the Federal Share of Administrative Expenditures reported on SF-425 report.  Questioned Costs – None. Context – This is a condition identified per review of DHS/ESA’s compliance through the OCFO team with specified requirements using a statistically valid sample. Effect – OCFO for DHS/ESA is not in compliance with the stated provisions. Without adequate internal controls to ensure reconciliation of the amounts reported for the matching requirements and other pertinent information, there is an increased risk that matching and other pertinent information will not be properly reported. 
Cause – OCFO for DHS/ESA does not appear to have adequate policies and procedures in place to ensure that the amounts reported for the matching requirement and other pertinent information are accurate and supported. Recommendation – We recommend that OCFO for DHS/ESA strengthen its policies and procedures to ensure that amounts for SNAP matching requirements and other pertinent information are properly reported and that related reports are reviewed for compliance with program requirements as well as completeness and accuracy prior to submission. Related Noncompliance – Noncompliance. Views of Responsible Officials and Planned Corrective Actions – DHS concurs with the finding. The District’s corrective action is described in the Management’s Corrective Action Plan included as Appendix B of the attached Management’s Section.

FY End: 2024-09-30
Government of the District of Columbia
Compliance Requirement: N
Finding Number: 2024-002 Prior Year Finding Number: 2023-003 Compliance Requirement: Special Tests and Provisions – ADP System for SNAP Program: U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP) Cluster ALN: 10.551, 10.561 Award #: Various Award Year: 10/01/2023 – 09/30/2024 Government Department/Agency: Department of Human Services (DHS)/ Department of Health Care Finance (DHCF) DC Access System (DCAS) Program Management Administration Criteria - The Uniform ...

Finding Number: 2024-002 Prior Year Finding Number: 2023-003 Compliance Requirement: Special Tests and Provisions – ADP System for SNAP Program: U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP) Cluster ALN: 10.551, 10.561 Award #: Various Award Year: 10/01/2023 – 09/30/2024 Government Department/Agency: Department of Human Services (DHS)/ Department of Health Care Finance (DHCF) DC Access System (DCAS) Program Management Administration Criteria - The Uniform Guidance in 2 CFR Section 200.303 requires that non-Federal entities receiving Federal awards (i.e., auditee management) establish and maintain internal control designed to reasonably ensure compliance with Federal statues, regulations, and the terms and conditions of the Federal award. Per 7 CFR Section 272.10(a), “All State agencies are required to sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information concerning SNAP.” Per 7 CFR Section 272.10(b), “In order to meet the requirements of the Act and ensure the efficient and effective administration of the program, a SNAP system, at a minimum, shall be automated in each of the following program areas (1) Certification and (2) Issuance Reconciliation and Reporting. Under Certification – States agencies must determine eligibility and calculate benefits or validate the eligibility worker’s calculations by processing and storing all casefile information necessary for the eligibility determination and benefit computation (including but not limited to all household members’ names, addresses, dates of birth, social security numbers, individual household members’ earned and unearned income by source, deductions, resources and household size). 
Also, State agencies must redetermine or revalidate eligibility and benefits based on notices of change in households’ circumstances.” Condition – The District is self-reporting findings it noted from its ongoing efforts to resolve issues with the ADP system for SNAP. The issues identified and the estimated impact follows: 1. Failure to Send Correct and Timely Notices to SNAP Households - Notices pertaining to SNAP eligibility contain incorrect information, and/or SNAP applicants and recipients fail to receive proper notices. For example, in the Federal Fiscal Year (FFY) 2018 Local Program Access Review (PAR), Food and Nutrition Service (FNS) cited that SNAP applicants did not receive a Notice of Eligibility or notice contained incorrect information, no notice of required verification, and the notice of adverse action was incorrect. 2. Untimely Processing of SNAP Applications and Periodic Reports - On October 23, 2017, FNS advised DHS that its application processing timeliness (APT) rate between October 2016 and March 2017 was 88.45%, which triggered corrective action per FNS policy. Moreover, between that last APT report and now, DHS has disclosed that it has experienced processing backlogs of varying severity and persistence to FNS via ongoing communications and as part of waiver requests. DHS also provided a report to FNS in August 2022 that indicated significant application processing backlogs. 3. Establishment of Duplicate Accounts - DHS discovered that duplicate Product Delivery Cases (PDC) were being created in DCAS. One PDC was active and the other closed, but the closed PDC was still receiving benefits. 4. Issuance of Duplicate Payment - As a result of duplicate accounts in Deficiency 3, duplicate payments may have been issued to the same household when a caseworker reactivated a closed case. 
There is also a possibility that customers who received duplicate electronic benefits transfer (EBT) cards from different EBT vendors may have received duplicate payments. 5. Failure to Implement Computer Matching System - Based on the FFY18 Program Integrity Management Evaluation (ME) review, DHS failed to process Prisoner Verification System (PVS) matches, deceased matches, and National Directory of New Hires (NDNH) matches in accordance with federal requirements. 6. Failure to Produce System Computations to Support Recipient Claims - DCAS does not have the ability to calculate overpayments or send a demand letter. FNS correspondence letters dated October 18, 2017, and September 20, 2018, advised DHS to suspend the establishment of DCAS claims but allowed DHS to continue servicing ACEDS claims. 7. Treasury Offset Program (TOP) Reporting and Maintenance Decertified - FNS conducted a TOP Technical Review in June 2021 and DHS was decertified from TOP due to the following: • Referral of customers to TOP that are undergoing recoupment. • Incorrect determination of the date of delinquency. • Incorrect debt balance and debt status in TOP. 8. Failure to Initiate Recoupment on Active Households - When DCAS launched in October 2016, more than 3,000 claim cases with outstanding balances originating from SNAP overpayments were converted from ACEDS to DCAS. Some claims were not properly converted or activated in DCAS. As a result, DHS failed to take the required recovery actions, including TOP recovery or activation of the recoupment process through EBT cards. 9. Recipient and Benefit Integrity Report Update Required - DHS must provide an update on the target completion dates for system generation of all SNAP-related reports currently being created through manual intervention. 
The plan must include the procedures for reviewing and ensuring the accuracy of the data being submitted to Food Programs Reporting System (FPRS) with particular emphasis on the FNS-209 and the FNS-366B reports. DHS experienced some technical challenges in processing and retrieving claim and recoupment information accurately since the launch of DCAS in October 2016, which affected the FNS-209 quarterly reports. The Payment and Collections Division (PCD) and the DCAS report development team have made concerted efforts to improve the ability to generate data for the reports but continue to have difficulties in verifying the accuracy of data due in part to the laborious manual processes involved. Based on the FFY 2018 Program Integrity ME review, lines 3b, 10, and 14 of the FNS-209 failed to reconcile with the detailed documentation. 10. Work Requirements Have Not Been Properly Implemented - DHS is not in compliance with the requirement to accurately report on the FNS 583. DHS is unprepared to implement the work requirement and time limit for able-bodied adults without dependents when the current suspension mandated by the Families First Coronavirus Response Act ends and/or its waiver ends. Additionally, the District is not prepared to apply the Able-Bodied Adults Without Dependents (ABAWD) time limits when their ABAWD waiver expires. 11. Failure to Analyze Client Complaints and Include in the State’s Corrective Action Plans (CAP) Where Appropriate - DHS is failing to analyze client complaints and include in the State’s CAP where appropriate, per 7 CFR 271.6(a)(3) and 275.16. 12. The SNAP Application Does Not Clearly Explain Which Questions Are Required for SNAP - FNS reviewers found that the District’s SNAP application does not provide clear directions about which questions are required for SNAP, versus Cash or Medical Assistance. For example, Step 5 of the application asks “Does anyone in your household (including non-applicants) have any income? 
Yes – complete below; No – skip to step 6 (Complete if you are applying for Food, Medical, or Cash Assistance).” The directions are confusing and may be difficult to understand. Questioned Costs – Not determinable. Context – This is a condition identified per review of DHS’ compliance with specified requirements resulting from a system implementation. Effect – Without an effectively designed and operated system in place, ineligible beneficiaries may receive benefits under the SNAP grant and DHS may make payments on behalf of those beneficiaries resulting in noncompliance with the eligibility requirements. Inaccurate beneficiary allotment payments could result in participants receiving benefits that they are not entitled to receive under the program. Cause – DHS did not effectively design and operate the ADP system for SNAP which resulted to inaccurate benefit payments. Recommendation – We recommend that DHS continue to evaluate and improve the new ADP system for SNAP to ensure that it addresses all the administration requirements of the SNAP program. Related Noncompliance – Material noncompliance. Views of Responsible Officials and Planned Corrective Actions – The DHS and DHCF DCAS team agree with the findings noted in this report. DHS self-reported these findings as part of the agency’s ongoing effort to maintain integrity with all eligibility determinations. The root cause of each of the twelve (12) case issues with the ADP system for SNAP varied. The District’s corrective action is described in the Management’s Corrective Action Plan included as Appendix B of the attached Management’s Section.

FY End: 2024-09-30
Government of the District of Columbia
Compliance Requirement: N
Finding Number: 2024-003 Prior Year Finding Number: 2023-004 Compliance Requirement: Special Tests and Provisions – EBT Card Security Program: U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP) Cluster ALN: 10.551, 10.561 Award #: Various Award Year: 10/01/2023 – 09/30/2024 Government Department/Agency: Department of Human Services (DHS)/ Office of the Chief Financial Officer/Office of Finance and Treasury (OCFO/OFT) Criteria - The Uniform Guidance in 2 CFR Se...

Finding Number: 2024-003
Prior Year Finding Number: 2023-004
Compliance Requirement: Special Tests and Provisions – EBT Card Security
Program: U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP) Cluster
ALN: 10.551, 10.561
Award #: Various
Award Year: 10/01/2023 – 09/30/2024
Government Department/Agency: Department of Human Services (DHS)/ Office of the Chief Financial Officer/Office of Finance and Treasury (OCFO/OFT)
Criteria – The Uniform Guidance in 2 CFR Section 200.303 requires that non-Federal entities receiving Federal awards (i.e., auditee management) establish and maintain internal control designed to reasonably ensure compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Per 7 CFR Section 274.8(b)(3), As an addition to or component of the Security Program required of Automated Data Processing (ADP) systems, the State agency shall ensure that the following electronic benefits transfer (EBT) security requirements are established:
(i) Storage and control measures to control blank unissued EBT cards and PINs, and unused or spare POS devices;
(ii) Measures to ensure communication access control. Communication controls shall include the transmission of transaction data and issuance information from POS terminals to work-stations and terminals at the data processing center;
(iii) Message validation;
(iv) Administrative and operational procedures;
(v) A separate EBT security component shall be incorporated into the State agency Security Program for ADP systems. The periodic risk analyses required by the Security Program shall address the following items specific to an EBT system – (B) Completeness and timeliness of the reconciliation system; and
(vi) The State agency shall incorporate the contingency plan approved by FNS into the Security Program.
Condition – OCFO/OFT for DHS are required to maintain adequate security over, and documentation/records for EBT cards, to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use. OCFO/OFT have contracted with Fidelity National Information Service (FIS) for the issuance and security of the EBT cards; however, it is OCFO/OFT’s ultimate responsibility to ensure the contractor has controls in place to maintain adequate security over, and documentation/records of EBT cards in accordance with 7 CFR Section 274.8(b)(3). During our tests of the design and implementation of internal controls and compliance requirements in accordance with 7 CFR Section 274.8(b)(3), we noted the following issues:
• For seventeen (17) out of the 60 samples, out of a population of 496 days from two EBT card centers, although both EBT Balance Sheets reconciled with the EBT Card Issuance Logs included in the package, we noted the following deficiencies:
o For fourteen (14) out of the samples, we noted various issues including (a) the ID type for identification purposes was missing, (b) the customer case number was missing, (c) the Photo ID Program Referral Form was missing, (d) the identification type was noted as referral on the EBT Intake Form, but no referral form was attached, (e) the UPO EBT Center Intake Form was not signed by staff who created the card, and (f) the EBT Card Destruction log was missing.
o For two (2) out of the samples, we noted that the required authorizations by a DHS Supervisor and eligibility staff were missing.
o For one (1) out of the samples, we noted that the EBT Card Issuance Log had a wrong date.
• In addition, for one (1) out of the 60 samples, we noted that the information on the summary reconciliation sheet did not agree to the Card Issuance Log. The summary reconciliation sheet shows 40 cards issued while the Card Issuance Log shows a total of 39 cards issued.
These exceptions resulted in the Agency not being in compliance with 7 CFR Section 274.8(b)(3).
Questioned Costs – None.
Context – This is a condition identified per review of DHS’ compliance with specified requirements using a statistically valid sample.
Effect – Without adequate internal controls to ensure compliance with EBT Card Security requirements, there is an increased risk that the inventory of EBT cards will not be properly maintained and accounted for, or that the program will not be in compliance with program requirements.
Cause – OCFO/OFT for DHS does not have adequate policies and procedures in place to ensure adequate safeguarding, documentation over issuance and monitoring of EBT cards.
Recommendation – We recommend that OCFO/OFT for DHS strengthen formal policies and procedures to maintain adequate security over, and documentation/records for EBT Cards.
Related Noncompliance – Material noncompliance.
Views of Responsible Officials and Planned Corrective Actions – The OCFO/OFT for DHS concurs with this finding. The District’s corrective action is described in the Management’s Corrective Action Plan included as Appendix B of the attached Management’s Section.

FY End: 2024-09-30
Government of the District of Columbia
Compliance Requirement: L
Finding Number: 2024-004
Prior Year Finding Number: 2023-011
Compliance Requirement: Reporting
Program: U.S. Department of the Treasury COVID-19 – Emergency Rental Assistance (ERA) Program
ALN: 21.023
Award #: N/A
Award Year: 12/27/2020 – 09/30/2025
Government Department/Agency: Department of Human Services (DHS)
Criteria – The Uniform Guidance in 2 CFR Section 200.303 requires that non-Federal entities receiving Federal awards (i.e., auditee management) establish and maintain internal control designed to reasonably ensure compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
2 CFR Section 200.302(a), Financial Management, states that each state must expend and account for the federal award in accordance with state laws and procedures for expending and accounting for the state’s own funds. In addition, the state’s and the other non-federal entity’s financial management systems, including records documenting compliance with federal statutes, regulations, and the terms and conditions of the federal award, must be sufficient to permit the preparation of reports required by general and program-specific terms and conditions; and the tracing of funds to a level of expenditures adequate to establish that such funds have been used according to the federal statutes, regulations, and the terms and conditions of the federal award.
Condition – Subrecipient expenditures, totaling approximately $29.8 million, which are required to be presented in the Schedule of Expenditures of Federal Awards (SEFA), were improperly excluded from the initial SEFA prepared by management. Subsequently, the SEFA was adjusted by DHS to reflect the subrecipient expenditures incurred for the program.
Questioned Costs – None.
Context – This is a condition identified per review of DHS’ compliance with reporting requirements.
Effect – Failure to properly review and present expenditures can result in noncompliance with reporting requirements.
Cause – DHS did not comply with their policies and procedures to ensure accuracy of the SEFA.
Recommendation – We recommend that DHS adhere to instituted policies and procedures to ensure the accuracy of the SEFA.
Related Noncompliance – Noncompliance.
Views of Responsible Officials and Planned Corrective Actions – The DHS Office of the Chief Financial Officer (OCFO) concurs with the finding. The District’s corrective action is described in the Management’s Corrective Action Plan included as Appendix B of the attached Management’s Section.

FY End: 2024-09-30
Government of the District of Columbia
Compliance Requirement: AB
Finding Number: 2024-005
Prior Year Finding Number: N/A
Compliance Requirement: Activities Allowed or Unallowed and Allowable Costs/Cost Principles
Program: U.S. Department of the Treasury COVID-19 - Homeowner Assistance Fund
ALN: 21.026
Award #: Various
Award Year: 10/01/2023 – 09/30/2024
Government Department/Agency: Department of Housing and Community Development (DHCD)
Criteria – The Uniform Guidance in 2 CFR Section 200.303 requires that non-Federal entities receiving Federal awards (i.e., auditee management) establish and maintain internal control designed to reasonably ensure compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
2 CFR Section 200.406(a) defines credits as transactions that offset or reduce direct or indirect costs allocable to a Federal award. Examples of such transactions are purchase discounts, rebates or allowances, recoveries or indemnities on losses, insurance refunds or rebates, and adjustments of overpayments or erroneous charges. To the extent that such credits accruing to or received by the recipient or subrecipient relate to allowable costs, they must be credited to the Federal award either as a cost reduction or cash refund, as appropriate.
Condition – During the review of benefit payments for the sixty (60) eligibility samples, we noted the following:
• One payment made to the utility company where it was later determined that the homeowner was not eligible when additional information became available.
• One instance where a duplicate payment was issued to the mortgage loan servicer.
• One instance where the mortgage loan servicer noted the payment was no longer needed.
For the conditions noted above, refunds are due to DHCD.
Questioned Costs – Known amount is $42,289.
Context – This is a condition identified per review of DHCD’s compliance with specified requirements using a statistically valid sample.
Effect – Without adequate internal controls in place to ensure overpayments are identified and tracked by program and accounting personnel, DHCD could be noncompliant with the requirement to refund the agency for credits.
Cause – DHCD did not have a process in place to identify and track credits.
Recommendation – We recommend that DHCD implement a control to identify and track credits, such as refunds and duplicate payments, so that these amounts can be refunded to the agency. This includes strengthening communication between the program and accounting teams to ensure an awareness of possible refunds so adjustments can be made if necessary.
Related Noncompliance – Noncompliance.
Views of Responsible Officials and Planned Corrective Actions – DHCD concurs with the findings. DHCD will review and pursue repayment from these expenditures. The District’s corrective action is described in the Management’s Corrective Action Plan included as Appendix B of the attached Management’s Section.
