Federal Agency: U.S. Department of Health and Human Services Federal Program Name: Community Project Funding/Congressionally Directed Spending ‐ Construction Assistance Listing Number: 93.493 Federal Award Identification Number and Year: 6-CE1HS52375-07 - 2023 Award Period: September 30, 2023, through September 29, 2026 Type of Finding: • Material Weakness in Internal Control over Compliance – Subrecipient Monitoring • Other Matters Criteria or specific requirement: CFR Part 200 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, §200.303 specifies that a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Condition: Evidence of subrecipient monitoring was not available for the five subrecipients selected for testing. Questioned costs: None. Context: Of the five subrecipients selected for testing, we noted that none of them had proper monitoring in place. Cause: The Association did not have internal control systems in place to adequately monitor subrecipients to ensure that the non-federal entity was in compliance with terms of the federal award. Effect: The Association could pass through federal funding to subrecipients who are not responsible or capable recipients of the funds. Funding could be used by the subrecipients in ways that are incompatible with program goals and compliance requirements. Repeat Finding: N/A. Recommendation: We recommend that the Association implement policies and procedures to ensure the performance of subrecipient monitoring and that the monitoring is formally documented and approved. Views of responsible officials: There is no disagreement with the audit finding.
Federal Agency: U.S. Department of Health and Human Services Federal Program Name: Community Project Funding/Congressionally Directed Spending ‐ Construction Assistance Listing Number: 93.493 Federal Award Identification Number and Year: 6-CE1HS52375-07 - 2023 Award Period: September 30, 2023, through September 29, 2026 Type of Finding: • Material Weakness in Internal Control over Compliance – Reporting • Other Matters Criteria or specific requirement: 2 CFR Part 200 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, §200.303 specifies that recipients must evaluate and monitor the recipient's or subrecipient's compliance with statutes, regulations, and the terms and conditions of Federal awards. This includes semiannual performance reporting requirements. Condition: Evidence of review and approval of semiannual progress reports was not available for items selected for testing. Questioned costs: None. Context: Of the two samples selected for testing, we noted that neither had proper review or approval processes in place. Cause: The Association did not have internal controls in place to ensure proper review and approval of semiannual progress reports prior to submission Effect: The Association risks submitting federal awards reports that are incomplete or not fairly presented in accordance with applicable program requirements. This could lead to inaccuracies in reported activity for the applicable reporting period. Repeat Finding: N/A. Recommendation: We recommend that the Association implement formal policies and procedures requiring the review and approval of performance, with such review and approval clearly documented. Views of responsible officials: There is no disagreement with the audit finding.
Identification of the Federal Program: U.S. Department of Health and Human Services, Health Resources and Services Administration (HRSA) Federal Agency and Program Name: Maternal and Child Health Federal Consolidated Programs (MCH) Assistance Listing #: 93.110 Award: 5 T73MC30767‐09 Award Year(s): 7/1/2024-6/30/2025 Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation): 2 CFR 200.303 requires that the non-Federal entity must “(a) establish, document and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Transparency Act) that are codified in 2 CFR Part 170, “unless the recipient is exempt as provided in paragraph d. of this award term, the recipient must report each subaward that equals or exceeds $30,000 in Federal funds for a subaward to an entity or Federal agency. The recipient must also report a subaward if a modification increases the Federal funding to an amount that equals or exceeds $30,000. All reported subawards should reflect the total amount of the subaward”. The recipient must report each subaward described to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) no later than the end of the month following the month in which the subaward was issued. Condition: During our audit, we noted 3 Federal Funding Accountability and Transparency Act (FFATA) reports, for the subaward modifications made during fiscal year 2025, were not submitted in the FSRS/SAM.gov timely. Cause: Vanderbilt University Medical Center (VUMC) did not have sufficient internal controls to ensure that the required FFATA reports were submitted timely. Effect or Potential Effect: VUMC did not submit the necessary FFATA reports under the MCH project for each first-tier subaward modifications in FSRS/SAM.gov and consequently was not in compliance with the requirements under the Transparency Act. Questioned Costs: $0 Context: Under the MCH program, there were five subrecipients that had a total of five subaward modifications in FY 2025. The three subaward modifications for which FFATA reports were not submitted timely totaled $33,853. Upon eventual submission, we did not identify any errors in the data reported. Total subrecipient’s costs are $326,025 in FY 2025. The total federal expenditures for the MCH program for FY 2025 were $5,760,179. Identification as a Repeat Finding: This is not a repeat finding. Recommendation: We recommend management strengthen its internal controls and procedures over the review of subrecipient awards and modifications to ensure the required FFATA reports are submitted timely to be in compliance with the Federal Transparency Act. Views of Responsible Officials: Management agrees with the finding and has strengthened our internal controls and procedures to ensure required FFATA reports are submitted timely in compliance with the Federal Transparency Act.
Identification of the Federal Program: Department of Homeland Security Federal Agency and Program Name: COVID-19 Disaster Grants – Public Assistance (Presidentially Declared Disasters) (FEMA) Assistance Listing #: 97.036 Pass-Through Entity: State of Tennessee Award: All FEMA Projects (Projects 435263, 550461, 684580) Award Year(s): Project 435263: 1/1/2020-7/31/2021 Project 550461: 1/1/2020-7/31/2021 Project 684580: 8/1/2020-6/30/2022 Criteria or Specific Requirement (Including Statutory, Regulatory or Other Citation): 2 CFR 200.303 requires that the non-Federal entity must “(a) establish, document and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control - Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: Management did not retain documentation over their review and approval of FEMA expenditures prior to submission in the FEMA Portal. Cause: Management represented that FEMA expenditures were reviewed and approved prior to submission; however, supporting documentation over the review and approval was not maintained. Effect or Potential Effect: Unallowable expenditures could have been charged to the federal program. Questioned Costs: $0. Context: There were three project worksheets obligated in FY2025. Management did not maintain documentation over the review and approval over the expenditures submitted to the FEMA . We selected 40 expenditures charged to FEMA, noting no instances of non-compliance. Total FEMA expenses reported on the SEFA for the year ended June 30, 2025, is $9,857,313. Identification as a Repeat Finding: This is not a repeat finding. Recommendation: We recommend Management ensure that appropriate documentation be retained over the review and approval of FEMA expenditures. Views of Responsible Officials: Management understands that additional audit evidence must be retained at a detailed enough level to allow the auditor to meet their reperformance standard. All expenses claimed were eligible and were reviewed by management prior to the submission. The control issue identified is due to the lack of evidence to support approval. Should management have a future FEMA claim we will retain additional audit evidence to enable auditor reperformance of the controls regarding approval of expenditures.
FINDING 2025-003 Subject: COVID-19 - Education Stabilization Fund - Equipment and Real Property Management Federal Agency: Department of Education Federal Program: COVID-19 - Education Stabilization Fund Assistance Listings Number: 84.425U Federal Award Number and Year (or Other Identifying Number): S425U210013 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Equipment and Real Property Management Audit Findings: Material Weakness, Modified Opinion Repeat Finding This is a repeat finding from the immediately prior audit report. The prior audit finding number was 2023-009. Condition and Context The School Corporation had not properly designed or implemented a system of internal controls, which would include appropriate segregation of duties, that would likely be effective in preventing, or detecting and correcting, noncompliance related to the Equipment and Real Property Management compliance requirement. The School Corporation made a real property purchase, 200 N Preston Street (Church Property), in the amount of $27,951 with grant funds. The Church Property was acquired in January 2024, and the expenditure was reimbursed under the ESSER III award in January 2024. The School Corporation did not maintain a capital asset ledger during the audit period, so the equipment purchased was not properly added to an asset ledger or property record. In addition, the School Corporation did not perform a physical inventory of equipment/property at least once every two years as required. The lack of internal controls and noncompliance were systemic issues throughout the audit period. INDIANA STATE BOARD OF ACCOUNTS 17 CROTHERSVILLE COMMUNITY SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.313(d) states in part: "Management requirements. Procedures for managing equipment (including replacement equipment), whether acquired in whole or in part under a Federal award, until disposition takes place will, as a minimum, meet the following requirements: (1) Property records must be maintained that include a description of the property, a serial number or other identification number, the source of funding for the property (including the FAIN), who holds title, the acquisition date, and cost of the property, percentage of Federal participation in the project costs for the Federal award under which the property was acquired, the location, use and condition of the property, and any ultimate disposition data including the date of disposal and sale price of the property. (2) A physical inventory of the property must be taken and the results reconciled with the property records at least once every two years. (3) A control system must be developed to ensure adequate safeguards to prevent loss, damage, or theft of the property. Any loss, damage, or theft must be investigated. . . ." Cause The School Corporation's management had not designed or implemented a system of internal controls that would have ensured procedures were in place so that the School Corporation would be in compliance with the provisions of the grant agreements and the Equipment and Real Property Management compliance requirement. Effect The failure to design and implement an effective system of internal controls enabled material noncompliance to go undetected. Noncompliance with the provisions of the grant agreements and the Equipment and Real Property Management compliance requirement could result in the loss of future federal funding to the School Corporation. Questioned Costs There were no questioned costs identified. INDIANA STATE BOARD OF ACCOUNTS 18 CROTHERSVILLE COMMUNITY SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Recommendation We recommended that the School Corporation's management design and implement a system of internal controls to ensure compliance with the grant agreements and the Equipment and Real Property Management compliance requirement. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2025-004 Subject: COVID-19 - Education Stabilization Fund - Earmarking Federal Agency: Department of Education Federal Program: COVID-19 - Education Stabilization Fund Assistance Listings Number: 84.425U Federal Award Number and Year (or Other Identifying Number): S425U210013 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Matching, Level of Effort, Earmarking Audit Findings: Material Weakness, Modified Opinion Condition and Context The School Corporation had not properly designed or implemented a system of internal controls, which would include appropriate segregation of duties, that would likely be effective in preventing, or detecting and correcting, noncompliance related to the Matching, Level of Effort, Earmarking compliance requirement. A portion of the ESSER III allocation is required to be set aside for learning loss. The required amount to be set aside is indicated in the ESSER III grant application. The School Corporation is responsible for monitoring each required set aside throughout the life of the grant to ensure the obligation is met. There was no oversight or review process in place to ensure monitoring of the required set aside. The School Corporation did not provide documentation to show that the set aside for the learning loss obligation was met or not met due to COVID-19 pandemic. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Section 2001(e)(1) of the ARP Act states in part: "(e) Uses of Funds--A local educational agency that receives funds under this section— INDIANA STATE BOARD OF ACCOUNTS 19 CROTHERSVILLE COMMUNITY SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) (1) shall reserve not less than 20 percent of such funds to address learning loss through the implementation of evidence-based interventions, such as summer learning or summer enrichment, extended day, comprehensive afterschool programs, or extended school year programs, and ensure that such interventions respond to students' academic, social, and emotional needs and address the disproportionate impact of the coronavirus on the student subgroups . . ." Cause Management had not developed a system of internal controls that would have ensured compliance with the grant agreement and the Matching, Level of Effort, Earmarking compliance requirement. Effect The failure to establish an effective internal control system and maintain adequate supporting documentation enabled material noncompliance to go undetected. Noncompliance with the grant agreement and the Matching, Level of Effort, Earmarking compliance requirement could result in the loss of federal funds to the School Corporation. Questioned Costs There were no questioned costs identified. Recommendation We recommended that the School Corporation's management establish an effective system of internal controls and maintain adequate supporting documentation to ensure compliance and with the grant agreement and the Matching, Level of Effort, Earmarking compliance requirement. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2025-005 Subject: COVID-19 - Education Stabilization Fund - Allowable Costs/Cost Principles Federal Agency: Department of Education Federal Program: COVID-19 - Education Stabilization Fund Assistance Listings Number: 84.425U Federal Award Number and Year (or Other Identifying Number): S425U210013 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Allowable Costs/Cost Principles Audit Findings: Significant Deficiency, Other Matters Condition and Context The School Corporation had not properly designed or implemented a system of internal controls, which would include appropriate segregation of duties, that would likely be effective in preventing, or detecting and correcting, noncompliance related to the Allowable Costs/Cost Principles compliance requirement. INDIANA STATE BOARD OF ACCOUNTS 20 CROTHERSVILLE COMMUNITY SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) A sample of 13 claims charged to the COVID-19 - Education Stabilization Fund program for which reimbursement was received during the audit period was selected for testing to verify the expenditures were in conformance with the applicable cost principles. Of the 13 claims tested, 3 were found to include unallowable costs. The description of the claims are as follows: • The School Corporation had 2 claims for supplies/building materials to build a storage building totaling $5,932. The building was not able to be completed due to the Fire Marshal's report. The School Corporation decided to not complete this project and used these materials/supplies within the School Corporation for other projects. There was no documentation presented for review to show where these materials were used; therefore, it could not be determined if the expenses were allowable. • The School Corporation had 1 claim for concrete for the storage building. The concrete pad was completed, and the building was never completed. Total cost of this claim was $3,619. There are no plans for the use of the concrete so it could not be determined if the expense was allowable. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.403 states in part: "Except where otherwise authorized by statute, costs must meet the following general criteria in order to be allowable under Federal awards: (a) Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles. (b) Conform to any limitations or exclusions set forth in these principles or in the Federal award as to types or amount of cost items. . . . (g) Be adequately documented. . . ." Cause Management had not developed a system of internal controls that would have ensured compliance with the grant agreement and the Allowable Costs/Cost Principles compliance requirement. Once the original project was discontinued no documentation was created to show how the purchased materials were used and for what purpose. INDIANA STATE BOARD OF ACCOUNTS 21 CROTHERSVILLE COMMUNITY SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Effect The failure to establish an effective internal control system and maintain adequate supporting documentation enabled noncompliance to go undetected. Noncompliance with the grant agreement and the Allowable Costs/Cost Principles compliance requirement could result in the loss of federal funds to the School Corporation. Questioned Costs There were no questioned costs identified. Recommendation We recommended that the School Corporation's management establish an effective system of internal controls and maintain adequate supporting documentation to ensure compliance with the grant agreement and the Allowable Costs/Cost Principles compliance requirement. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2025-006 Subject: Child Nutrition Cluster - Reporting Federal Agency: Department of Agriculture Federal Program: School Breakfast Program, National School Lunch Program, Summer Food Service Program for Children Assistance Listings Numbers: 10.553, 10.555, 10.559 Federal Award Numbers and Years (or Other Identifying Numbers): FY2023-2024, FY2024-2025 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Reporting Audit Finding: Material Weakness Condition and Context The School Corporation had not properly designed or implemented a system of internal controls, which would include appropriate segregation of duties, that would likely be effective in preventing, or detecting and correcting, noncompliance related to the Reporting compliance requirement. The School Corporation had not developed a system of internal controls over the reimbursement requests to ensure that the correct amounts are being requested for reimbursement in conformance with Reporting requirements. The Deputy Treasurer prepared the reimbursement requests without any oversight, review, or approval prior to submission. The lack of internal controls was a systemic issue throughout the audit period. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: INDIANA STATE BOARD OF ACCOUNTS 22 CROTHERSVILLE COMMUNITY SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Cause A proper system of internal controls was not designed by management of the School Corporation, which would include segregation of key functions. One employee was responsible for this compliance requirement, and no others were involved in any type of review or approval process. Effect Without the proper implementation of an effectively designed system of internal controls, the internal control system cannot be capable of preventing, or detecting and correcting, material noncompliance. Questioned Costs There were no questioned costs identified. Recommendation We recommended that the School Corporation's management establish an effective system of internal controls to ensure compliance with the grant agreement and the Reporting compliance requirement. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report. INDIANA STATE BOARD OF ACCOUNTS 23
FINDING 2025-002 Subject: Child Nutrition Cluster - Eligibility Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program Assistance Listings Numbers: 10.553, 10.555 Federal Award Numbers and Years (or Other Identifying Numbers): FY 23/24, FY 24/25 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Eligibility Audit Finding: Material Weakness Repeat Finding This is a repeat finding from the immediately prior audit report. The prior audit finding number was 2023-002. Condition and Context The School Corporation had not properly designed or implemented a system of internal controls, which would include appropriate segregation of duties, that would likely be effective in preventing, or detecting and correcting, noncompliance related to the eligibility determination of a child receiving meals and to the verification of free and reduced-price applications. INDIANA STATE BOARD OF ACCOUNTS 17 SILVER CREEK SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Any child enrolled in a participating school who meets the applicable program's definition of "child," may receive meals under the applicable program. In the case of the National School Lunch Program and the School Breakfast Program, children belonging to households meeting nationwide income eligibility requirements may receive meals at no charge or at reduced price. Children who have been determined ineligible for free or reduced-price school meals pay the full price, set by the School Food Authority, for their meals. Children attending SFSP meal service sites receive their meals at no charge. As a general rule, a child's eligibility for free or reduced-price meals under a Child Nutrition Cluster program may be established by the submission of an annual application or statement which furnishes such information as family income and family size. Local educational agencies, institutions, and sponsors then determine eligibility by comparing the data reported by the child's household to published income eligibility guidelines. Additionally, a child may be direct certified. For a direct certification, annual eligibility determinations are based on the child's household receiving benefits under SNAP, FDPIR, the Head Start Program (ALN 93.600), or, under most circumstances, the TANF program (ALN 93.558). A household may furnish documentation of its participation in one of these programs; or the school, institution, or sponsor may obtain the information directly from the state or local agency that administers these programs. Certain foster, runaway, homeless, and migrant children are categorically eligible for free school lunches and breakfasts. Direct certified households do not need to complete an application. The system parameters, including income guidelines, were entered by the software vendor without a documented review or oversight process by the School Corporation to ensure the parameters entered were accurate. In addition, the Food Service Director was responsible for generating and the IT Department was responsible for inputting the Direct Certification Reports into the School Corporation's software system (Infinite Campus). There was no evidence of an oversight, review, or approval process to ensure that the Direct Certification Reports were generated and input into the system correctly and periodically reviewed for updates. The lack of internal controls was a systemic issue throughout the audit period. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Cause The School Corporation's management had not developed or documented an oversight or review process to ensure that income guidelines were properly entered into the software system and the direct certification report was properly processed. INDIANA STATE BOARD OF ACCOUNTS 18 SILVER CREEK SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Effect The failure to design or implement a system of internal controls places the School Corporation at risk of noncompliance with the grant agreement and the compliance requirements. Noncompliance could result in students either receiving benefits they are not entitled to or not receiving benefits they would otherwise be entitled to. Questioned Costs There were no questioned costs identified. Recommendation We recommended that management of the School Corporation design and implement a proper system of internal controls, including policies and procedures that would provide segregation of duties to ensure appropriate reviews, approvals, and oversight are taking place regarding the input of income guidelines and direct certifications into the software system. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2025-003 Subject: COVID-19 - Education Stabilization Fund - Activities Allowed or Unallowed, Allowable Costs/Cost Principles Federal Agency: Department of Education Federal Program: COVID-19 - Education Stabilization Fund Assistance Listings Numbers: 84.425D, 84.425U Federal Award Numbers and Years (or Other Identifying Numbers): S425D210013, S425U200013 Pass-Through Entity: Indiana Department of Education Compliance Requirements: Activities Allowed or Unallowed, Allowable Costs/Cost Principles Audit Finding: Material Weakness Repeat Finding This is a repeat finding from the immediately prior audit report. The prior audit finding number was 2023-008. Condition and Context The School Corporation had not properly designed or implemented a system of internal controls, which would include appropriate segregation of duties, that would likely be effective in preventing, or detecting and correcting, noncompliance related to the Activities Allowed or Unallowed and the Allowable Costs/Cost Principles compliance requirements. INDIANA STATE BOARD OF ACCOUNTS 19 SILVER CREEK SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Reimbursement requests for the program were prepared by one employee and reviewed by another employee; however, the supporting documentation that was provided to the reviewer did not give a clear distinction as to what expenditures were included in the reimbursement. As the documentation provided was not adequate that accompanied the reimbursement request, and the reimbursement requests, as noted below, did not agree to the ledger, the reviewer could not have ensured expenses were allowed per the federal program and if the cost were in conformance with the allowable cost principles. In addition, while reviews of payroll and vendor claims took place prior to the reimbursement request being compiled, no reviewers had enough detailed information (i.e., fund being charged) or knowledge to determine if the expense was allowable from the federal award funds or was compliant with the cost principles. The lack of internal controls were systemic issues throughout the audit period for ESSER II and ESSER III. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Cause A proper system of internal controls was not designed by management of the School Corporation. Embedded within a properly designed and implemented internal control system should be internal controls consisting of policies and procedures. Policies reflect the School Corporation's management statements of what should be done to effect internal controls, and procedures should consist of actions that would implement these policies. Reimbursement requests for the program were prepared by one employee and reviewed by another employee; however, detailed supporting documentation was not provided to the reviewer to determine if the expense was allowable from the federal award funds or was compliant with the cost principles. Effect The failure to establish an effective system of internal controls could have enabled noncompliance with the grant agreement and the Activities Allowed or Unallowed and the Allowable Cost/Cost Principles compliance requirements. Questioned Costs There were no questioned costs identified. INDIANA STATE BOARD OF ACCOUNTS 20 SILVER CREEK SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Recommendation We recommended that the School Corporation's management establish a system of internal controls to ensure compliance with the grant agreement and the Activities Allowed or Unallowed and the Allowable Cost/Cost Principles compliance requirements and that sufficient detailed supporting documentation accompanies all reimbursement requests. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2025-004 Subject: COVID-19 - Education Stabilization Fund - Cash Management Federal Agency: Department of Education Federal Program: COVID - 19 - Education Stabilization Fund Assistance Listings Numbers: 84.425D, 84.425U Federal Award Numbers and Years (or Other Identifying Numbers): S425D210013, S425U200013 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Cash Management Audit Findings: Material Weakness, Other Matters Repeat Finding This is a repeat finding from the immediately prior audit report. The prior audit finding number was 2023-009. Condition and Context The School Corporation had not properly designed or implemented a system of internal controls, which would include appropriate segregation of duties, that would likely be effective in preventing, or detecting and correcting, noncompliance related to the Cash Management compliance requirement. Reimbursement requests for the program were prepared by one employee and reviewed by another employee; however, the supporting documentation that was provided to the reviewer did not give a clear distinction as to what expenditures were included in the reimbursement. As the documentation provided was not adequate that accompanied the reimbursement request, and the reimbursement requests, as noted below, did not agree to the ledger, the reviewer could not have ensured expenses were paid prior to requesting reimbursement. For 5 of 25 expenditures tested, the School Corporation was unable to provide supporting documentation traceable to the reimbursement request. There were 2 of those expenditures, totaling $1,715, that were for ESSER II's final reimbursement which requested the remainder of the grant award and expenses could not be traced to the documentation provided for the reimbursement amount. There were 3 of the expenditures, totaling $6,665, that were not traceable to an ESSER III reimbursement request. Therefore, as the expenditure could not be traced to a reimbursement request, it could not be determined if the School Corporation paid for the expense prior to requesting reimbursement. INDIANA STATE BOARD OF ACCOUNTS 21 SILVER CREEK SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Additionally, 1 of 25 expenditures tested, for $154, was an expense that occurred after the School Corporation requested reimbursement. The lack of internal controls and noncompliance were systemic issues throughout the audit period for ESSER II and ESSER III. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.305(b) states in part: "For non-Federal entities other than states, payments methods must minimize the time elapsing between the transfer of funds from the United States Treasury or the pass-through entity and the disbursement by the non-Federal entity whether the payment is made by electronic funds transfer, or issuance or redemption of checks, warrants, or payment by other means. . . . (3) Reimbursement is the preferred method when the requirements in this paragraph (b) cannot be met, when the Federal awarding agency sets a specific condition per § 200.208, or when the non-Federal entity requests payment by reimbursement. . . ." 2 CFR 200.302(b) states in part: "The financial management system of each non-Federal entity must provide for the following . . . (2) Accurate, current, and complete disclosure of the financial results of each Federal award or program in accordance with the reporting requirements set forth in §§ 200.328 and 200.329. . . ." Cause A proper system of internal controls was not designed and implemented by management of the School Corporation, which would include segregation of key functions. Embedded within a properly designed and implemented internal control system should be internal controls consisting of policies and procedures. The School Corporation had not developed any policies that would have ensured compliance or that supporting documentation would have been maintained and available for audit related to the Cash Management compliance requirement. INDIANA STATE BOARD OF ACCOUNTS 22 SILVER CREEK SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Effect The failure to retain and provide appropriate supporting documentation prevented the determination of the School Corporation's compliance with the Cash Management compliance requirement. Noncompliance with the grant agreement and the Cash Management compliance requirement could result in the loss of future federal funds to the School Corporation. Questioned Costs There were no questioned costs identified. Recommendation We recommended that the School Corporation's management establish a system of internal controls to ensure that documentation will be maintained and available for audit and comply with the grant agreement and the Cash Management compliance requirement. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
Criteria: In accordance with 2 CFR 200.303(a), a formalized system of internal control should be established, documented, and maintained to ensure that performance reporting information for each award is reliably captured and included in the applicable reports. Condition/Context: During our testing of the Reporting compliance requirement, specifically performance reporting, we noted that the Organization did not have any formal internal control procedures in place to ensure the accuracy, completeness, and timely submission of required performance reports. For the three performance reports tested, there were no documented review procedures or approvals to validate the information reported to the funding agencies. Our testing did not identify any instances of noncompliance; however, the absence of an internal control represents a breakdown in the control activities for the compliance area. Cause: Management had not implemented a formal internal control policy over the performance reporting process. Effect/Possible Effect: Failure to adequately maintain a system of internal control increases the risk of submitting inaccurate, incomplete, unsupported, or untimely reports. Questioned Costs: No questioned costs were identified as part of this finding. Repeat Finding: This is not a repeat finding. Recommendation: We recommend that the Organization design and implement formal internal control policies and procedures over the Reporting compliance requirement which includes, but is not limited to, documented preparation, review and approval of the reports and retention of supporting documents for all applicable information included within the reports. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the recommendation to design and implement formalized internal control policies and procedures specific to the Reporting compliance requirement and are in the process of doing so.
Significant Deficiency 2025-001 – Allowable Activities/Allowable Costs Federal Program Information: U.S. Department of Agriculture Passed through the State of Maine Department of Education: ALN 10.553,10.555, 10.559 & 10.579 Child Nutrition Cluster Criteria: The following CFR(s) apply to this finding: 2 CFR 200.303 Condition: During audit procedures, it was identified that the Unit did not have consistent internal controls over program expenditures. Cause: The Unit does not have the necessary internal controls over compliance. Effect: Insufficient controls could result in unallowable expenses being charged to the program and subsequently improperly reimbursed by federal funds Identification of Questioned Costs: None identified. Context: During audit procedures, 23 of the 25 disbursement samples did not have the proper approval on the invoices or supporting documents. This is not a statistically valid sample. Repeat Finding: This is not a repeat finding. Recommendation: It is recommended that the Unit develop and implement internal control policies and procedures for a consistent, documented approval process to ensure that only allowable costs are charged to the program. Views of Responsible Officials and Corrective Action Plan: Please see the Corrective Action Plan issued by the Regional School Unit No. 29.
Compliance Requirement: Activities Allowed or Unallowed and Allowable Costs/Cost Principles Information on the Major Federal Program: Federal agency: National Science Foundation (NSF) and Department of Health and Human Services – National Institute of Health (HHS-NIH) Assistance listing number: 47.076 and 93.859 Assistance listing name and award number: NSF Indigenous Climate Journalism - #42-10059-24006 and Biomedical Research and Research Training - #45-14000-24002 Award year: NSF: 09/01/2023 - 04/25/2025 HHS-NIH: 07/20/2023 - 06/30/2028 Criteria – The Uniform Guidance in 2 CFR Section 200.303, Internal Control requires that non-Federal entities receiving Federal awards (i.e., auditee management) establish and maintain internal control designed to reasonably ensure compliance with Federal statues, regulations, and the terms and conditions of the Federal award. Per 2 CFR Section 200.430 Compensation – Personal Services: “Costs of compensation are allowable to the extent that they satisfy the specific requirements of this part, and that the total compensation for individual employees: (1)Is reasonable for the services rendered and conforms to the establish written policy of thenon-Federal entity consistently applied to both Federal and non-Federal activities; (2)Follows an appointment made in accordance with a non-Federal entity’s laws and/or rules orwritten policies and meets the requirements of Federal statute, where applicable; and (3)Is determined and supported as provided in paragraph (i) of this section, Standards forDocumentation of Personnel Expenses, when applicable.” 2 CFR Section 200.430 (g): “Standards for Documentation of Personnel Expenses (1) Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed. These records must: (i)Be supported by a system of internal control that provides reasonable assurance that thecharges are accurate, allowable, and properly allocated; (ii)Be incorporated into the official records of the recipient or subrecipient; (iii)Reasonably reflect the total activity for which the employee is compensated by the recipientor subrecipient, not exceeding 100 percent of compensated activities; (iv)Encompass federally-assisted and all other activities compensated by the recipient orsubrecipient on an integrated basis but may include the use of subsidiary records as definedin the recipient's or subrecipient's written policy; (v)Comply with the established accounting policies and procedures of the recipient orsubrecipient; (vi)Support the distribution of the employee's salary or wages among specific activities or costobjectives if the employee works on more than one Federal award; a Federal award and non-Federal award; an indirect cost activity and a direct cost activity; two or more indirectactivities allocated using different allocation bases; or an unallowable activity and a direct orindirect cost activity. (vii)Budget estimates (i.e., estimates determined before the services are performed) alone donot qualify as support for charges to Federal awards.” Condition – During the fiscal year ended June 30, 2025, the Organization allocated payroll expenditures charged to the Research and Development Program (major program) based on estimated percentages of personnel time dedicated to the grant. Management did not maintain documentation evidencing that the allocation methodology and resulting payroll distributions were reviewed and approved on a timely basis during the fiscal year. Compensating controls and audit results noted include: (i) payroll costs were budgeted by program and program budgets were approved, (ii) payroll charges were reconciled to the general ledger and reviewed, and (iii) substantive testing of payroll costs charged to the major program identified no exceptions in a sample of 10 payroll transactions tested. Cause – Although the Organization has established policies and procedures intended to support and evidence review and approval of payroll allocations charged to the major program, these procedures were not performed and/or retained in a timely manner during the fiscal year. As a result, management did not maintain contemporaneous documentation supporting that payroll allocation percentages and resulting payroll distributions were reviewed and approved in accordance with the Organization’s established guidelines and applicable regulations. Effect – The lack of timely documented review and approval of payroll allocation support increases the risk that payroll costs could be inaccurately allocated to the federal award and therefore not comply with 2 CFR 200.430 requirements for documentation of personnel expenses. However, based on compensating controls and our substantive testing (no exceptions noted in a sample of 10 transactions), there are no known or likely questioned costs and no misallocations were identified in the items tested. Questioned Costs – There are no known or likely questioned costs. Context – This is a condition identified per review of the Organization’s compliance with specified requirements of the Uniform Guidance. The prevalence of this finding is detailed in the condition section above. Repeat Finding – This is not a repeat finding. Recommendation – We recommend that management ensure established policies and procedures for the timely review and approval of payroll allocation methodologies and payroll expenditures charged to the major program are consistently performed. Management should also retain documentation evidencing the review and approval (including reviewer, date, and scope of review) to demonstrate compliance with 2 CFR 200.430. Views of Responsible Officials – Management agrees with the finding. Please see appendix A for Management’s Corrective Action Plan.
FINDING 2025-002 Subject: Child Nutrition Cluster - Allowable Costs/Cost Principles Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program, Summer Food Service Program for Children Assistance Listings Numbers: 10.553, 10.555, 10.559 Federal Award Numbers and Years (or Other Identifying Numbers): 2023-2024, 2024-2025 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Allowable Costs/Cost Principles Audit Findings: Material Weakness, Other Matters INDIANA STATE BOARD OF ACCOUNTS 16 LINTON-STOCKTON SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Condition and Context The School Corporation did not have adequate procedures in place to ensure that allocation of costs related to compensation and fringe benefits of the food service director was appropriately documented. The lack of internal controls and noncompliance were systemic issues throughout the audit period. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.403 states in part: "Except where otherwise authorized by statute, costs must meet the following general criteria in order to be allowable under Federal awards: (a) Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles. (b) Conform to any limitations or exclusions set forth in these principles or in the Federal award as to types or amount of cost items. . . . (g) Be adequately documented. . . ." 2 CFR 200.430 states in part: ". . . Compensation for personal services includes all remuneration, paid currently or accrued, for services of employees rendered during the period of performance under the Federal award, including but not necessarily limited to wages and salaries. Compensation for personal services may also include fringe benefits . . . (i) Standards for Documentation of Personal Expenses (1) Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed. These records must: (i) Be supported by a system of internal control that provides reasonable assurance that the charges are accurate, allowable, and properly allocated; (ii) Be incorporated into the official records of the non-Federal entity; INDIANA STATE BOARD OF ACCOUNTS 17 LINTON-STOCKTON SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) (iii) Reasonably reflect the total activity for which the employee is compensated by the non-Federal entity, not exceeding 100% of compensated activities (for IHE, this per the IHE's definition of IBS); (iv) Encompass federally-assisted and all other activities compensated by the non- Federal entity on an integrated basis but may include the use of subsidiary records as defined in the non-Federal entity's written policy; (v) Comply with the established accounting policies and practices of the non-Federal entity (See paragraph (h)(1)(ii) above for treatment of incidental work for IHEs.); and . . . (vii) Support the distribution of the employee's salary or wages among specific activities or cost objectives if the employee works on more than one Federal award; a Federal award and non-Federal award; an indirect cost activity and a direct cost activity; two or more indirect activities which are allocated using different allocation bases; or an unallowable activity and a direct or indirect cost activity. . . ." Cause The School Corporation's Management had not developed nor implemented a system of internal controls that would have ensured that the allocation of costs are appropriately documented, and made available for audit, as it related to the grant agreement and the Allowable Costs/Cost Principles compliance requirement. Effect Without the proper implementation of an effectively designed system of internal controls, the School Corporation did not retain and provide appropriate supporting documentation to ensure compliance with allowable cost and cost principles requirements. Questioned Costs There were no questioned costs identified. Recommendation We recommended that the School Corporation's Management establish an effective system of internal controls and develop policies and procedures to ensure the allocation of costs are appropriately documented, which are to be maintained and made available for audit as related to the Allowable Cost/Cost Principles compliance requirement. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2025-003 Subject: Child Nutrition Cluster - Eligibility Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program Assistance Listings Numbers: 10.553, 10.555 Federal Award Numbers and Years (or Other Identifying Numbers): 2023-2024, 2024-2025 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Eligibility Audit Finding: Material Weakness Repeat Finding This is a repeat finding from the immediately prior audit report. The prior audit finding number was 2023-003. Condition and Context The School Corporation had not properly designed or implemented a system of internal controls, which would include appropriate segregation of duties, that would likely be effective in preventing, or detecting and correcting, noncompliance related to the eligibility determination of a child receiving meals. Eligibility Any child enrolled in a participating school who meets the applicable program's definition of "child," may receive meals under the applicable program. In the case of the National School Lunch Program and the School Breakfast Program, children belonging to households meeting nationwide income eligibility requirements may receive meals at no charge or at reduced price. Children who have been determined ineligible for free or reduced-price school meals pay the full price, set by the School Food Authority, for their meals. Children attending SFSP meal service sites receive their meals at no charge. As a general rule, a child's eligibility for free or reduced-price meals under a Child Nutrition Cluster program may be established by the submission of an annual application or statement which furnishes such information as family income and family size. Local educational agencies, institutions, and sponsors then determine eligibility by comparing the data reported by the child's household to published income eligibility guidelines. Additionally, a child may be direct certified. For a direct certification, annual eligibility determinations are based on the child's household receiving benefits under SNAP, FDPIR, the Head Start Program (ALN 93.600), or, under most circumstances, the TANF program (ALN 93.558). A household may furnish documentation of its participation in one of these programs; or the school, institution, or sponsor may obtain the information directly from the state or local agency that administers these programs. Certain foster, runaway, homeless, and migrant children are categorically eligible for free school lunches and breakfasts. Direct certified households do not need to complete an application. The system parameters, including income guidelines, were entered by the software vendor without a documented review or oversight process by the School Corporation to ensure the parameters entered were accurate. In addition, the food service management provider was responsible for processing online application eligibility in the School Corporation's software system. The Food Service Director was responsible for randomly reviewing the eligibility status of online and paper applications; however, documentation of which applications were reviewed was not maintained. Therefore, we could not determine if there was an oversight, review, or approval process to ensure that eligibility determinations were correct. INDIANA STATE BOARD OF ACCOUNTS 19 LINTON-STOCKTON SCHOOL CORPORATION SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Finally, the Food Service Director was responsible for generating and inputting the Direct Certification Reports into the School Corporation's software system. There was no evidence of an oversight, review, or approval process to ensure that the Direct Certification Reports were generated and input into the system. The lack of internal controls was a systemic issue throughout the audit period. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." Cause The system of internal controls over the review of the income eligibility guidelines saved in the system, the manual determinations of eligibility, and the direct certification uploads were not properly implemented. Documentation was not maintained that the review process occurred. Effect Without the proper design or implementation of the components of a system of internal control, including policies and procedures that provide segregation of duties and additional oversight as needed, the internal control system cannot be capable of effectively preventing, or detecting and correcting, material noncompliance. Questioned Costs There were no questioned costs identified. Recommendation We recommended that management of the School Corporation design and implement a proper system of internal control, including policies and procedures that would provide segregation of duties, to ensure appropriate reviews, approvals, and oversight are taking place. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
Finding 2025-041 AWARE – Information Security and Change Management Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to IT system security, to be issued through a separate “classified or limited use” report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department of Labor and Employment’s Division of Vocational Rehabilitation administers the federal Rehabilitation Services – Vocational Rehabilitation Grants to States [ALN 84.126] (Vocational Rehabilitation) program and relies on its Accessible Web-Based Activity and Reporting Environment (AWARE) IT system to aid with management of the program and to track expenditures. The AWARE system is a configurable, off-the-shelf (COTS) system that is managed and hosted by the Department’s third-party IT service provider, Alliance Enterprises (Alliance). Department staff access the system via a secure Web portal. Program information is stored on servers and databases managed by Alliance. Alliance developed the AWARE system specifically to meet federal requirements for Vocational Rehabilitation program services and is used by multiple states. In order for the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also includes information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details of how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security and access management. The Department has policies that define the rules for various software systems based on the Department’s needs and security requirements; and the AWARE System Security Plan (SSP), which lists security requirements and describes the controls that must be in place to ensure all the security policy requirements are met. Once policies and procedures have been formalized and communicated to responsible staff and the Department’s contractor, specific internal control activities can be implemented and operationalized. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to gain an understanding of, and determine whether the Department had designed and implemented IT general controls, specifically information security and change management controls, over the AWARE system. Our audit work consisted of inquiries to the Department to gain an understanding of these IT general control areas, along with a review of related documentation provided by the Department staff. How were the results of the audit work measured? We applied the following criteria when evaluating the design effectiveness of the IT general controls: • The Governor’s Office of Information Technology (OIT)’s Colorado Information Security Policies (Security Policies). • Federal regulations [2 CFR 200.303] require the Department to establish and maintain effective internal controls, including IT general controls, over federal awards that provide reasonable assurance that the Department is managing its federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal award. • Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office (GAO), is a leading industry internal control framework. The Office of the State Controller (OSC) has adopted the Green Book as the State’s standard for internal controls, which all state agencies must follow. Green Book, Paragraphs 3.09, Documentation of the Internal Control System, and 12.02, Documentation of Responsibilities through Policies, requires that management develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Green Book, Paragraph 12.05, Periodic Review of Control Activities, also requires that management periodically review policies and procedures for continued relevance and effectiveness in achieving the entity’s objectives or addressing related risks. If there is a significant change in an entity’s process, management should review this process in a timely manner after the change to verify that the control activities are designed and implemented appropriately. • Green Book, Paragraph 14.03, Communication throughout the Entity, prescribes that management should communicate quality information to enable personnel to perform key roles in achieving objectives, addressing risks, and supporting the internal control system. In these communications, management should assign the internal control responsibilities for key roles. What problems did the audit work identify? During Fiscal Year 2025, we identified problems with the Department’s information security and change management IT general controls for the AWARE system. Why did these problems occur? According to the Department, it is in the final stages of modernizing a new case management system that will replace its current AWARE system and, therefore, did not update its SSP or policies and procedures for AWARE during Fiscal Year 2025. Department staff indicated that they expected AWARE to be decommissioned prior to the end of Fiscal Year 2025, and therefore determined it was not feasible to update the AWARE SSP during Fiscal Year 2025 to comply with OIT’s Security Policies. However, deployment of the new system was delayed due to the Department working through the new system’s User Acceptance Testing. The Department indicated that it will develop policies for the new case management system during the modernization process, which it expects to be finalized with the decommissioning of AWARE in January 2026. Why do these problems matter? It is important for the Department to have an effective system of internal controls in place in order to meet its objectives and comply with federal requirements for the Vocation Rehabilitation program. Without an effective internal control system, the reliability of the data processed, stored, and reported on by the Department’s IT system for the Vocational Rehabilitation program can be adversely impacted. When IT policies and procedures are not maintained, updated, and communicated, Department staff, and others who are subject to the requirements and processes, may not be able to adequately manage or consistently apply IT policy requirements and processes to meet management’s objectives and expectations, respond to risks appropriately, and ensure the confidentiality, integrity, and availability of the Department’s information systems. See "Schedule of Findings and Questioned Costs" for table/chart. Recommendation 2025-041 The Department of Labor and Employment should improve its overall IT governance and information security IT general controls for the information system used for the Rehabilitation Services – Vocational Rehabilitation Grants to States program by: A. Implementing recommendation Part A as noted in the confidential finding. B. Implementing recommendation Part B as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: July 2026 The Department will implement Part A of the confidential finding. B. Agree Implementation Date: July 2026 The Department will implement Part B of the confidential finding.
Finding 2025-042 MyUI+ – IT Governance and Information Security Government Auditing Standards allow for information that is considered sensitive in nature, such as detailed information related to information technology system security, to be issued through a separate “classified or limited use” report because of the potential damage that could be caused by the misuse of this information. We consider the specific technical details of this finding, along with the response, to be sensitive in nature and not appropriate for public disclosure. Therefore, the details of the following finding and response have been provided to the Department in a separate, confidential memorandum. The Department administers the federal Unemployment Insurance (UI) program, and relies on its IT system, MyUI+, to aid with determining applicants’ eligibility for the UI program and to provide data necessary for federal reporting to the U.S. Department of Labor for the UI program. The Department is the business owner of the MyUI+ system and works with OIT and the Department’s external IT service provider to manage MyUI+. The OSC has adopted the GAO’s Green Book as the State’s standard for internal controls, which all state agencies must follow. For the Department to achieve its objectives and respond to risks, including those related to the federal programs it administers, management should establish a strong framework of internal controls that also address information system controls. Specifically, information system controls typically start with management documenting IT policies that address IT general control responsibilities and procedures that document the more granular details on how to implement Department policies. These IT general control policies and procedures should include those policies and procedures that are specific to information security, for example controls related to issuing new user credentials. Once the Department has formalized and communicated its policies and procedures to responsible staff, specific internal control activities can be implemented and operationalized. OIT has promulgated the Security Policies that apply to the Department and its systems, and outline specific business owner IT requirements with which the Department must comply. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department implemented our Fiscal Year 2024 audit recommendations related to MyUI+. As part of our recommendations, we recommended that the Department should improve its IT governance for the MyUI+ system by: • Formalizing and communicating IT procedures guidance to Department staff and the Department’s IT service provider performing IT general control activities, including a Department-defined periodic review process of OIT’s Security Policies to ensure the Department’s IT policies, procedures, and rules align with the most current version of the Security Policies. • Implementing the recommendation as noted in the confidential finding. The Department agreed with these recommendations and planned to implement them by June 2025. Our audit work consisted of assessing the design and implementation of the Department’s IT policies and procedures, through inquiry with Department staff and inspection of supporting documentation. How were the results of the audit work measured? We measured the results of our audit work against the following: • OIT Security Policies that are developed, published, and required to be followed by the Department and its external IT service providers state within the Policy section and the General Responsibilities section, specifically 8.3.1 and 8.3.2 for business owners, that all agencies, including the Department, must implement governance principles, which would include IT policies and procedures, for promoting data quality and integrity for their systems. OIT Security Policies also indicate that the Department, as the business owner for MyUI+, is responsible for following and adhering to all identified business owner requirements. • OIT Security Policies and IRS Publication 1075, Tax Information Security Guidelines for Federal State and Local Agencies. Department management stated that it aligns with IRS Publication 1075 for its systems even though MyUI+ does not contain Federal Tax Information, which is the focus of Publication 1075’s security requirements. • Federal regulations [2 CFR 200.303] require the Department to establish and maintain effective internal controls, including IT general controls, over federal awards that provide reasonable assurance that the Department is managing its federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal award. • Green Book, Paragraphs 3.09, Documentation of Internal Control System, and 12.02, Documentation of Responsibilities through Policies, states that management should develop and maintain documentation of its internal control system and document in policies the internal control responsibilities of the organization. Paragraphs 11.06 and 11.07, Design Appropriate Types of Control Activities, state that management should design appropriate types of control activities in the entity's information system, including information system general controls that facilitate the proper operation of the entity’s systems. What problems did the audit work identify? The Department did not fully implement our prior audit recommendations to improve its IT governance related to MyUI+ during Fiscal Year 2025. Specifically: • The Department took steps to implement the recommendation by beginning to formalize IT procedures for MyUI+, including those that defined a required periodic review of OIT’s Security Policies; however, the Department did not have the formalized procedures in place nor had it communicated the procedures to employees or its IT service provider by the end of Fiscal Year 2025. • We found that the Department did not fully implement the confidential prior audit recommendation during Fiscal Year 2025, which put the Department at risk for not complying with Publication 1075. Why did these problems occur? According to the Department, the review, updating, and communication process of its procedures did not occur by the end of Fiscal Year 2025 due to turnover and contract renegotiations, resulting in partial implementation of the recommendations by fiscal year end. Why do these problems matter? The lack of established IT policies and procedures make it difficult for Department management to measure and hold staff accountable for meeting management’s expectations, as well as ensuring risks are addressed and overall objectives and missions are fulfilled. Without policies and procedures, staff may not perform processes and controls in a consistent manner. The identified deficiencies increase the risk of system compromise and can affect the confidentiality, integrity, and availability of the MyUI+ system, as well as adversely impact the reliability of data that is processed, stored, and generated by the system. Additionally, if the MyUI+ information security processes and controls are not appropriately implemented and operating effectively, the Department may not be able to ensure compliance with federal requirements, OIT’s Security Policies, and Publication 1075. See "Schedule of Findings and Questioned Costs" for table/chart. Recommendation 2025-042 The Department of Labor and Employment (Department) should improve its overall IT governance and information security IT general controls, and work with its IT service provider, as applicable, for the MyUI+ information system by: A. Prioritizing staffing to complete and communicate the formalized IT procedures, including a required Department-defined periodic review process of the Colorado Information Security Policies, developed and published by the Governor’s Office of Information Technology, to Department staff and the Department’s IT service provider performing IT general control activities for MyUI+. B. Implementing recommendation Part B as noted in the confidential finding. Response Department of Labor and Employment A. Agree Implementation Date: April 2026 The Department will complete and communicate formalized IT procedures to staff and IT service providers for IT general control activities for MyUI+ by April 2026. B. Agree Implementation Date: April 2026 The Department will implement Part B of the confidential finding.
Finding 2025-043 Compliance with Reporting for Community Development Block Grant program The Department administers the federal Community Development Block Grant/State’s program and Non-Entitlement Grants in Hawaii (Community Development Block Grant or CDBG) [ALN 14.228] for non-entitlement municipalities and counties to carry out community development activities. The federal government splits the Department’s CDBG program into sub-programs related to the CARES Act (CDBG-CV), Disaster Recovery (CDBG-DR), and the Neighborhood Stabilization Program (CDBG-NSP). The CARES (Coronavirus Aid, Relief, and Economic Security) Act, enacted March 27, 2020, appropriated $5.0 billion in CDBG-CV funds to be allocated to about 1,250 states, local governments, and insular areas to fund activities to prevent, prepare for, and respond to Coronavirus. CDBG-CV and CDBG grants are a flexible source of funding that can be used to pay costs that are not covered by other sources of assistance, particularly to benefit persons of low and moderate income. The primary objective for CDBG-DR is to provide disaster relief, long-term recovery, restoration of infrastructure and housing, and economic revitalization in the most impacted and distressed areas resulting from a major disaster, declared pursuant to the Robert T. Stafford Disaster Relief and Emergency Assistance Act of 1974. The objectives of the CDBG-NSP are to: (1) stabilize property values, (2) arrest neighborhood decline, (3) assist in preventing neighborhood blight, and (4) stabilize communities across America hardest hit by residential foreclosures and abandonment. These objectives have been achieved through the purchase and redevelopment of foreclosed and abandoned homes and residential properties that allows those properties to turn into useful, safe and sanitary housing. The grants are to be considered CDBG funds. The Department is required to submit financial information electronically to the federal Housing and Urban Development (HUD) Exchange IT system on an annual basis. The Department is required to submit various reports that include the following: • Performance reports titled, Performance and Evaluation Financial Summary Reports (PR28), are required to list all of the financial activity related to the CDBG program and CDBG-CV subprogram. • Quarterly Performance Reports for the CDBG-DR program and CDBG-NSP. The Quarterly Performance Reports include the Department’s activities related to the CDBG grant for these sub-programs on a quarterly basis. The Department is also required to comply with the Federal Funding Accountability and Transparency Act of 2006 (Transparency Act or FFATA) for its CDBG awards. The Transparency Act was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards, including information about amounts passed through to subrecipients, or subawards, given to other governments or nonprofit organizations, available to the public. Federal regulations [2 CFR 200.1] define a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a federal grant award received by the pass-through entity. A subrecipient is defined in federal regulations [2 CFR 200.1] as an entity, usually but not limited to non-federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. The Department is required to submit FFATA information through the FFATA Subaward Reporting System (formerly FSRS)—the System for Award Management (SAM.gov). Once the Department submits a report to SAM.gov, the public can view information from the report, including the subrecipient’s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department’s name, and the Department’s grant award identification number. In Fiscal Year 2025, the Department made 25 CDBG subawards to 18 subrecipients totaling $10.2 million that were subject to FFATA reporting. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to identify and review the operational effectiveness of the Department’s internal controls and compliance over the federal reporting process for the CDBG program, and determine whether the reports were prepared and submitted in accordance with state and federal regulations. During our audit, we reviewed two PR28 Performance and Evaluation Financial Summary Reports—one for CDBG overall and one for the CDBG-CV sub-program filed by the Department during Fiscal Year 2025—and the related supporting documentation. We also reviewed eight Quarterly Performance Reports—four reports for each of the CDBG-DR and CDBG-NSP subprograms filed by the Department for Fiscal Year 2025—and the related supporting documentation. Additionally, we received the Department’s sub-awardee report submitted to SAM.gov for FFATA reporting for Fiscal Year 2025 for the CDBG grant and tested 7 of the 25 subawards listed on the report. We used both performance and sub-awardee reports to determine if the financial activity in these reports could be traced to the expenditures recorded within the Colorado Operations Resource Engine (CORE), the State’s accounting system, for the CDBG grant program for Fiscal Year 2025. We also performed testwork to determine if the performance and sub-awardee reports were reviewed and approved internally, submitted in a timely manner, and approved by HUD. How were the results of the audit work measured? For the CDBG program, we measured the results of our audit work against the following requirements: • As noted previously, the Department is required to submit certain financial information electronically to HUD through its HUD Exchange system on an annual basis. HUD requires that the reports be prepared in accordance with Generally Accepted Accounting Principles (GAAP). Per the federal Office of Management and Budget’s (OMB) Compliance Supplement, the various reports that the Department must submit include the following: PR28 Performance and Evaluation Financial Summary Reports for the CDBG program and CDBG-CV sub-program. This report is required to list all of the financial activity related to the CDBG program, such as the overall benefit to low- and moderate-income persons, the maximum allowable costs for administration, technical assistance, and overall planning, management and administration, and must be submitted quarterly, 30 days after the reporting period end date. Quarterly Performance Reports for the CDBG-DR program and CDBG-NSP. The Quarterly Performance Reports must cover all expenditures on the cooperative agreement from the start date of the reporting period to the reporting period end date related to the CDBG grant for these sub-programs and must be submitted on a quarterly basis. • In accordance with federal regulations [2 CFR 170, Appendix A], the Department is required to report subawards of $30,000 or more to SAM.gov by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to SAM.gov in May 2025 if it made an award or supplemental award equal to or greater than $30,000 in April 2025. • Federal regulations [2 CFR 200.303] state that recipients of federal funds must establish and maintain effective internal controls over their federal awards which provide reasonable assurance that the recipient is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. These internal controls should be in compliance with the Standards for Internal Control in the Federal Government (Green Book), published by the U.S. Government Accountability Office. Green Book states in Paragraphs 3.09 and 3.10 that management is to develop and maintain documentation of its internal control system, establishing the who, what, when, where, and why of internal control execution to personnel. What problems did the audit work identify? We identified problems in all of the Department’s reports for CDBG that we tested for Fiscal Year 2025. Specifically: • We identified issues in both of the two (100 percent) PR28 performance reports we reviewed. Specifically, we could not tie disbursement amounts for the CDBG program and CDBG-CV sub program totaling approximately $15,000 and $21.7 million, respectively, contained on the two PR28 performance reports to the Department’s accounting records. Additionally, the Department could not provide evidence that Department staff reviewed and approved the reports internally prior to submission to the federal government. • We identified issues in 7 of the 8 (88 percent) Quarterly Performance Reports we reviewed. The following table reflects quarterly amounts expended that could not be tied out for each programmatic report: See "Schedule of Findings and Questioned Costs" for table/chart. *The Department did not submit 4 of the 7 (57 percent) FFATA reports to SAM.gov within the required time period. We specifically noted that the Department submitted these four subawards to SAM.gov after the close of Fiscal Year 2025 in October 2025, which caused them to be out of compliance by up to 14 months. Why did these problems occur? The Department did not have adequate internal controls over its federal reporting processes, such as supervisory review and approval of the PR28 and FFATA reports prior to submission and publication. In addition, the Department failed to maintain adequate records of submissions and accounting support due to a lack of internal monitoring and review processes necessary for tracking report submissions and ensuring reports are submitted timely and are complete. The Department stated that the delay in the submission of the FFATA reports was due to technical difficulties experienced by the Department when the federal government switched from requiring the use of the previous FSRS system to SAM.gov on March 8, 2025. Why do these problems matter? By not providing accurate information to HUD or maintaining support for the Department’s performance reports, it is not meeting federal requirements. Further, the Department may not be addressing CDBG regulatory requirements that are intended to result in an overall benefit to lowand moderate-income persons and an overall benefit to the public. Additionally, inaccurate reporting could result in actual costs exceeding the maximum allowable costs for technical assistance, and overall planning, management and administration. By failing to report the subawards to SAM.gov in a timely manner, as required under FFATA, the Department is out of compliance with federal reporting requirements and risks federal sanctions. Additionally, by not reporting the relevant information—including subrecipient name, subrecipient Data Universal Numbering System number, amount of subaward, subaward obligation/action date, date of report submission, subaward number, subaward project description, subrecipient names, and compensation of highly compensated officers—the Department is failing to meet the federal intent of transparency for federal program spending. Furthermore, the Department not maintaining documentation of the review and approval of its federal reports can lead to a lack of accountability, making it difficult to verify compliance and potentially resulting in further scrutiny or penalties from federal oversight bodies. See "Schedule of Findings and Questioned Costs" for table/chart. Recommendation 2025-043 The Department of Local Affairs should strengthen its internal controls over federal reporting for its Community Development Block Grant/State’s program and Non-Entitlement Grants in Hawaii, including the Federal Funding Accountability and Transparency Act (FFATA) reporting, and ensure that its reporting meets federal requirements by: A. Ensuring that FFATA reporting occurs as required for subawards of $30,000 or more in the System for Award Management, SAM.gov, by the end of the month following the month the subawards are made. B. Documenting and implementing internal monitoring policies and procedures, including the performance of reconciliations of reports, to ensure that the required Performance and Evaluation Financial Summary Reports (PR28) and Quarterly Performance Reports are accurate and complete. This should include maintaining documentation of evidence of the review and approval of each report prior to its submission to the federal government. Response Department of Local Affairs A. Agree Implementation Date: April 2026 The Department will strengthen its internal controls over federal reporting by implementing policies and procedures that include a monitoring process to ensure that FFATA reporting occurs as required for subawards of $30,000 or more in SAM.gov by the end of the month following the month the subawards are made. B. Agree Implementation Date: April 2026 The Department will document and implement internal monitoring policies and procedures, including the performance of reconciliations of reports, to ensure that the required PR28 and Quarterly Performance Reports are accurate and complete. This will include maintaining documentation of evidence of the review and approval of each report prior to its submission to the federal government.
Finding 2025-044 Compliance with Activities Allowed or Unallowed and Allowable Costs/Cost Principles for the Coronavirus Capital Projects Fund The Department administers the federal Coronavirus Capital Projects Fund program (CCPF) [ALN 21.029] for non-entitlement municipalities, counties, and subcontractors to carry out capital development and infrastructure activities related to increasing awareness, education, and monitoring of the Coronavirus emergency by developing broadband infrastructure. Examples of activities related to CCPF include the development of fiber-optic broadband infrastructure and investments in improving broadband infrastructure within a municipality, addressing affordability and access to broadband infrastructure, and the development and improvement of buildings that directly enables work related to the education and monitoring of the Coronavirus emergency. The Department’s accounting section records all financial transactions within CORE and must ensure the accurate reporting of federal award expenditures and reimbursements and maintain adequate supporting documentation related to transactions recorded in CORE. The Department’s accounting section is also responsible for providing information through the submission of exhibits to the Office of the State Controller (OSC) to assist in preparation of the State’s financial statements, required note disclosures, and the State’s Schedule of Expenditures of Federal Awards (SEFA). For Fiscal Year 2025, the Department reported $33.7 million in expenditures for CCPF. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to review the Department’s internal controls over the CCPF payment processes and to determine whether payments were processed and paid in accordance with state regulations and federal “allowable cost” requirements during Fiscal Year 2025. As part of our audit work, we obtained from the Department the Fiscal Year 2025 expenditures listing for CCPF, comprised of eight transactions. We tested five transactions as part of our testing of the Department’s compliance with federal allowable cost requirements for the CCPF program. We also reviewed the Department’s Exhibit K1, Schedule of Federal Assistance, which it submitted to the OSC for Fiscal Year 2025 year-end reporting, and the related supporting documentation, including CORE transaction detail for revenues and expenditures associated with CCPF, to determine whether Department accounting staff prepared the exhibit in accordance with the OSC’s Fiscal Procedures Manual (Manual), and to determine whether the Exhibit K1 was accurate and complete. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: • Federal regulations [2 CFR 200.403] require that costs under federal awards must be necessary, reasonable, and allocable; conform to any limitations or exclusions; be consistent with policies and procedures; receive consistent treatment; adhere to GAAP; not be used for cost sharing of other programs; and be adequately documented. • Federal regulations [2 CFR 200.302] require that recipients must expend and account for the federal award in accordance with State laws and procedures for expending and accounting for the State’s funds. All recipients’ financial management systems, including records documenting compliance with federal statutes, regulations, and the terms and conditions of the federal award, must be sufficient to permit the preparation of reports required by the terms and conditions; and tracking expenditures to establish that funds have been used in accordance with federal statutes, regulations, and the terms and conditions of the federal award. • The OSC’s Manual contains instructions for the completion of exhibits. Specifically, the Exhibit K1 is used to report federal expenditure information to the OSC for inclusion in the State’s SEFA. • Federal regulations [2 CFR 200.303] state that each recipient of federal funds must establish and maintain effective internal controls over its federal awards, which provide reasonable assurance that the recipient is managing its federal grants in compliance with federal statutes, regulations, and the award terms and conditions. The OSC has adopted the Green Book as the State’s standard for internal controls, which all state agencies must follow. Green Book, Paragraphs 3.09 and 3.10, states that management is to develop and maintain documentation of its internal control system, establishing the who, what, when, where, and why of internal control execution to personnel. What problem did the audit work identify? Through our audit testwork, we identified an error with 1 of the 5 expenditures (20 percent) tested. Specifically, the Department recorded the expenditure transaction, which totaled $3,266,662, twice in CORE. Further, because CORE is programmed to automatically record earned federal revenue when a federal expenditure is recorded, the Department also recorded federal revenue in CORE to match the duplicate federal expenditure. As a result, the Department overstated both revenues and expenditures for CCPF by $3,266,662. In addition, the Department overstated its Fiscal Year 2025 CCPF expenditures on its Exhibit K1 by $3,266,662. After we notified Department staff of the errors, they provided a corrected Exhibit K1 to the OSC. The Department passed on correcting the overstated expenditures and revenues in CORE because, based on discussions with the auditors, the amount was not material. Why did this problem occur? The Department lacked sufficient internal controls during Fiscal Year 2025 over its financial management and federal allowable cost compliance requirements for the CCPF program. Specifically, the Department lacked sufficient training over the calculation of its year-end accrued liabilities. The Department incorrectly calculated and recorded the year-end accrual entry in CORE, and lacked adequate internal review processes, including a supervisory review process, to ensure the program’s accrued expenditures—and ultimately amounts reported on the Exhibit K1—were accurate and complete. Why does this problem matter? By failing to have strong internal controls over the recording and monitoring of federal expenditures and revenues, the Department cannot ensure that financial records are accurate, complete, and recorded in a timely manner. Internal review and approval processes reduce the risk of material misstatements affecting federal awards. Additionally, insufficient controls over federal program requirements can lead to a lack of accountability, making it difficult to demonstrate compliance and potentially resulting in further scrutiny or penalties from federal oversight bodies. Finally, failing to properly report expenditures of federal funds on its Exhibit K1, if uncorrected, could cause the State’s overall SEFA to be inaccurate and out of compliance with federal regulations. See "Schedule of Findings and Questioned Costs" for table/chart. Recommendation 2025-044 The Department of Local Affairs should strengthen its internal controls over the financial management of federal Coronavirus Capital Projects Fund grant expenditures by implementing an adequate supervisory review process and training for staff over year-end estimates/accruals to ensure transactions are accurately recorded in the Colorado Operations Resource Engine (CORE), the State’s accounting system; and that the Exhibit K1, Schedule of Federal Assistance, is accurate and complete. Response Department of Local Affairs Agree Implementation Date: April 2026 The Department of Local Affairs (Department) agrees with the recommendation to strengthen internal controls over the financial management of federal Coronavirus Capital Projects Fund grant expenditures and the accuracy and completeness of the Exhibit K1, Schedule of Federal Assistance. The Department will develop a corrective action plan that includes enhanced procedures for the performance of year-end estimates/accruals. The Department will create and implement staff training for staff that are responsible for preparing and reviewing the estimates/accruals, the Exhibit K1, grant transactions and enhancements.
Finding 2025-045 Compliance with Reporting for Immunization Cooperative Agreements – FFATA Reporting The Department is required to comply with the Federal Funding Accountability and Transparency Act of 2006 (Transparency Act or FFATA) for its Immunization Cooperative Agreements program [ALN 93.268] (Program). The Transparency Act was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public, including information about amounts passed through to subrecipients. The Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations, also referred to as subrecipients. Federal regulation [2 CFR 200.1] defines a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a federal grant award received by the pass-through entity. A subrecipient is defined in federal regulation [2 CFR 200.1] as an entity, usually but not limited to non-Federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other Federal awards directly from a federal awarding agency. The Department is required to submit FFATA information through the federal government’s System for Award Management website, SAM.gov. Once the Department submits a report to SAM.gov, the public can view information from the report, including the subrecipient’s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department’s name, and the Department’s grant award identification number. In Fiscal Year 2025, the Department reported $112.0 million in total Program expenditures. Of this amount, the Department issued $15.8 million in subawards under the Program. The Department had 70 subrecipients with subawards for which it was required to submit FFATA information through SAM.gov during the fiscal year. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had adequate internal controls over and complied with FFATA reporting requirements for the Program during Fiscal Year 2025. As part of our audit work, we requested the Department’s policies and procedures over FFATA reporting and a list of all subrecipients for the Program during Fiscal Year 2025. We also inquired with Department staff about its internal control processes related to FFATA reporting. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: In accordance with federal regulations [2 CFR 170, Appendix A], the Department is required to report subawards of $30,000 or more to SAM.gov by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to SAM.gov in May 2025 if it made an award or supplemental award equal to or greater than $30,000 in April 2025. Federal regulations [2 CFR 200.303] require the Department to establish and maintain effective internal controls over federal awards that provide reasonable assurance that the Department is managing its federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal award. The Department’s policies and procedures related to FFATA reporting state that its grants accountant is responsible for performing monthly FFATA reporting. What problem did the audit work identify? We determined that the Department did not comply with FFATA reporting requirements for the Program during Fiscal Year 2025. Specifically, the Department did not submit any FFATA reports to SAM.gov for the Program’s subawards issued during Fiscal Year 2025 and, as a result, did not report approximately $15.2 million in subawards for Fiscal Year 2025. Why did this problem occur? The Department did not have adequate internal controls over federal reporting requirements in place for the Program during Fiscal Year 2025. Specifically, the Department’s existing policies and procedures were not detailed enough to ensure that FFATA reporting was completed in accordance with federal requirements. The procedures in place designated one individual who was responsible for the FFATA reporting process, but did not include procedures to identify when FFATA reporting was required for subawards or to ensure that appropriate reporting was completed when required. Additionally, the Department’s procedures did not include any secondary review process over FFATA reporting or a process to ensure that FFATA reporting had been completed as required. Why does this problem matter? By failing to properly report FFATA subawards through SAM.gov, the Department is out of compliance with federal reporting requirements, risks federal sanctions, and does not meet the federal intent of transparency for federal program spending. See "Schedule of Findings and Questioned Costs" for table/chart. Recommendation 2025-045 The Department of Public Health and Environment should strengthen its internal controls over, and ensure it complies with, the Federal Funding Accountability and Transparency Act of 2006 (FFATA) reporting requirements for its Immunization Cooperative Agreements program. This should include updating its existing policies and procedures to include a monthly review of all subawards in order to identify those required to be reported each month and a secondary review process of the FFATA reports and submissions to ensure that FFATA reporting has been completed as required. Response Department of Public Health and Environment Agree Implementation Date: July 2026 CDPHE fiscal procedures have been updated to reflect changes to the reporting process, specifically noting the recent federal website change and adding the requirement of a secondary level of review. By July 31, 2026, all outstanding FFATA reports will be filed with the federal government and the monthly review process in the updated fiscal procedures will be implemented.
Finding 2025-047 Compliance with Reporting for the Highway Safety Cluster The Department is required to comply with the Federal Funding Accountability and Transparency Act of 2006 (Transparency Act or FFATA) for its Highway Safety Cluster programs, specifically the State and Community Highway Safety [ALN 20.600] and National Priority Safety Programs [ALN 20.616] (Programs). The Transparency Act was created to empower Americans with the ability to hold the government accountable for each spending decision and, as a result, to reduce wasteful spending by the government. The Transparency Act requires the federal government to make certain information on federal awards available to the public, including information about amounts passed through to subrecipients. The Department is required to report information about subgrants, or subawards, given to other governments or to nonprofit organizations (also referred to as subrecipients). Federal regulation [2 CFR 200.1] defines a subaward as an award provided by a pass-through entity, in this case the Department, to an entity to carry out part of a federal grant award received by the pass-through entity. A subrecipient is defined in federal regulation [2 CFR 200.1] as an entity, usually but not limited to non-federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A subrecipient may also be a recipient of other federal awards directly from a federal awarding agency. The Department is required to file FFATA reports through the System for Award Management website, SAM.gov. Once the Department submits a report to SAM.gov, the public can view certain information from the report, including the subrecipient’s name, subaward identification number, subaward obligation/action date, subaward amount, federal awarding agency and subagency, the Department’s name, and the Department’s grant award identification number. In Fiscal Year 2025, the Department reported approximately $12.9 million in total for the Programs’ expenditures. Of this amount, the Department issued about $6.8 million in subawards under the Programs. The Department had 70 subrecipients with subawards it was required to submit FFATA information for through SAM.gov during the fiscal year. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine whether the Department had adequate internal controls over and complied with FFATA reporting requirements for the Highway Safety Cluster Programs during Fiscal Year 2025. Another purpose of our audit work was to determine whether the Department implemented our Fiscal Year 2024 audit recommendations to strengthen its internal controls over and to ensure it complies with FFATA reporting requirements for the Highway Safety Cluster Programs. The Department agreed with these recommendations and planned to implement them by June 2025. As part of our audit work, we selected 24 Fiscal Year 2025 subrecipient expenditure transactions out of a total of 70 subrecipient transactions for which FFATA reporting was required for these Programs. We obtained copies of the FFATA reports that the Department uploaded to SAM.gov and obtained subaward agreements and purchase orders for each sample. We compared the Department’s subaward information to the information the Department submitted to SAM.gov to determine whether the Department reported accurate information. In addition, we performed testwork to determine whether the Department submitted the FFATA reports within the month following the month it made the subaward, as required by federal regulations. We also tested the Department’s progress in implementing our prior audit recommendations by reviewing their updated policies and procedures. How were the results of the audit work measured? We measured the results of our audit work against the following: • Federal regulations [2 CFR 170] require direct recipients of federal grants to report subawards of $30,000 or more to SAM.gov by the end of the month following the month in which the award was made. For example, the Department would have to submit a FFATA report to SAM.gov in May 2025 if an award or supplemental award equal to or greater than $30,000 was made in April 2025. Federal regulations [2 CFR 200.303] require the non-federal entity—in this instance the Department—to establish and maintain effective internal controls over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. • Federal regulation [2 CFR 200.332 (a)(1)] states that the Department’s subawards must clearly identify certain information, including but not limited to, the unique entity identifier, the Assistance Listing Number, the federal award date, and the federal award identification number. What problem did the audit work identify? Based on our audit work, we determined that the Department did not fully comply with FFATA reporting requirements for the Programs during Fiscal Year 2025 and did not fully implement our prior audit recommendations. Of the 24 subaward reports selected for testing, we identified issues on 5 subaward reports (21 percent). Specifically, we identified the following issues: • The Department was unable to provide documentation demonstrating that two subaward FFATA reports related to Fiscal Year 2024 awards had been submitted in SAM.gov. These submissions could not be located in SAM.gov. The amount of the subawards not submitted was $375,553. We further noted that these two reports had still not been submitted during Fiscal Year 2025. • For three subawards totaling $771,258, the Department did not maintain adequate documentation to support the amounts reported in SAM.gov. Specifically, the Department reported amounts of $537,573 for the three subawards, which did not agree to the Department’s subaward records, and represented a difference of $233,684. In addition, the Department did not meet the required FFATA reporting timelines for these subawards. Specifically, one subaward was reported 271 days late and two were reported 301 days late. Why did this problem occur? The Department did not have adequate internal controls in place related to FFATA reporting for the Highway Safety Cluster during Fiscal Year 2025 that ensured that reporting occurred as required for subawards of $30,000 or more in SAM.gov by the end of the month following the month the subawards are made. The Department implemented policies and procedures related to FFATA reporting during the fiscal year; however, Department staff indicated that staff were still being trained on these new procedures. In addition, the Department did not have procedures in place to ensure that, when an unsubmitted FFATA report is identified, the report is subsequently filed in SAM.gov, even if the submission is late. Why does this problem matter? By failing to properly report FFATA subawards through SAM.gov, the Department is out of compliance with federal reporting requirements, risks federal sanctions, and does not meet the federal intent of transparency for federal program spending. See "Schedule of Findings and Questioned Costs" for table/chart. Recommendation 2025-047 The Department of Transportation (Department) should strengthen its internal controls over and ensure it complies with Federal Funding Accountability and Transparency Act (FFATA) reporting requirements for the Highway Safety Cluster by: A. Ensuring that FFATA reporting occurs as required for subawards of $30,000 or more by the end of the month following the month the subawards are made and, if an unsubmitted FFATA report is identified, subsequently filing the report as soon as possible through SAM.gov, even if the submission is late. B. Providing training to Department staff to follow FFATA reporting policies and procedures. C. Ensuring Department staff follow the Department’s FFATA policies and procedures to ensure that FFATA reports are accurate and complete. Response Department of Transportation A. Agree Implementation Date: June 2026 The Department agrees with the recommendation. The Department will review, assess, and, where necessary, update existing procedures for FFATA reporting relating to the requirement that state subawards for $30,000+ be submitted within 30 days of committed budget. This will include ensuring that the confirmation date is documented. This process will be a coordinated effort between the Office Transportation Safety (OTS) and the Center for Accounting. This will include updating our reconciliation process to include additional data, reviewing and updating reconciliation and review procedures as needed, and reconciling Grants awarded in prior fiscal years that are still active and ensuring they have been appropriately reported. The findings related to this recommendation are in part the result of a federal reporting system limitation, and a federal system conversion. The legacy reporting system, FSRS, had a system limitation, which prevented the full amount of the award being reported in the case of three awards. Additionally, this conversion resulted in some data conversion issues impacting one additional award B. Agree Implementation Date: June 2026 The Department agrees with this finding and will provide any training needed to staff members to ensure that all components of the FFATA are completed accurately, timely and with proper reviews. This training will include leadership reviewing NHTSA/Federal guidelines and SAM.Gov training on FFATA reporting and requirements, documenting controls and ensuring the approvers have access to all supporting schedules, forms and systems and that they understand the subawards, and process for late submissions if needed. C. Agree Implementation Date: June 2026 The Department agrees with the finding and will ensure that staff follow all internal policies and procedures to maintain accurate and complete FFATA reporting. To achieve this, staff will review existing procedures and make any necessary updates regarding report compilation. Additionally, we will review control points to ensure they are consistently followed and approved by the team supervisor or team manager.
The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Transportation (Department) in the previous year and has not been remediated as of June 30, 2025 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Disposition of Prior Audit Recommendations of this report. Finding 2024-058 Compliance with Subrecipient Monitoring for the Formula Grants for Rural Areas and Tribal Transit Program, Highway Safety Cluster, and SLFRF The Department receives federal grant funds directly from the federal government for the Formula Grants for Rural Areas and Tribal Transit Program, Highway Safety Cluster, and the Coronavirus State and Local Fiscal Recovery Funds (SLFRF) program and then subgrants, or passes through, a portion of the funds to cities and counties and other organizations that are considered to be either a subrecipient or a contractor. For Fiscal Year 2024, the Department had the following transactions that were subject to subrecipient monitoring testing: • Formula Grants for Rural Areas and Tribal Transit Program – 783 subrecipient transactions totaling $23,075,270. • Highway Safety Cluster – 829 subrecipient transactions totaling $5,669,865. • SLFRF – 232 subrecipient transactions totaling $38,321,493. For the SLFRF program, Intergovernmental Agreements are executed between the Department and subrecipients to communicate all relevant federal award information. For both the Formula Grants for Rural Areas and Tribal Transit Program and Highway Safety Cluster, Subaward Agreements (subawards) are executed between the Department and subrecipients to communicate all relevant federal award information. Intergovernmental Agreements and subawards are signed by authorized State personnel, generally the State Controller and the Department’s Chief Engineer. The Department includes a “Subrecipient Risk Assessment” tool with its Intergovernmental Agreements or subawards, which must be completed by Department staff prior to making the award. The Department’s subrecipient monitoring procedures are dependent on the assessed risk level noted in the Subrecipient Risk Assessment tool. Federal regulations [2 CFR Part 200 Section F] state that a non-federal entity that expends $1,000,000 or more in federal awards during the non-federal entity’s fiscal year must have a Single Audit conducted in accordance with 2 CFR 200.514. The Department’s Internal Audit Division staff tracks and receives Single Audit reports from its subrecipients. As part of the Department’s monitoring procedures, the Internal Audit Division personnel complete a “Single Audit Report Review Summary” form to show they reviewed the subrecipient’s Single Audit report, summarized any findings, and concluded on any risks presented to the Department and any related future actions to be taken. The form is signed by a Department preparer and a Department reviewer. For those subrecipients not required to file a Single Audit, an “Audit Division Single Audit Certification Form” must still be submitted by the subrecipients to the Department. These forms note that the entity was exempt from a Single Audit. What was the purpose of our audit work and what work was performed? The purpose of our audit work was to determine if the Department complied with federal requirements for subrecipient monitoring during Fiscal Year 2024 for the Formula Grants for Rural Areas and Tribal Transit Program, Highway Safety Cluster, and the SLFRF program and to determine whether the Department had adequate internal controls over subrecipient monitoring. As part of our audit work, we reviewed the Department’s internal controls over compliance for subrecipient monitoring and tested the Department’s compliance with federal subrecipient monitoring requirements. Specifically, we performed the following testwork related to each of the following federal programs: • Formula Grants for Rural Areas and Tribal Transit Program—We selected and reviewed a random sample of 40 subrecipient payment transactions. We reviewed subawards, amendments, and other supporting documentation provided by the Department. • Highway Safety Cluster—We selected and reviewed a random sample of 40 subrecipient payment transactions. We reviewed subawards, amendments, and other supporting documentation provided by the Department. • SLFRF—We selected and reviewed a random sample of 29 subrecipient payment transactions. We reviewed Intergovernmental Agreements, amendments, and other supporting documentation provided by the Department. How were the results of the audit work measured? Our audit work was designed to measure the Department’s compliance with the following criteria: • Federal regulation [2 CFR 200.303] states that the Department, as a federal grant recipient, must “establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.” • Federal regulation [2 CFR 200.332 (a)(1)] states that the Department’s subawards must clearly identify certain information, including but not limited to, the ALN, the Federal Award Date, and the FAIN. • Federal regulation [2 CFR 200.331] states that a pass-through entity, in this case the Department, must make case-by-case determinations as to whether each agreement it makes for the disbursement of federal program funds represents a payment of funds to a subrecipient or a contractor, depending on the role the entity plays. What problems did the audit work identify? We determined that the Department did not fully comply with subrecipient monitoring requirements during Fiscal Year 2024. Specifically, we noted the following: • Formula Grants for Rural Areas and Tribal Transit Program o For 10 of 40 (25 percent) subrecipient payment transactions selected for testing, we determined the subaward documents did not contain the federal award date in the subaward agreement, as required. The 10 transactions totaled $7,432,248 in subrecipient awards. • Highway Safety Cluster o For 1 of 40 (3 percent) subrecipient payment transactions selected for testing, we determined that the subrecipient should have been classified as a contractor, not a subrecipient. The transaction totaled $75,325. The Department had not made an adjusting entry in CORE to reclassify the transaction and correct this error by the end of our audit testwork. o For 5 of 40 (13 percent) subrecipient payment transactions selected for testing, we determined the subaward documents did not contain the federal award date in the subaward agreement. The 5 transactions totaled $25,100 in subrecipient awards. • SLFRF o For 2 of 29 (7 percent) subrecipient payment transactions selected for testing, we determined that the Intergovernmental Agreement did not include the FAIN and Federal Award Dates. The 2 transactions totaled $3,277,779 in subrecipient awards. o For 1 of 29 (3 percent) subrecipient payment transactions selected for testing, we determined the transaction did not include the ALN. This transaction totaled $1,851,279 in subrecipient awards. Why did these problems occur? The Department’s procedures and internal controls were not sufficient to ensure that Intergovernmental Agreements and subawards included all the required information to be included in the subaward, and internal controls did not prevent or detect errors. Department staff were not aware that this information was needed for the subaward to be in compliance with federal regulations. In some situations, the FAIN was only provided to the Department from the U.S. Department of Transportation subsequent to when the subaward was made. In these instances, the Department was not aware that they were required to provide the FAIN to their subrecipients once it was determined by the U.S. Department of Transportation. The Department’s procedures and internal controls were not sufficient to ensure that payments were properly classified as general disbursements or subrecipient payments, and internal controls did not prevent or detect errors. Department staff lacked the appropriate knowledge of the difference in contractors and subrecipients to ensure the proper classification of expenditures. The Department’s reviewers did not complete a sufficient review of the expense classifications to be able to identify the misclassification and propose a subsequent correction. Why do these problems matter? Based on the issues we identified, the Department is out of compliance with federal subrecipient requirements and could face sanctions or other penalties. In addition, by failing to properly report the required federal grant award information at the time of subaward issuance, subrecipients may be uninformed about what funding the subaward related to. This could result in misclassification of subaward information on the subrecipients’ Schedules of Expenditures of Federal Awards (SEFA) and the subrecipient may not know what federal requirements they need to follow as part of receiving the federal award funds. The Department’s improper classification of expenses as general disbursements versus subrecipient payments could lead to misstatements in the amounts reported on the SEFA, both for the State as a whole and at the subrecipient level. See "Schedule of Findings and Questioned Costs" for chart/table. Recommendation 2024-058 The Department of Transportation (Department) should strengthen its internal controls over and ensure that it complies with federal subrecipient monitoring requirements for the Formula Grants for Rural Areas and Tribal Transit Program, the Highway Safety Cluster, and the Coronavirus State and Local Fiscal Recovery Funds. Specifically, the Department should ensure that all required information is included in subawards or intergovernmental agreements or provide amendments to the subawards or intergovernmental once the Department receives the necessary information from the federal government, and that Department staff are sufficiently aware of the difference in subrecipients and contractors and properly classify general disbursements versus subrecipient payments. Response Department of Transportation Agree Implementation Date: June 2026 Department will strengthen controls to ensure that the required award information is provided, once available. Certain information such as Federal Award Identification Number and Federal Transit Administration and National Highway Traffic Safety Administration award date are not available at the time of contracting CDOT is working on a process to provide this information, once it is available in a publicly available format on CDOT’s website or on a subrecipient facing grant management site. We will add a note to the contract explaining where the information will be posted on our site when it becomes available. The Department will also identify staff requiring additional training on classification and coding for contractors vs. subrecipients.
FINDING 2025-003 Subject: Special Education Cluster (IDEA) - Procurement and Suspension and Debarment Federal Agency: Department of Education Federal Programs: COVID-19 - Special Education Grants to States, COVID-19 - Special Education Preschool Grants Assistance Listings Numbers: 84.027X, 84.173X Other Identifying Numbers: 22611-042-ARP, 22619-042-ARP Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Findings: Material Weakness, Modified Opinion Condition and Context The School Corporation is a member of the Northeast Indiana Special Education Cooperative (Cooperative). During fiscal year 2023-2024, the Cooperative operated the special education program and spent the federal money on behalf of all its members. As the grant agreement was between the Indiana Department of Education (IDOE) and each member school, the School Corporation was responsible for ensuring and providing oversight of the Cooperative. The School Corporation did not have internal controls in place to ensure that the Cooperative complied with the Procurement and Suspension and Debarment compliance requirement. The Cooperative did not have adequate procedures in place to ensure that the requirements for the simplified acquisition threshold and for small purchases were met for each applicable procured good or service or to ensure that vendors were not suspended or debarred prior to entering into a covered transaction. Procurement When the value of the procurement for property or services exceeds the simplified acquisition threshold (SAT), or a lower threshold established by a nonfederal entity, formal procurement methods are required. The SAT is typically set at $250,000. However, Indiana Code 5-22-8 has a more restrictive threshold. Therefore, the SAT threshold is set at $150,000. Formal procurement methods require adherence to documented procedures and formal methods such as sealed bids or proposals. When the purchase value exceeds the micro-purchase threshold but is less than the simplified acquisition threshold, a small purchase occurs. Small purchases require documented full and open competition or a documented rationale for limited competition. For 2023-2024, three vendors with disbursements totaling $175,125 were identified as being less than the simplified acquisition threshold of $150,000 but exceeding the $50,000 micropurchase threshold and were selected for testing. The Cooperative did not obtain price or rate quotes for two of the three vendors, and there was no documentation detailing the history of the procurement, which must include the reason for the procurement method used. INDIANA STATE BOARD OF ACCOUNTS 18 SMITH-GREEN COMMUNITY SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Suspension and Debarment Prior to entering into subawards and covered transactions with federal award funds, recipients are required to verify that such contractors and subrecipients are not suspended, debarred, or otherwise excluded. "Covered transactions" include, but are not limited to, contracts for goods and services awarded under a nonprocurement transaction (i.e., grant agreement) that are expected to equal or exceed $25,000. The verification is to be done by checking the SAM exclusions, collecting a certification from that vendor, or adding a clause or condition to the covered transaction with that vendor. Upon inquiry of the Cooperative in order to review the procedures in place for verifying that a vendor with which it plans to enter into a covered transaction is not suspended, debarred, or otherwise excluded, the Cooperative disclosed there were not any documented internal controls or procedures. Nine covered transactions were identified. The covered transactions, totaling $803,836, were selected for testing. The Cooperative did not verify the suspension and debarment status of the tested vendors prior to payment. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.320 states in part: "The non-Federal entity must have and use documented procurement procedures, consistent with the standards of this section and §§ 200.317, 200.318, and 200.319 for any of the following methods of procurement used for the acquisition of property or services required under a Federal award or sub-award. (a) Informal procurement methods. When the value of the procurement for property or services under a Federal award does not exceed the simplified acquisition threshold (SAT), as defined in § 200.1, or a lower threshold established by a non-Federal entity, formal procurement methods are not required. The non-Federal entity may use informal procurement methods to expedite the completion of its transactions and minimize the associated administrative burden and cost. The informal methods used for procurement of property or services at or below the SAT include: . . . (2) Small purchases — (i) Small purchase procedures. The acquisition of property or services, the aggregate dollar amount of which is higher than the micro-purchase threshold but does not exceed the simplified acquisition threshold. If small purchase procedures are used, price or rate quotations must be obtained from an adequate number of qualified sources as determined appropriate by the non-Federal entity. . . . INDIANA STATE BOARD OF ACCOUNTS 19 SMITH-GREEN COMMUNITY SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) (b) Formal procurement methods. When the value of the procurement for property or services under a Federal financial assistance awards exceeds the SAT, or a lower threshold established by a non-Federal entity, formal procurement methods are required. Formal procurement methods require following documented procedures. Formal procurement methods also require public advertising unless a non-competitive procurement can be used in accordance with § 200.319 or paragraph (c) of this section. The following formal methods of procurement are used for procurement of property or services above the simplified acquisition threshold or a value below the simplified acquisition threshold the non-Federal entity determines to be appropriate: (1) Sealed bids. A procurement method in which bids are publicly solicited and a firm fixed-price contract (lump sum or unit price) is awarded to the responsible bidder whose bid, conforming with all the material terms and conditions of the invitation for bids, is the lowest in price. The sealed bids method is the preferred method for procuring construction, if the conditions. . . . (2) Proposals. A procurement method in which either a fixed price or cost-reimbursement type contract is awarded. Proposals are generally used when conditions are not appropriate for the use of sealed bids. . . ." 2 CFR 180.300 states: "When you enter into a covered transaction with another person at the next lower tier, you must verify that the person with whom you intend to do business is not excluded or disqualified. You do this by: (a) Checking SAM Exclusions; or (b) Collecting a certification from that person; or (c) Adding a clause or condition to the covered transaction with that person." Cause The Cooperative noted that the American Rescue Plan (ARP) portion of the Special Education grant was new for 2023-2024. The ARP funding gave opportunity for types of expenditures that do not typically get expensed using special education funding. The transactions noted within the Condition and Context were from the ARP portion of the grant, which provided property or services that exceeded the micro-purchase threshold. Management of the Cooperative was unaware of the procurement requirements when property or services exceed the micro-purchase threshold. In addition, management of the Cooperative was unaware of the suspension and debarment requirements when a covered transaction is expected to equal or exceed $25,000. Effect Without the proper implementation of an effectively designed system of internal controls, including policies and procedures that provide segregation of duties and additional oversight as needed, the internal control system cannot be capable of effectively preventing, or detecting and correcting, material noncompliance. Without following the required methods for procurement, the Cooperative could be overpaying for services. Unverified vendors to whom payments are equal to or in excess of $25,000 could be suspended, debarred, or otherwise excluded. INDIANA STATE BOARD OF ACCOUNTS 20 SMITH-GREEN COMMUNITY SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Noncompliance with the provisions of federal statutes, regulations, and terms and conditions of the federal award could result in the reduction of future federal funding to the Cooperative. Questioned Costs There were no questioned costs identified. Recommendation We recommended that the Cooperative's management design and implement a system of internal controls related to procurement and suspension and debarment procedures to ensure procurement requirements are met and to ensure entities are neither suspended nor debarred or otherwise excluded or disqualified prior to entering into any covered transactions. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2025-001 Subject: Child Nutrition Cluster - Procurement and Suspension and Debarment Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program, Summer Food Service Program for Children Assistance Listings Numbers: 10.553, 10.555, 10.559 Federal Award Numbers and Years (or Other Identifying Numbers): FY 2023-24, FY 2024-25 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Procurement and Suspension and Debarment Audit Findings: Material Weakness, Other Matters Repeat Finding This is a repeat finding from the immediately prior audit report. The prior audit finding number was 2023-002. Condition and Context An effective internal control system was not in place at the School Corporation to ensure compliance with requirements related to the grant agreement and the Procurement and Suspension and Debarment compliance requirement. Procurement Federal regulations allow for informal procurement methods when the value of the procurement for property or services does not exceed the simplified acquisition threshold, which is set at $250,000 unless a lower, more restrictive threshold is set by a nonfederal entity. The State of Indiana has established a more restrictive threshold of $150,000 for informal procurement methods. This informal process allows for methods other than the formal bid process. The informal process is divided between two methods based on thresholds: micro-purchases, typically for those purchases $10,000 or under, and small purchase procedures for those purchases above the micro-purchase threshold but below the simplified acquisition threshold. Small purchase procedures require that price or rate quotations must be obtained from an adequate number of qualified sources or have documented reasoning to support a single source provider. Two vendors were identified that were paid $27,726 and $70,168, respectively, during the audit period using federal funds under the award, thereby requiring small purchase procedures for both procurements. Both vendors were selected for testing. The School Corporation was unable to provide any documentation for the vendor that was paid $70,168 that the procurement method used was appropriate or that the procurement provided full and open competition or rationale to support the determination to limit competition. Additionally, the history of procurement, including the rationale for the method of procurement, selection of the vendor, and the basis for the price, was not adequately documented for the vendor. INDIANA STATE BOARD OF ACCOUNTS 16 WASHINGTON COMMUNITY SCHOOLS, INC. SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Suspension and Debarment Prior to entering into subawards and covered transactions with federal award funds, recipients are required to verify that vendors and subrecipients are not suspended, debarred, or otherwise excluded from receiving federal funds. "Covered transactions" include, but are not limited to, contracts for goods and services awarded under a nonprocurement transaction (i.e., grant agreement) that are expected to equal or exceed $25,000. The verification is to be done by checking the Excluded Parties List System (EPLS), collecting a certification from that vendor, or adding a clause or condition to the covered transaction with that vendor. Four covered transactions that equaled or exceeded $25,000 were identified. All four transactions totaling $4,082,816 were selected for testing. For two of the four vendors, the School Corporation did not verify the vendor's suspension and debarment status prior to entering into the covered transaction with either vendor. The amount paid to both vendors totaled $97,894. The lack of internal controls and noncompliance were systemic issues throughout the audit period. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.318 states in part: "(a) The non-Federal entity must have and use documented procurement procedures, consistent with State, local, and tribal laws and regulations and the standards of this section, for the acquisition of property or services required under a Federal award or subaward. The non-Federal entity's documented procurement procedures must conform to the procurement standards identified in §§ 200.317 through 200.327. . . . (i) The non-Federal entity must maintain records sufficient to detail the history of procurement. These records will include, but are not necessarily limited to, the following: Rationale for the method of procurement, selection of contract type, contractor selection or rejection, and the basis for the contract price. . . ." 2 CFR 200.320 states in part: "The non-Federal entity must have and use document procurement procedures, consistent with the standards of this section and §§ 200.317, 200.318, and 200.319 for any of the following methods of procurement used for the acquisition of property or services required under a Federal award or sub-award. INDIANA STATE BOARD OF ACCOUNTS 17 WASHINGTON COMMUNITY SCHOOLS, INC. SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) (a) Informal procurement methods. When the value of the procurement for property or services under a Federal award does not exceed the simplified acquisition threshold (SAT), as defined in § 200.1, or a lower threshold established by a non-Federal entity, formal procurement methods are not required. The non-Federal entity may use informal procurement methods to expedite the completion of its transactions and minimize the associated administrative burden and cost. The informal methods used for procurement of property or services at or below the SAT include: . . . (2) Small purchases– (i) Small purchase procedures. The acquisition of property or services, the aggregate dollar amount of which is higher than the micro-purchase threshold but does not exceed the simplified acquisition threshold. If small purchase procedures are used, price or rate quotations must be obtained from an adequate number of qualified sources as determined appropriate by the non-Federal entity. . . . (b) Noncompetitive procurement. There are specific circumstances in which noncompetitive procurement can be used. Noncompetitive procurement can only be awarded if one or more of the following circumstances apply: (1) The acquisition of property or services, the aggregate dollar amount of which does not exceed the micro-purchase threshold (see paragraph (a)(1) of this section); (2) The item is available only from a single source; (3) The public exigency or emergency for the requirement will not permit a delay resulting from publicizing a competitive solicitation; (4) The Federal awarding agency or pass-through entity expressly authorizes a noncompetitive procurement in response to a written request from the non-Federal entity; or (5) After solicitation of a number of sources, competition is determined inadequate." 2 CFR 180.300 states: "When you enter into a covered transaction with another person at the next lower tier, you must verify that the person with whom you intend to do business is not excluded or disqualified. You do this by: (a) Checking the SAM Exclusions; or (b) Collecting a certification from that person; or (c) Adding a clause or condition to the covered transaction with that person." Cause The School Corporation did not have adequate internal controls to ensure compliance with procurement and suspension and debarment requirements. The School Corporation was aware of the Procurement and Suspension and Debarment compliance requirement and relied on its food service management company to ensure compliance. There was not sufficient oversight by the School Corporation to ensure proper procedures were followed. INDIANA STATE BOARD OF ACCOUNTS 18 WASHINGTON COMMUNITY SCHOOLS, INC. SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Effect The lack of an effective internal control system enabled material noncompliance to occur and remain undetected. Noncompliance with the Procurement and Suspension and Debarment compliance requirement could enable small purchases made by the School Corporation to be uncompetitive and could lead to contracting with vendors who are suspended or debarred from receiving federal grant funding. Noncompliance with the grant agreement and the compliance requirement could result in the loss of future federal funding to the School Corporation. Questioned Costs There were no questioned costs identified. Recommendation We recommended that management of the School Corporation establish a proper system of internal controls and develop policies and procedures to ensure that there are appropriate procurement procedures for goods and services and that contractors and subrecipients, as appropriate, are verified to not be suspended, debarred, or otherwise excluded prior to entering into any contracts or subawards. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2025-001 Information on the federal program: Subject: Special Education Cluster (IDEA) – Internal Controls Federal Agency: Department of Education Federal Program: Special Education Grants to States, Special Education Preschool Grants Assistance Listings Numbers: 84.027, 84.027X, 84.173X Federal Award Numbers and Years (or Other Identifying Numbers): 22611-046-PN01, 22611-046-ARP, 22619-046-ARP Pass-Through Entity: Indiana Department of Education Compliance Requirement: Earmarking Audit Findings: Significant Deficiency Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)...." 2 CFR 200.403 states in part: "Except where otherwise authorized by statute, costs must meet the following general criteria in order to be allowable under Federal awards:… (g) Be adequately documented. . . ." 2 CFR 200.208(b) states in part: "The Federal awarding agency or pass-through entity may adjust specific Federal award conditions as needed . . ." 511 IAC 7-34-7(b) states: "The public agency, in providing special education and related services to students in nonpublic schools must expend at least an amount that is the same proportion of the public agency total subgrant under 20 U.S.C. 1411(f) as the number of nonpublic school students with disabilities, who are enrolled by their parents in nonpublic schools within its boundaries, is to the total number of students with disabilities of the same age range." Condition: An effective internal control system was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and earmarking compliance requirement. Cause: The School Corporation's management had not developed a system of internal controls to ensure compliance with the earmarking requirements. Effect: The failure to establish an effective internal control system placed the School Corporation at risk of noncompliance with the grant agreement and the compliance requirements. A lack of segregation of duties within an internal control system could have also allowed noncompliance with the compliance requirements and allowed the misuse and mismanagement of federal funds and assets by not having proper oversight, reviews, and approvals over the activities of the programs. Questioned Costs: There were no questioned costs identified. Context: The School Corporation is a member of the Porter County Education Services (Cooperative). During fiscal year 2023-2024, the Cooperative operated the special education program and spent the federal money on behalf of all its members. As the grant agreement was between the Indiana Department of Education (IDOE) and each member school, the School Corporation was responsible for ensuring and providing oversight of the Cooperative. The School Corporation did not have internal controls in place to ensure that the Cooperative complied with the earmarking requirements. The Cooperative did not have adequate procedures in place to ensure that the required level of expenditures for non-public school students with disabilities was met for each member school. The Cooperative did not have effective internal controls to ensure non-public school expenditures were appropriately identified and reported. The Non-Public Proportionate Share expenditures for the 22611-046-PN01, 22611-046-ARP, and 22619-046-ARP grant awards could not be verified for the individual member schools. Total grant expenditures were posted as expended. The non-public proportionate share expenditures were determined by applying a percentage to the non-public school budgeted expenditures. As such, we were unable to identify if the minimum amount per each applicable member schools’ grant award was expended and properly reported to IDOE, as required. The lack of internal controls was isolated to the 22611-046-PN01, 22611-046-ARP, and 22619-046-ARP grant awards which were fully expended during fiscal year 2024. These three grant awards had minimum earmarking requirements for the Non-Public Proportionate Share of $18,682, $4,510, and $302 respectively. Identification as a repeat finding, if applicable: This is a repeat finding from the immediately prior audit. The prior finding number was 2023-004. Recommendation: We recommended that management of the School Corporation establish a proper system of internal controls and develop policies and procedures to monitor the Cooperative and ensure non-public proportionate share funds are appropriately allocated to the member school based on expenditures charged directly on behalf of the member school. Supporting documentation for these expenditures should be retained for audit. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
Finding 2025-002 Information on the federal program: Subject: Education Stabilization Fund – Special Tests and Provisions - Wage Rate Requirements Federal Agency: Department of Education Federal Program: COVID-19 - Education Stabilization Fund Assistance Listing Number: 84.425U Federal Award Numbers and Years (or Other Identifying Numbers): S425U210013 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Special Tests and Provisions - Wage Rate Requirements Audit Findings: Material Weakness, Material Noncompliance, Qualified Opinion Criteria: 2 CFR section 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ."29 CFR 5.5 states in part: (1) Minimum wages.All laborers and mechanics employed or working upon the site of the work (or under the United States Housing Act of 1937 or under the Housing Act of 1949 in the construction or development of the project), will be paid unconditionally and not less often than once a week, and without subsequent deduction or rebate on any account (except such payroll deductions as are permitted by regulations issued by the Secretary of Labor under the Copeland Act (29 CFR part 3)), the full amount of wages and bona fide fringe benefits (or cash equivalents thereof) due at time of payment computed at rates not less than those contained in the wage determination of the Secretary of Labor which is attached hereto and made a part hereof, regardless of any contractual relationship which may be alleged to exist between the contractor and such laborers and mechanics… (3)(ii)(A) The contractor shall submit weekly for each week in which any contract work is performed a copy of all payrolls to the (write in name of appropriate federal agency) if the agency is a party to the contract, but if the agency is not such a party, the contractor will submit the payrolls to the applicant, sponsor, or owner, as the case may be, for transmission to the (write in name of agency). 2 CFR 200 Appendix II states in part: In addition to other provisions required by the Federal agency or non-Federal entity; all contracts made by the non-Federal entity under the Federal award must contain provisions covering the following, as applicable. . . . (D) Davis-Bacon Act, as amended (40 U.S.C. 3141-3148). When required by Federal program legislation, all prime construction contracts in excess of $2,000 awarded by non-Federal entities must include a provision for compliance with the Davis-Bacon Act (40 U.S.C. 3141-3144, and 3146-3148) as supplemented by Department of Labor regulations (29 CFR Part 5, “Labor Standards Provisions Applicable to Contracts Covering Federally Financed and Assisted Construction”). In accordance with the statute, contractors must be required to pay wages to laborers and mechanics at a rate not less than the prevailing wages specified in a wage determination made by the Secretary of Labor. In addition, contractors must be required to pay wages not less than once a week.. . .” Condition: An effective internal control system was not in place at the School Corporation in order to ensure compliance with requirements related to the grant agreement and the Special Tests and Provisions – Wage Rate Requirements compliance requirements. Cause: The School Corporation's management had not developed a system of internal controls to ensure compliance with the compliance requirements listed above. Effect: The failure to design and implement an effective internal control system enabled material noncompliance to go undetected. Noncompliance with the grant agreement and the Special Tests and Provisions – Wage Rate Requirements compliance requirement could result in the loss of future federal funds to the School Corporation. Questioned Costs: There were no questioned costs identified. Context: The School Corporation did not obtain the weekly payroll reports certifications from a company that performed renovations to replace fan coil units and HVAC equipment in the building. Therefore, no review was performed to ensure that pay rates complied with the federal wage rate requirements. The amount disbursed and reported on the SEFA during the audit period is $119,190 and the labor portion was not determinable by the School Corporation. Identification as a repeat finding, if applicable: This is a repeat finding from the immediately prior audit. The prior audit finding number was 2023-006. Recommendation: We recommend the School Corporation implement a formal process to ensure the required weekly payroll reports certifications are collected and reviewed to ensure compliance with the wage rate requirements. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and has prepared a corrective action plan.
8. Criteria or specific requirement: Per Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (2 CFR Part 200) Subpart D, Post Federal Award Requirements Section 200.303, Internal controls, the recipient must establish, document and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. Per 7 CFR Section 210.8(a), the school food authority shall establish internal controls which ensure the accuracy of meal counts prior to the submission of the monthly claim for reimbursement. '9. Condition: One (1) of the monthly claims for reimbursement reported meal counts in excess of those supported by records of the District. The November 2024 claim amounts were consistent with participation levels and reimbursement amounts in other months tested. No anomalies or fluctuations were identified through analytical procedures; however, required supporting documentation was not maintained. '10. Cause: The District's internal controls over compliance were not functioning effectively to ensure claims for reimbursement were accurately prepared. '11. Effect: Claims could not be verified as allowable and properly supported. '12. Questioned Costs: The following questioned costs were computed based on the excess meals claimed for reimbursement times the applicable reimbursement rate: $719 (Project No. 25-4220-00). '13. Context: From the population of eleven (11) monthly claims for reimbursement, a sample of two (2) claims were selected for testing. We noted one (1) month in which the claims for reimbursement reported meal counts in excess of those supported by records of the District as follows: November 2024: Actual breakfast meals served: 8,408; Breakfast meals claimed for reimbursement: 8,661. The difference was due to one (1) day where the supporting documentation was not maintained. A statistically valid sample was not utilized. '14. Recommendation: We recommend that management review its policies and procedures and implement changes to strengthen internal control over compliance. '15. Management's response: The District agrees with the auditor's finding and recommendation.
2025-003: Material Weakness in Internal Controls over Compliance with Suspension and Debarment Federal Assistance Listing Number: 10.553, 10.555, and 10.582 Federal Award Year: 2025 Program Title: Child Nutrition Cluster Name of Federal Agency: U.S. Department of Agriculture Name of Pass-Through Entity: Colorado Department of Education COVID-19 Program: No Criteria: 2 CFR §200.303 requires that the grant recipient must establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control- Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Based on our sample selection of three vendors for testing, we have identified that two of the three vendors tested did not have adequate verification of suspension and debarment. Upon further testing and discussion, the District does not have internal controls in place to verify suspension and debarment on vendors that are paid greater than or equal to $25,000, as required by 2 CFR 200 for various federal awards. Upon further compliance testing, vendors in our testing were in compliance with the requirement. Without internal controls over compliance, the District may not be able to identify noncompliance with a suspended or debarred vendors in a timely manner and may incur potential questioned costs without knowledge of the noncompliance. Questioned Costs: No questioned costs have been identified. Cause: The District’s internal controls over suspension and debarment requirement were not properly designed or implemented. Effect: Without internal controls over compliance, the District may not be able to identify noncompliance with a suspended or debarred vendors in a timely manner and may incur potential questioned costs without knowledge of the noncompliance. Repeat Finding: No. Recommendation: We recommend that the District implement internal controls over the suspension and debarment requirement and add this requirement to the procurement process at the District. In addition, we recommend that the District periodically review federal expenditure reports to identify vendors that may have been paid with federal grants in excess of the $25,000 suspension and debarment threshold to prevent potential noncompliance. Corrective Action Plan: Reported on page 60.
Criteria or specific requirement: In accordance with Uniform Guidance 2 CFR 180.300, nonfederal entities entering into covered transactions must verify that a party is not suspended or debarred from conducting business with the federal government. That verification may be performed by checking exclusions in SAM.gov, obtaining a certification from the vendor, or including a suspension and debarment clause or condition to the covered transaction. Additionally, pursuant to 2 CFR 200.303, the University is required to establish and maintain effective internal controls over federal awards to provide reasonable assurance that federal awards are managed in compliance with applicable federal statutes, regulations, and the terms and conditions of the federal award. Condition: During testing of suspension and debarment compliance for vendors with payments exceeding $25,000, CLA noted that 2 of 40 vendors tested did not have documentation evidencing that the vendor was verified as not suspended or debarred prior to entering into a contract. Questioned costs: None. Context: The University of Idaho entered into transactions with 2 vendors prior to verifying that the vendors were not suspended or debarred. Cause: The University of Idaho's control designed to verify vendor suspension and debarment status prior to contract execution is not operating effectively. Effect: There is an increased risk that suspended or debarred vendors could be contracted using federal funds. Repeat finding: No. Recommendation: CLA recommends that the University implement a more effective suspension and debarment policy and establish corresponding controls to ensure vendor eligibility is verified prior to entering into covered transactions. Views of responsible officials: There is no disagreement with the audit finding.
2025-066: Improve Web Application Security Applicable to: Department of Health Assigned Topic: Access Control; Configuration Management; System and Communications Protection Prior Finding Number: N/A Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: WIC Special Supplemental Nutrition Program for Women, Infants, and Children - 10.557 Federal Award ID (Year): 251VA707W1006 (2025) Federal Agency: U.S. Department of Agriculture Compliance Requirement: Other - 2 CFR §200.303(e) Known Questioned Costs: $0 Health does not secure the web application, which supports its system used for eligibility determination for the WIC Special Supplemental Nutrition Program for Women, Infants, and Children federal grant program, with the minimum-security controls required by the Security Standard. We communicated the weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. The weaknesses identified resulted from limited management oversight and staffing constraints within OIM. Health should dedicate the resources necessary to develop and maintain adequate documentation and implement all security controls required by the Security Standard. Addressing these weaknesses will help ensure the confidentiality, integrity, and availability of data and support compliance with the Security Standard. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-041: Obtain, Review, and Document System and Organization Control Reports of Third-Party Service Providers Applicable to: Department of Social Services Assigned Topic: Third-Party Service Providers (Non-Information Systems) Prior Finding Number: 2024-010; 2023-085; 2022-089; 2021-019 Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Supplemental Nutrition Assistance Program – 10.551; Summer Electronic Benefit Transfer Program for Children - 10.646 Federal Award ID (Year): 251VA407Q3903 (2025); 251VA407N1175 (2025) Federal Agency: U.S. Department of Agriculture Compliance Requirement: Other - 2 CFR § 200.303(a) Known Questioned Costs: $0 Social Services continues to implement its corrective actions for obtaining, reviewing, and documenting System and Organization Control (SOC) reports of third-party service providers, specifically SOC 1, Type 2 reports. In response to prior audit recommendations, Social Services created a policy and procedure outlining the expectations for obtaining, reviewing, and documenting SOC 1, Type 2 reports and designated contract administrators as the party responsible for implementing the policies and procedures. Additionally, Social Services created training and a questionnaire that will guide contract administrators when conducting their review of the SOC 1, Type 2 report. However, because of the extent of its corrective actions, Social Services was unable to fully implement its policy and procedure as of the end of fiscal year 2025. SOC 1, Type 2 reports address the operating effectiveness of third-party service providers’ internal controls and the effect those internal controls may have on a user entity’s financial statements. Social Services uses third-party service providers to perform functions that are significant to its financial operations such as administering the electronic benefit transfer (EBT) process for several of its public assistance programs. During fiscal year 2025, Social Services’ third-party service provider issued nearly $2 billion in financial assistance to beneficiaries on EBT cards. Commonwealth Accounting Policies and Procedures (CAPP) Manual Topic 10305 requires agencies to have adequate interaction with third-party service providers to appropriately understand their internal control environment and maintain oversight over them to gain assurance over outsourced operations. Additionally, 2 CFR § 200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over federal awards to ensure compliance with applicable laws, regulations, and award terms. Without fully implementing its policy and procedure, Social Services may not fully assess whether its complementary user entity controls are sufficient to support reliance on the third-party service providers’ controls. Additionally, by not obtaining the necessary SOC 1, Type 2 reports timely or properly documenting its review of the reports, Social Services may not timely detect a weakness in a third-party service provider’s environment. Social Services should continue to implement its corrective actions for obtaining, reviewing, and documenting SOC 1, Type 2 reports to comply with the CAPP Manual provisions and federal regulations. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-013: Improve Financial Management of Federal Grants Applicable to: Department of Wildlife Resources Assigned Topic: Federal Grants Management Prior Finding Number: N/A Finding Type: Internal Control and Compliance Finding Severity: Material Weakness Financial Statement Finding: No Federal Awards Finding: Yes ALPT - ALN: Sport Fish Restoration - 15.605; Wildlife Restoration and Basic Hunter Education and Safety - 15.611; Enhanced Hunter Education and Safety - 15.626 Federal Award ID (Year): F20AF10048 (2020); F20AF11897 (2020); F21AF02409 (2021); F22AF01121 (2022); F23AF00654 (2023); F23AF03173 (2023); F23AF03185 (2023); F24AF02770 (2024); F24AF02896 (2024); F24AF02903 (2024) Federal Agency: U.S. Department of the Interior Compliance Requirement: Allowable Costs/Cost Principles - 2 CFR § 200.302; 2 CFR § 200.303(a); 2 CFR § 200.305; 2 CFR § 200.510(b); 31 CFR § 205.33 Known Questioned Costs: $0 The Department of Wildlife Resources (Wildlife Resources) should improve its financial management of federal grants and documentation of internal controls to ensure compliance with state and federal requirements. Wildlife Resources has experienced recent turnover in its grants staff positions. Wildlife Resources has hired new staff; however, there was no transition period with the previous staff, and the previous grants staff did not sufficiently document internal controls over the federal programs. Staff have started documenting desk procedures, but agency-wide policies and procedures remain lacking. As such, grants staff did not appear to have sufficient knowledge of statewide policies and procedures to adequately perform the federal grants management processes in accordance with federal regulations and the Commonwealth Accounting Policies and Procedures (CAPP) Manual. We identified the following issues: Wildlife Resources should amend its procedures to comply with CAPP Manual requirements for cash management of federal funds. CAPP Manual Topic 20605 states that two methods of recording "split" funded expenses are acceptable. The method preferred by the State Comptroller is to establish procedures to "split code" the expenses by allocating the disbursement between a state fund and the federal fund at the matching ratio prescribed by the grant or contract. A second, and temporary, funding method allows the agency to charge the original expense to a state fund and subsequently, within seven business days, prepare and submit a general ledger journal in the Commonwealth’s accounting and financial reporting system to charge the federal fund for the federal portion of the original expense, referencing the original voucher in the journal reference line for transparency. If a state agency cannot comply, the agency must request approval from the State Comptroller. Wildlife Resources follows the temporary funding method to record its federal expenses. Wildlife Resources spends from state funds and then performs journal entries to move transactions to the federal fund in bulk with some journal entries representing hundreds of individual transactions, which does not allow for transparency regarding the nature of Wildlife Resources federal expenses. Further, our analysis found that Wildlife Resources enters journal entries for federal drawdowns up to three months after the original transaction date which is not consistent with the seven-day requirement in CAPP Manual Topic 20605. Per 2 Code of Federal Regulations (CFR) § 200.302, a recipient must comply with state laws and procedures for expending and accounting for the State's funds. Additionally, the untimely performance of these extensive journal entries may result in Wildlife Resources recording journal entries in the wrong fiscal year, which could result in inaccurate information within the Commonwealth’s Annual Comprehensive Financial Report. Wildlife Resources does not maintain adequate support for its journal entries. CAPP Manual Topic 20405 requires the agency to retain sufficient supporting documentation to provide auditable records containing evidence of required coding elements for journal entries. Wildlife Resources’ journal entries lack documentation related to changes in coding. Further, Wildlife Resources does not maintain supporting documentation for journal entries in one accessible location which would allow for sufficient supervisory review. Not maintaining adequate supporting documentation over journal entries increases the risk of inaccurate or fraudulent transactions. Wildlife Resources also does not have policies and procedures in place that detail how it creates the journal entries, what type of documentation to retain to support journal entries, or how Wildlife Resources ensures it only moves allowable costs to the federal fund. Title 2 CFR § 200.303(a) requires recipients to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the recipient or subrecipient is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. During fiscal year 2025, in response to our Office’s 2024 Internal Control Questionnaire Review, Wildlife Resources established a bimonthly drawdown and journal entry schedule to ensure timely drawdown of federal funds to reimburse expenses originally incurred within state funds and to assist in remediation of its cash flow issues. Per 31 CFR § 205.33, a state must minimize the time between the drawdown of federal funds from the federal government and their disbursement for federal program purposes in accordance with the actual, immediate cash requirements of the state. The timing and amount of funds transfers must be as close as is administratively feasible to a state's actual cash outlay for direct program costs and the proportionate share of any allowable indirect costs. However, based on our analysis of drawdowns, while Wildlife Resources has made progress in the rate of drawdowns since the previous review, due to staff shortages, Wildlife Resources has not fully followed its drawdown schedule to ensure timely drawdowns of federal funds, which could exacerbate the agency’s cash flow issues. Specifically, the drawdown schedule included twenty planned drawdowns, however Wildlife Resources completed only eleven (55%) in accordance with that schedule. Furthermore, Wildlife Resources does not have policies and procedures in place over the completion of drawdowns as required by 2 CFR § 200.302, which requires a recipient to have written procedures to implement the requirements of 2 CFR § 200.305 regarding federal drawdowns. Wildlife Resources did not record program income revenue of approximately $2.3 million in the correct fiscal year for the Fish and Wildlife Cluster. Wildlife Resources recorded the program income received in fiscal year 2025 in a suspense account and did not distribute the income to the proper revenue account until fiscal year 2026. CAPP Manual Topic 20205 requires recording of all state receipts in the Commonwealth’s accounting and financial reporting system in a timely manner within three business days of the deposit. Additionally, the Department of Accounts (Accounts) Fiscal Year-End Closing Procedures require agencies to certify that they properly distributed balances to the correct accounts before final close of Commonwealth’s accounting and financial reporting system. By not properly recording program income, Wildlife Resources may misrepresent financial information to the federal government and report information that does not agree with its accounting records. Wildlife Resources reported federal expenses on its Schedule of Expenditures of Federal Awards (SEFA), a schedule that details Wildlife Resources’ federal expenses for fiscal year 2025, that did not agree to its underlying accounting records. Wildlife Resources reported federal expenses in the SEFA that it recorded as state funds in the Commonwealth’s accounting and financial reporting system due to considering journal entries that they did not record in the system until the next fiscal year. Due to these issues and preparation of the SEFA by a member of management on long-term leave who was not available during the audit, Wildlife Resources could not support amounts totaling over $660,000 in its SEFA. Additionally, Wildlife Resources does not have documented procedures outlining its process for preparing the SEFA in accordance with 2 CFR § 200.510(b), which states that the auditee must prepare a schedule of expenditures of federal awards for the period covered by the auditee’s financial statements which must include the total federal awards expended as determined in accordance with 2 CFR § 200.502. Accounts’ Office of the Comptroller’s Directive No. 1-25 (Comptroller’s Directive) also provides specific directions for compiling the SEFA and supporting schedules to support its preparation of the Commonwealth’s SEFA and related disclosures. Furthermore, the Comptroller’s Directive states that an agency must ensure that it has internal controls in place to avoid material misstatements and/or misclassifications in the attachments and other financial information submitted to Accounts for inclusion in the Commonwealth’s Single Audit. By not implementing adequate internal controls over financial reporting, Wildlife Resources cannot provide reasonable assurance that the financial information it submits to Accounts for inclusion in the Commonwealth’s Single Audit is free of material misstatements. Because of the scope of the matters and errors noted above, we consider this finding to be a material weakness in internal control. Wildlife Resources should improve its financial management of federal funds and documentation of internal controls to ensure compliance with state and federal requirements. The need for strong internal controls is especially important given that Wildlife Resources is exploring additional federal funding opportunities. Wildlife Resources should work with Accounts to develop and implement a federal grants management process that complies with the CAPP Manual. Wildlife Resources should improve its process and controls related to federal fund drawdowns to ensure timely reimbursement of expenses within federal limitations. Further, Wildlife Resources should also improve its controls and procedures related to journal entry processing to ensure it retains adequate support for all entries and enters the entries timely. Additionally, Wildlife Resources should perform a thorough review of its SEFA before submitting it to Accounts and retain supporting documentation to support the SEFA. Finally, Wildlife Resources should develop policies and procedures over all federal grants processes including all compliance requirements. These improvements combined are necessary to ensure accurate accounting and financial reporting in accordance with the CAPP Manual, the Code of Federal Regulations, the Comptroller’s Directives, and applicable accounting standards. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-070: Continue to Strengthen Internal Controls over the Vocational Rehabilitation Case Management System Applicable to: Department for Aging and Rehabilitative Services Assigned Topic: Access Control; Audit and Accountability; Information Security Roles and Responsibilities; Personnel Security; Planning; Risk Assessment Prior Finding Number: N/A Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: No Federal Awards Finding: Yes ALPT - ALN: Rehabilitation Services Vocational Rehabilitation Grants to States - 84.126 Federal Award ID (Year): H126A240069 (2024); H126A250069 (2025); H126A240070 (2024); H126A250070 (2025) Federal Agency: U.S. Department of Education Compliance Requirement: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 The Department for Aging and Rehabilitative Services (Aging and Rehabilitative Services) continues to strengthen internal controls over its Vocational Rehabilitation (VR) case management system. To comply with the provisions in the Commonwealth’s IT Security Audit Standard, SEC502 (IT Audit Standard), Aging and Rehabilitative Services’ Internal Audit Division (Internal Audit) conducted an audit over the agency’s VR case management system and concluded fieldwork in December 2024. The audit included a risk-based selection of security controls from the Commonwealth’s Information Security Standard, SEC530 (Security Standard) sections and control families, in addition to the controls in the IT Audit Standard. Internal Audit identified 25 total findings affecting several control families and sections in the Security Standard and IT Audit Standard. We elected not to disclose the specific findings because they are considered to be Freedom of Information Act exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to containing descriptions of security mechanisms. Aging and Rehabilitative Services developed corrective action plans to remediate the findings Internal Audit communicated in its report and has resolved two of the 25 findings (8%) as of the end of fiscal year 2025. Internal Audit noted that many of the reported findings were the result of insufficient agency resources and/or a lack of formal policies and procedures. The Security Standard requires that system owners maintain compliance with Commonwealth of Virginia information security policies and standards in all IT system activities. Additionally, Title 2 Code of Federal Regulations (CFR) § 200.303(e) requires federal grant recipients to take reasonable cybersecurity and other measures to safeguard information including protected personally identifiable information (PII) and other types of information. Inadequate or lacking IT security controls could potentially lead to a data breach or unauthorized access to confidential and mission-critical data, resulting in data corruption, data loss, or system disruption, if accessed by either internal or external malicious attacker. We recommend that Aging and Rehabilitative Services’ management continue to dedicate the necessary resources to remediate the internal control deficiencies noted in the Internal Audit report covering the VR case management system. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-015: Implement Internal Controls over TANF Federal Performance Reporting Applicable to: Department of Social Services Assigned Topic: Federal Grants Management Prior Finding Number: 2024-101; 2023-105; 2022-103 Finding Type: Internal Control and Compliance Finding Severity: Material Weakness Financial Statement Finding: No Federal Awards Finding: Yes ALPT - ALN: Temporary Assistance for Needy Families (TANF) - 93.558 Federal Award ID (Year): 2501VATANF (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Reporting - 45 CFR § 265.7(b) Known Questioned Costs: $0 Benefit Programs does not have adequate internal controls in place to ensure accurate reporting in the Administration for Children and Families’ (ACF) 199 TANF Data Report (ACF-199) and 209 Separate State Programs – Maintenance-of-Effort Data Report (ACF-209). Social Services submits this data to ACF quarterly, and ACF uses the data to determine whether the Commonwealth met the minimum work participation requirements for the Temporary Assistance for Needy Families (TANF) federal grant program. Benefit Programs uses a third-party service provider to produce the ACF-199 and ACF-209 reports and relies solely on their internal controls during the data extraction and data reporting process as of the end of fiscal year 2025. In response to the prior audit findings, Benefit Programs made significant revisions to its planned corrective actions to better address the weaknesses identified in prior audits. Benefit Programs’ revised planned corrective actions include inventorying and documenting the ACF-199 and ACF-209 reporting requirements, researching previous reporting errors to determine their cause, developing change requests to address reporting format adjustments, and partnering with their Business Operations Unit to develop internal controls for validating data from its third-party service provider. However, because of the extent of its corrective actions, Benefit Programs was unable to implement all of them by the end of fiscal year 2025. Benefit Programs anticipates completing its corrective actions for this audit finding by the end of fiscal year 2026. We audited 60 cases and identified 30 instances (50%) where the third-party service provider did not report one or more key line items accurately based on the data Social Services maintains in its case management system or other supporting data, and Benefit Programs did not detect or correct these errors before the third-party service provider submitted the data to ACF. Specifically, we noted that Benefit Programs did not accurately report the following key line items for the ACF-199 and ACF-209 reports submitted during fiscal year 2025: Benefit Programs did not accurately report the “Work Participation Status” key line item for 29 out of 60 (48%) cases tested. Benefit Programs did not accurately report the “Hours of Participation (Job Search and Job Readiness Assistance)” key line item for five out of 57 (9%) cases tested. Benefit Programs did not accurately report the “Type of Family for Work Participation” key line item for one out of 57 (2%) cases tested. Benefit Programs did not accurately report the “TANF Family Exempt from Time Limits” key line item for one out of 57 (2%) cases tested. Benefit Programs did not accurately report the “Number of Months Countable Toward the Federal Time Limit” key line item for one out of 57 (2%) cases tested. Benefit Programs did not accurately report the “Unsubsidized Employment” key line item for one out of 57 (2%) cases tested. Title 45 CFR § 265.7(b) requires States to have complete and accurate reports, which means that the reported data accurately reflects information available in case records, are free of computational errors, and are internally consistent. Additionally, 2 CFR § 200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over federal awards to ensure compliance with applicable laws, regulations, and award terms. Reporting potentially inaccurate or incomplete information prevents ACF from adequately monitoring the Commonwealth’s work participation rates and the overall performance for the TANF federal grant program. Further, ACF can impose a penalty if it finds Social Services did not meet statutory required work participation rates. Because of the scope of this matter and errors noted above, we consider it to be a material weakness in internal control. Additionally, we believe this matter represents material noncompliance since Social Services did not fully comply with the provisions at 45 CFR § 265.7(b). Benefit Programs should continue to implement its planned corrective actions to ensure accurate reporting in the ACF-199 and ACF-209 TANF federal performance reports. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-019: Perform Analysis to Identify Service Provider Agencies That Perform Significant Fiscal Processes Applicable to: Department of Social Services Assigned Topic: Federal Grants Management Prior Finding Number: 2022-104 Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: No Federal Awards Finding: Yes ALPT - ALN: Social Services Block Grant - 93.667 Federal Award ID (Year): 2501VASOSR (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(a) Known Questioned Costs: $0 Consistent with prior years, Social Services is not performing a comprehensive analysis of service provider agencies during its Agency Risk Management and Internal Control Standards (ARMICS) review to determine if they perform significant fiscal processes. Significant fiscal processes include, but are not limited to, programs or activities that have a high-degree of public visibility; represent areas of concern and high risk to mission-critical business processes for agency managers and stakeholders; or have a significant effect on general ledger account balances. Social Services transferred approximately $53 million to other state agencies or institutions from various federal grant programs during the fiscal year to administer certain grants management functions on its behalf. CAPP Manual Topic 10305 states an agency (primary agency) may use another agency (service provider agency) to perform significant fiscal processes for the primary agency. ARMICS states that decisions about significance should consider not only quantitative, but also qualitative factors, and managers should define any fiscal process as significant if errors or misstatements in the process could have adverse consequences for legal or regulatory obligations. Further, CAPP Manual Topic 10305 states that if a primary agency identifies a service provider agency that performs significant fiscal processes, the primary agency must have adequate interaction with the service provider agency to gain an appropriate understanding of the service provider agency’s control environment and obtain assurances from the service provider agency regarding the state of internal control applicable to the significant fiscal processes performed. Finally, 2 CFR §200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over federal awards to ensure compliance with applicable laws, regulations, and award terms. During its analysis of service provider agencies, Social Services only considered service provider agencies that have a significant effect on general ledger account balances but did not consider qualitative factors like degree of public visibility, areas of concern, or risk to mission-critical business processes. Additionally, Social Services inadvertently indicated that corrective action for this finding was complete during its transition of corrective action plan responsibilities. Without performing a comprehensive analysis of service provider agencies during its ARMICS review, Social Services cannot provide assurance that it obtained adequate coverage over service provider agency operations that are quantitatively or qualitatively significant to its operations. Social Services should identify all service provider agencies and determine which entities provide significant fiscal processes. Thereafter, Social Services should perform a comprehensive analysis to determine if it has an appropriate understanding of the agency’s control environment and obtain assurance from the service provider agency regarding the state of internal control applicable to the significant fiscal processes performed. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-025: Strengthen Internal Controls over FFATA Reporting Applicable to: Department of Social Services Assigned Topic: Federal Grants Management Prior Finding Number: 2024-106; 2023-107; 2022-106 Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: No Federal Awards Finding: Yes ALPT - ALN: Temporary Assistance for Needy Families (TANF) - 93.558; Foster Care-Title IV-E - 93.658; Social Services Block Grant - 93.667 Federal Award ID (Year): 2501VATANF (2025); 2501VASOSR (2025); 2501VAFOST (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Reporting - 2 CFR Part 170 Appendix A; 2 CFR § 200.303(a) Known Questioned Costs: $0 Social Services Division of Finance (Finance) continues to lack adequate internal control over Federal Funding Accountability and Transparency Act (FFATA) reporting. FFATA reports disclose how entities and organizations are obligating federal funds. During fiscal year 2025, Social Services disbursed over $700 million in federal funds from roughly 4,800 subawards. In response to prior audit recommendations, Finance revised its FFATA reporting policy to establish procedures for the timely completion and submission of required reports and began submitting FFATA reports to the federal government. However, we noted the following deviations from Finance’s FFATA reporting policy while auditing new subawards granted for the Foster Care, Social Services Block Grant, and TANF federal grant programs during fiscal year 2025: Finance’s Federal Reporting Unit did not file any FFATA reporting submissions for non-locality subrecipients that received TANF funds from the Division of Family Services and the Division of Community and Volunteer Services. These divisions disbursed approximately $10.4 million from 39 new TANF subawards during fiscal year 2025. In a sample of seven report submissions, we identified the following inaccuracies in the System for Award Management (SAM.gov) for TANF subawards that Benefit Programs awarded to non-locality subrecipients: The Federal Reporting Unit reported an inaccurate subaward obligation/action date for four (57%) report submissions. The Federal Reporting Unit reported an inaccurate subaward Unique Entity Identifier (UEI) for one (14%) report submission. The Federal Reporting Unit reported an inaccurate subaward name for one (14%) report submission. The Federal Reporting Unit did not submit FFATA reporting submissions timely for the TANF, Social Services Block Grant, and Foster Care Title IV-E federal grant programs. The Federal Reporting Unit’s delays in FFATA reporting ranged from three months to over one year. Title 2 CFR Part 170 Appendix A requires non-federal entities to report each obligating action that equals or exceeds $30,000 to SAM.gov by the end of the month following the obligating action. This requirement also applies to any subaward modification that increases the award amount to equal or exceed $30,000. Additionally, 2 CFR §200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over federal awards to ensure compliance with applicable laws, regulations, and award terms. Finance uses a decentralized approach to fulfil its FFATA reporting responsibilities since it does not determine which subrecipients will receive federal funding. To mitigate the risk of reporting incomplete and inaccurate information to SAM.gov, Finance and the programmatic divisions developed a Budget Solicitation Form to track and monitor Social Services’ subaward obligations. Additionally, Finance’s Contract and Procurement Team maintains a list of subawards that it makes available to all parties on Social Services’ intranet. Finally, Finance’s Financial Systems Team developed a report from Social Services’ financial accounting and reporting system that reports expenditures by federal program and subaward. However, Finance’s FFATA reporting policy did not indicate how the Federal Reporting Unit should use this information to monitor FFATA reporting compliance. As a result, the Federal Reporting Unit did not use this information, in its entirety, and did not identify the deviations noted above during the normal course of its operations. When Social Services does not upload all obligating actions meeting the reporting threshold to SAM.gov, as required, a citizen or federal official may have a distorted view of how Social Services is obligating federal funds. Finance should update its FFATA reporting policy to document what sources of information the Federal Reporting Unit should use to monitor compliance with the FFATA reporting requirements and apply appropriate oversight to ensure the Federal Reporting Unit submits complete and accurate information to SAM.gov. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-014: Perform Responsibilities Outlined in the Agency Monitoring Plan Applicable to: Department of Social Services Assigned Topic: Federal Grants Management Prior Finding Number: 2024-082; 2023-097; 2022-011; 2021-070; 2020-074; 2019-090; 2018-093 Finding Type: Internal Control and Compliance Finding Severity: Material Weakness Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Grants to States for Medicaid – 93.778 Federal Award ID (Year): 2505VA5MAP (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Subrecipient Monitoring - 2 CFR § 200.303(a); 2 CFR § 200.332 Known Questioned Costs: $0 The Department of Social Services (Social Services) Compliance Division (Compliance) continues not to adhere to its established approach for overseeing agency-wide subrecipient monitoring, as outlined in its Agency Monitoring Plan. In response to the prior audit recommendations, Compliance made significant revisions to its Agency Monitoring Plan to include tools for tracking and monitoring division-level subrecipient monitoring reviews, began meeting monthly with division-level subrecipient monitoring coordinators, and developed a quarterly variance report that it will use to report the status of the agency’s subrecipient monitoring activities to Social Services’ Executive Team. Compliance adopted its revised Agency Monitoring Plan in July 2025 and anticipates completing the remainder of its corrective actions by the end of fiscal year 2026. Additionally, Social Services hired a director to lead Compliance in fiscal year 2025. Social Services engaged a consultant in April 2025 to help develop remediation plans for its previous audit findings. However, because of the extent of its corrective actions, Compliance could not design and implement its corrective actions by the end of fiscal year 2025. As a result, we identified the following deviations from the Agency Monitoring Plan: Compliance did not review programmatic division annual subrecipient monitoring plans to ensure they implement a risk-based approach. The Agency Monitoring Plan states that Compliance will use a monitoring plan checklist to evaluate and determine if all the required elements for subrecipient monitoring are present in each division’s plan. As a result, Compliance was not aware that the Division of Benefit Programs' (Benefit Programs) non-locality risk assessment template did not include all required risk factors outlined in the Agency Monitoring Plan. Compliance did not confirm that division-level subrecipient monitoring coordinators are maintaining monitoring documentation in Compliance’s centralized repository. As a result, Compliance could not confirm the completeness of the centralized repository. The Agency Monitoring Plan requires that Compliance monitor whether divisions post monitoring review reports to the centralized repository. Compliance did not review each division’s monitoring activities nor provide the required quarterly reports of variances and noncompliance from the Agency Monitoring Plan to Social Services’ Executive Team. As a result, Compliance and the Executive Team were not aware that Benefit Programs did not comply with certain aspects of its subrecipient monitoring plan, such as maintaining complete sampling documentation, monitoring records and reports, and documenting subsequent corrective action. Title 2 U.S. Code of Federal Regulations (CFR) § 200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over federal awards to ensure compliance with applicable laws, regulations, and award terms. Further, 2 CFR § 200.332 requires pass-through entities to monitor subrecipients to ensure they meet federal requirements. Finally, the Agency Monitoring Plan establishes Compliance’s responsibility to centrally coordinate, review, and report on subrecipient monitoring activities across all divisions. Compliance is responsible for agency-wide compliance and risk mitigation that helps ensure adherence to state and federal legal and regulatory standards. During fiscal year 2025, Social Services disbursed approximately $700 million in federal funds to roughly 350 subrecipients from 37 federal grant programs. Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot provide the Executive Team with assurance that Social Services’ subrecipient monitoring efforts are adequate to comply with the regulations at 2 CFR § 200.332. Additionally, Compliance places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards by not monitoring the agency’s subrecipient monitoring activities. Because of the scope of this matter and the magnitude of Social Services’ subrecipient monitoring responsibilities, we consider these weaknesses collectively to create a material weakness in internal controls since Compliance did not implement its corrective actions by the end of fiscal year 2025. Compliance should continue to implement its planned corrective actions to perform the responsibilities outlined in its Agency Monitoring Plan. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-043: Improve IT Third-Party Oversight Process Applicable to: Department of Medical Assistance Services Assigned Topic: Third-Party Service Providers (Information Systems) Prior Finding Number: 2024-017; 2023-086; 2022-090 Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Grants to States for Medicaid – 93.778 Federal Award ID (Year): 2505VA5MAP (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Medical Assistance Services is continuing its efforts to implement its formal process to maintain oversight for three of its information technology (IT) third-party service providers that manage and support its Medicaid management system. The Medicaid management system encompasses different functions, such as member and provider reporting, financial reporting, and federal reporting. Medical Assistance Services has collected data since the prior audit to implement its IT Third Party Risk Management Procedure, which was effective in February 2024, and comply with its IT System and Services Acquisition Policy. However, Medical Assistance Services is still determining the best method to consistently capture the necessary data, which has resulted in the agency not yet verifying the following required controls and processes for one of the Medicaid management system IT service providers not covered by the Virginia Information Technologies Agency’s (VITA) Commonwealth of Virginia Risk and uthority Management Program. Medical Assistance Services does not confirm the geographic location of sensitive data monthly for the IT service providers. Without confirming the geographic location of sensitive data, Medical Assistance Services may be unable to enforce contract requirements, laws, and standards due to the data falling outside the United States’ jurisdiction. Medical Assistance Services does not confirm whether IT service providers perform vulnerability scans every 90 days. By not obtaining and analyzing the vulnerability scan results from the IT service provider, Medical Assistance Services increases the risk that the IT service providers are not remediating legitimate vulnerabilities in a timely manner. Medical Assistance Services has required additional time to collaborate with its IT service provider to adjust its data collection methods and verification processes. Medical Assistance Services also had to prioritize its resources to remediate ongoing findings from previous audits. Medical Assistance Services should continue its efforts to implement its IT Third Party Risk Management Procedure and ensure those tasked with monitoring IT service providers confirm the geographic location of sensitive data, the provider’s performance of vulnerability scanning, and remediation efforts per the Security Standard. Medical Assistance Services should also ensure the individuals responsible for monitoring consistently perform formal oversight processes in a timely manner, which will help maintain the confidentiality, integrity, and availability of sensitive and mission critical data. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-048: Improve Information Security Program and IT Governance Applicable to: Department of Social Services Assigned Topic: Information Security Roles and Responsibilities Prior Finding Number: 2024-035; 2023-027; 2022-022 Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Grants to States for Medicaid – 93.778 Federal Award ID (Year): 2505VA5MAP (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services continues to improve its information security program and information technology (IT) governance structure to address the weaknesses identified in prior audits. In August 2024, Social Services established the Innovation, Architecture, and Governance (IAG) Team to coordinate efforts among the Technology Services Division (TSD), the Cybersecurity Team, the Information Security Risk Management (ISRM) Division, and the Executive Team. The IAG Team established a roadmap to track the tasks, task owners, and target dates to bring the information security program in compliance with the Commonwealth’s Information Security Standard, SEC530 (Security Standard). The IAG Team also oversees regularly scheduled coordination working sessions to obtain updates from the owners assigned to each task in the roadmap. Additionally, Social Services changed the reporting structure for the ISRM Division, including the Information Security Officer (ISO). The ISO now reports directly to Social Services’ Commissioner. However, because of the extent of its corrective actions, Social Services has not yet accomplished all the tasks in the established roadmap to complete corrective actions to bring the information security program in compliance with the Security Standard. Although Social Services continues to make significant progress towards prioritizing and implementing IT governance changes to address existing control deficiencies, the IAG Team needed time to establish a roadmap and coordinate efforts among the Cybersecurity Team, the TSD, the IRSM Division, and the Executive Team to be able to ensure effective implementation of the information security program and controls. Due to the number and magnitude of the issues, it will take time for Social Services to complete remediation efforts initiated according to the established roadmap. The Security Standard requires agency heads to maintain a documented and effectively communicated information security program that is sufficient to protect the agency’s IT systems. Unidentified or unresolved vulnerabilities in Social Services’ IT environment could result in a data breach or unauthorized access to confidential and mission-critical data, leading to data corruption, data loss, or system disruption, if accessed by either internal or external malicious attackers. The TSD, the Cybersecurity Team, the ISRM Division, and Social Services’ Executive Team should continue to work together and follow the direction of the IAG Team to improve compliance with the Security Standard. As part of the continued effort, the Cybersecurity Team, the TSD, and the IRSM Division should continue to evaluate IT resource levels to ensure sufficient resources are available and dedicated to prioritizing and implementing the planned IT governance structure changes. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-049: Identify and Assign Security Roles for Each Sensitive IT System Applicable to: Department of Social Services Assigned Topic: Information Security Roles and Responsibilities Prior Finding Number: N/A Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Grants to States for Medicaid – 93.778 Federal Award ID (Year): 2505VA5MAP (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services’ ISO did not identify a system owner for each sensitive IT system and ensure system owners assigned a data owner, system administrator, and data custodian for each sensitive IT system. Social Services manages and maintains 80 sensitive IT systems that require security role assignments. Specifically, our audit identified: The ISO did not identify a system owner for two of its 80 (3%) sensitive systems. The ISO did not confirm that system owners assigned a data owner for five of 80 (6%) sensitive systems. The ISO did not confirm that system owners assigned a system administrator for 40 of 80 (50%) sensitive systems. The ISO did not confirm that system owners assigned a data custodian for ten of 80 (13%) sensitive systems. The Security Standard requires that the agency head or designee identify a system owner for each agency sensitive IT system and requires the system owner to assign a data owner, data custodian, and system administrator for each agency sensitive IT system. Without assigning security roles, Social Services lacks accountability, which may lead to a failure to enforce security policies and lead to a higher risk of security incidents. Social Services designated the ISO with the responsibility for ensuring that it assigns security roles for each sensitive IT system. However, due to an oversight, the ISO did not assign security roles for each sensitive IT system. The ISO should identify a system owner for each sensitive IT system and ensure system owners assign a data owner, system administrator, and data custodian for each sensitive IT system to meet the Security Standard requirements and to maintain the confidentiality, integrity, and availability of sensitive and mission-critical data. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-050: Continue Improving IT Risk Management Program Applicable to: Department of Social Services Assigned Topic: Planning; Risk Assessment Prior Finding Number: 2024-024; 2023-014; 2022-030; 2021-026; 2020-027; 2019-063; 2018-025 Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Grants to States for Medicaid – 93.778 Federal Award ID (Year): 2505VA5MAP (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services continues to not have a formal and effective IT Risk Management program that aligns with the requirements in the Security Standard. Specifically, Social Services does not: verify and validate the data and system sensitivity ratings of its systems to ensure proper IT system sensitivity ratings. ensure that its sensitive systems list aligns with completed data classifications. create or annually review risk assessments for each sensitive system. create or annually review system security plans for each sensitive system. implement risk treatment plans to mitigate risks following its sensitive systems’ risk assessments. We communicated the details of these weaknesses to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard requires Social Services to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ IT mission-critical systems and data. Social Services’ IT Risk Management program has a complex workflow, along with a complex IT environment, which has slowed the process of remediation and contributed to the identified weaknesses. By not meeting the minimum requirements in the Security Standard, Social Services cannot ensure the confidentiality, integrity, and availability of data within its systems. Social Services should obtain and dedicate the necessary resources to ensure that its IT Risk Management program aligns with the Security Standard. Additionally, Social Services should implement the controls required to address the weaknesses identified in the FOIAE communication. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-051: Improve Database Security Applicable to: Department of Social Services Assigned Topic: Access Control; Identification and Authentication Prior Finding Number: N/A Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Grants to States for Medicaid – 93.778 Federal Award ID (Year): 2505VA5MAP (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services does not require and has not implemented certain requirements in accordance with the Security Standard and industry best practices for its database. We identified two control weaknesses and communicated them to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard requires agencies to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ IT mission critical systems and data. By not meeting the minimum requirements in the Security Standard, Social Services cannot ensure the confidentiality, integrity, and availability of data within its systems. Due to an oversight, Social Services’ management did not identify that the database was not configured according to Security Standard requirements. Social Services began testing and applying the configurations needed to resolve the weaknesses identified in the database during the audit. Social Services should dedicate the necessary resources to ensure database configurations align with the requirements of the Security Standard and industry best practices. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-052: Improve Change Management Process Applicable to: Department of Social Services Assigned Topic: Configuration Management; System and Services Acquisition Prior Finding Number: N/A Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Grants to States for Medicaid – 93.778 Federal Award ID (Year): 2505VA5MAP (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services does not consistently follow its IT change management process to include elements required by its IT Change Management Process Procedure and the Security Standard. Specifically, our review found: Social Services did not track changes to application code and maintain version control in one of its three (33%) development projects. Social Services did not perform a risk and impact analysis for one of 40 (3%) changes. Social Services did not review the risk and impact analysis and validate the change for four of 40 (10%) changes. Social Services did not establish and document a backout plan for one of 40 (3%) changes. Social Services did not update and attach supporting documentation for the change for 40 of 40 (100%) changes. Social Services did not complete user acceptance testing for six of 40 (15%) changes. Social Services did not validate the change to confirm complete and successful execution for one of 40 (3%) changes. Social Services’ IT Change Management Process Procedure requires that each change include a documented risk and impact rating validated through ISRM oversight; an implementation plan (also known as the Playbook, which verifies technical testing and roles and responsibilities); a clearly defined backout plan; post-implementation validation to verify all acceptance criteria were met (including testing evidence); and attached closure documents that include user acceptance testing and updated supporting documentation, such as technical diagrams and baselines. The Security Standard requires that Social Services document and implement configuration change control processes that involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Additionally, the Security Standard requires agencies to employ tools and processes for maintaining trusted generations of source code. Social Services established and implemented its current change management procedure and process in September 2024; however, the process has not matured to include the necessary oversight to ensure employees adhere to each of the steps in the procedure. Without consistently implementing a formal change management process that aligns with the requirements of its IT Change Management Process Procedure and the Security Standard, Social Services increases the risk of implementing unauthorized changes to its production environment that may negatively affect the confidentiality, integrity, and availability of its IT systems and data. Social Services should implement an oversight capability to consistently implement and systematically record all changes according to its IT Change Management Process Procedure and the Security Standard. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-053: Improve Identity and Access Management Oversight and Controls Applicable to: Department of Social Services Assigned Topic: Access Control; Identification and Authentication; Information Security Roles and Responsibilities Prior Finding Number: N/A Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Grants to States for Medicaid – 93.778 Federal Award ID (Year): 2505VA5MAP (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services does not conduct organization-wide oversight to ensure the performance of identity and access management (IAM) controls that protect sensitive information in its critical systems in accordance with organizational policies and procedures and the Security Standard. Social Services manages sensitive systems that require strong IAM controls. As a result of not conducting organization-wide oversight, Social Services does not: Examine and evaluate risk for critical IAM elements and maintain risk assessments to capture changes in risk and the control environment to ensure Social Services implements appropriate controls to reduce risk to an acceptable level. Define processes and practices to collect, monitor, and evaluate performance metrics that Social Services has implemented for IAM functions to evaluate how the functions are performing against agreed-upon performance expectations and report results to stakeholders. Revoke access for terminated users timely. Maintain an inventory of service accounts, document the purpose of each account, and centrally manage the service accounts to minimize the potential for misuse. Provide access to users only after the asset owner authorizes access. Social Services Access Control Policy states that the System Owner shall require the implementation team to enforce approved authorizations. The Security Standard states that the agency head is responsible for the security of the agency’s IT systems and data, including designating an ISO for the agency that reports directly to the agency head. The Security Standard states that the ISO is responsible for developing and managing the agency’s information security program. By not conducting organization-wide oversight of IAM controls, Social Services cannot rely on the controls to effectively reduce the risk of compromise to confidentiality, integrity, and availability of sensitive data in its IT environment. Social Services’ decentralized approach to ensuring IAM control compliance contributes to the lack of oversight and lack of efficient and effective implementation of the individual IAM findings outlined above. Social Services should assign oversight of organizational IAM controls to a central person or team. The person or team responsible should subsequently establish and implement a centralized process to oversee IAM controls to ensure Social Services consistently implements access and account management controls. A centralized oversight IAM function will help Social Services manage IAM controls to protect the confidentiality, integrity, and availability of sensitive and mission-critical data. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-068: Improve Database Security Applicable to: Department of Medical Assistance Services Assigned Topic: Access Control; Audit and Accountability; Identification and Authentication; System and Information Integrity Prior Finding Number: 2024-023 Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Grants to States for Medicaid – 93.778 Federal Award ID (Year): 2505VA5MAP (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 The Department of Medical Assistance Services (Medical Assistance Services) has made significant progress improving security for the database supporting its primary system for financial accounting and reporting in accordance with its internal procedures, the Commonwealth’s Information Security Standard, SEC530 (Security Standard), and industry best practices, such as the Center for Internet Security Benchmarks (CIS Benchmark). Since the prior year audit, Medical Assistance Services remediated four of the eight weaknesses previously identified. However, Medical Assistance Services does not define deviations from recommended and expected security configurations in its baseline configuration, leading to some weaknesses still existing in the database. We communicated the remaining weaknesses to management in a separate document marked Freedom of Information Act Exempt (FOIAE) under § 2.2-3705.2 of the Code of Virginia due to it containing descriptions of security mechanisms. The Security Standard requires Medical Assistance Services to develop, document, and disseminate information security policies and procedures that align with the control requirements in the Security Standard. Additionally, the Security Standard requires Medical Assistance Services to develop, document, and maintain a current baseline configuration of the system; apply more restrictive security configurations for sensitive systems; and monitor systems for security baseline and policy compliance. Without aligning the database’s settings and configurations with its policies and procedures, the Security Standard, and industry best practices, Medical Assistance Services cannot ensure data integrity within the database. Additionally, without documenting details and the justification for approved deviations, Medical Assistance Services increases the risk that it will not meet minimum-security requirements and recommendations to protect its sensitive data from malicious parties. A lack of resources led to Medical Assistance Services experiencing delays in resolving the remaining weaknesses. Medical Assistance Services should dedicate the resources necessary to review and update its procedures to define deviations from recommended and expected security configurations as well as business justification and approval for any deviations. Additionally, Medical Assistance Services should develop a process to review the database’s configuration against its established procedures on a scheduled basis and after major changes occur to help detect and address potential misconfigurations timely. Furthermore, Medical Assistance Services should implement the security controls and processes communicated in the FOIAE document to address the risks present in the database to ensure the configuration aligns with its procedures, the Security Standard, and CIS Benchmark. These actions will help maintain the confidentiality, availability, and integrity of Medical Assistance Services’ sensitive and mission-critical data. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-084: Improve Web Application Security Applicable to: Department of Social Services Assigned Topic: Audit and Accountability Prior Finding Number: 2024-025; 2023-015; 2022-029; 2021-025; 2020-026; 2019-037 Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Grants to States for Medicaid – 93.778 Federal Award ID (Year): 2505VA5MAP (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services continues to not configure a sensitive web application in accordance with its internal policies and the Security Standard. Social Services remediated four of the five previously communicated weaknesses but still has not remediated one weakness. We communicated the control weakness to management in a separate document marked FOIAE under § 2.2-3705.2 of the Code of Virginia, due to it containing descriptions of security mechanisms. The Security Standard requires Social Services to implement certain controls that reduce unnecessary risk to the confidentiality, integrity, and availability of Social Services’ IT mission-critical systems and data. By not meeting the minimum requirements in the Security Standard, Social Services cannot ensure the confidentiality, integrity, and availability of data within its systems. Social Services prioritized other projects which contributed to the weakness persisting. Social Services’ TSD, ISRM Division, and business owners should work together to remediate the remaining weakness to secure the web application and meet the minimum requirements in Social Services’ internal policies and the Security Standard. Addressing this weakness will help to ensure that Social Services secures its IT environment and systems to protect its sensitive and mission-critical data and achieve compliance with both internal policies and the Security Standard. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-085: Conduct Information Technology Security Audits Applicable to: Department of Social Services Assigned Topic: Audit and Accountability Prior Finding Number: 2024-058; 2023-056 Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Grants to States for Medicaid – 93.778 Federal Award ID (Year): 2505VA5MAP (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Social Services is making progress in conducting a comprehensive IT security audit on each sensitive IT system at least once every three years. Social Services identified 78 sensitive IT systems which currently require an IT security audit and completed audits for 30 of these systems during calendar years 2022 and 2023. These systems are due to be audited again during the three-year audit period covering calendar years 2024 to 2026. Additionally, Social Services completed audits for 31 sensitive IT systems during calendar year 2024. However, 17 sensitive IT systems (22%) remain unaudited, including one system that has not been audited since 2017. Social Services hired a contractor to complete an audit over each of the remaining unaudited systems and those due for audit during the audit period covering calendar years 2024 to 2026. Social Services did not perform the remaining IT security audits due to prioritizing required federal audits and needing additional funding to contract out the remaining sensitive system audits. Lack of a documented procedure and process for conducting IT security audits also contributed to the lapse in IT security audits conducted over the last three years. Additionally, Social Services drafted an IT Audit Policy for conducting IT security audits over each sensitive system but has not implemented it since it is pending management’s approval. Social Services indicates it is on track to approve the draft policy and complete the remaining IT security audits by the end of calendar year 2026. The Security Standard requires that each IT system classified as sensitive undergo an IT security audit as required by and in accordance with the current version of the Commonwealth’s IT Security Audit Standard, SEC502 (IT Audit Standard). The IT Audit Standard requires that IT systems containing sensitive data, or systems with an assessed sensitivity of high on any of the criteria of confidentiality, integrity, or availability, receive an IT security audit at least once every three years. Without conducting full IT security audits for each sensitive system once every three years, Social Services increases the risk that IT staff will not detect and mitigate existing weaknesses. Malicious parties taking advantage of continued weaknesses could compromise sensitive and confidential data. Further, such security incidents could lead to mission-critical systems being unavailable. Social Services should finalize and implement its IT Audit Policy then complete all outstanding IT security audits to ensure it meets its IT Audit Policy and Security Standard requirements. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-093: Evaluate Separation of Duty Conflicts within the Case Management System Applicable to: Department of Social Services Assigned Topic: Access Control Prior Finding Number: 2024-041; 2023-034 Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Grants to States for Medicaid – 93.778 Federal Award ID (Year): 2505VA5MAP (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(e) Known Questioned Costs: $0 Benefit Programs continues to implement corrective actions pertaining to evaluating separation of duties conflicts within its case management system. In response to the prior audit findings, Benefit Programs developed a collaborative strategy to address separation of duties conflicts in the case management system and generated a complete listing of current roles and responsibilities. However, because of the extent of its corrective actions, Benefit Programs could not fully develop and implement all corrective actions by the end of fiscal year 2025. Benefit Programs intends to create a matrix to identify individual conflicts, generate a report of users with conflicting roles, and develop justifications and internal controls for these instances by the end of fiscal year 2026. Social Services, in conjunction with local departments of social services, other state agencies, and numerous contractors, uses the case management system to determine applicant eligibility and authorize benefit payments for the Medicaid, SNAP, CCDF Cluster, LIHEAP, and TANF federal grant programs. Social Services authorized over $18 billion in assistance payments to beneficiaries from these federal programs through its case management system during fiscal year 2025. The Security Standard requires the agency to separate duties of individuals as necessary, document separation of duties of individuals, and define information system access authorizations to support the separation of duties. Further, Social Services’ Information Security Policy states that the system owner is responsible for identifying and documenting separation of duties for individuals and defining system access authorizations to support separation of duties. Without identifying and evaluating separation of duties conflicts, Benefit Programs does not know which combination of roles may pose a separation of duties conflict in its case management system. As a result, Benefit Programs is unable to implement compensating controls, which increases the possibility of a system breach or other malicious attack on Social Services’ data and places Social Services’ reputation at risk. Benefit Programs should continue to implement its corrective actions pertaining to evaluating separation of duties within its case management system. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2025-100: Continue Developing Record Retention Requirements and Processes for Electronic Records Applicable to: Department of Social Services Assigned Topic: Contingency Planning Prior Finding Number: 2024-067; 2023-066; 2022-064; 2021-047; 2020-041; 2019-049; 2018-054 Finding Type: Internal Control and Compliance Finding Severity: Significant Deficiency Financial Statement Finding: Yes Federal Awards Finding: Yes ALPT - ALN: Grants to States for Medicaid – 93.778 Federal Award ID (Year): 2505VA5MAP (2025) Federal Agency: U.S. Department of Health and Human Services Compliance Requirement: Other - 2 CFR § 200.303(e); 45 CFR § 155.1210 Known Questioned Costs: $0 Social Services continues to operate without an adequate data retention process that ensures consistent compliance with retention requirements for its case management system and adherence to federal regulations and state law. Social Services’ case management system stores several types of federal benefit program records with varying retention requirements supporting ten programs and services, such as the Medical Assistance (Medicaid), Supplemental Nutrition Assistance (SNAP), Child Care and Development Fund (CCDF) Cluster, Low-Income Home Energy Assistance (LIHEAP), and TANF federal grant programs. Social Services’ case management system authorized over $18 billion in public assistance payments to beneficiaries from these federal programs during fiscal year 2025. Social Services encountered delays with its record purge and retention project because of the magnitude and complexities associated with effectively implementing a retention and purge process for an integrated eligibility system. Additionally, Social Services identified an additional required element of the purge and retention project following its Release 1 implementation in February 2024. For these reasons, Social Services’ plan includes updating the purge and retention design document and implementing Release 2 in August 2025, then completing the purge and retention project with the final releases, Release 3 and Release 4, by February 2026. Title 45 CFR § 155.1210 governs record retention for Medicaid and requires state agencies to maintain records for ten years. Additionally, the Virginia Public Records Act, outlined in § 42.1-91 of the Code of Virginia, makes an agency responsible for ensuring that its public records are preserved, maintained, and accessible throughout their lifecycle, including converting and migrating electronic records as often as necessary so that the agency does not lose information due to hardware, software, or media obsolescence or deterioration. Further, the Virginia Public Records Act (§ 42.1-76 et seq. of the Code of Virginia) details requirements for the disposition of records. Section § 42.1-86.1 requires that records created after July 1, 2006, and authorized to be destroyed or discarded, must be discarded in a timely manner and such records that contain identifying information as defined by subsection C of § 18.2 - 186.3 of the Code of Virginia shall be destroyed within six months of the expiration of the records retention period. Finally, the Security Standard requires agencies to implement backup and restoration plans that address the retention of the data in accordance with the records retention policy for every IT system identified as sensitive relative to availability. Without implementing records retention requirements, Social Services increases the risk of a data or privacy breach. Additionally, destroying documents that should be available for business processes or audit, or keeping data longer than stated, could expose Social Services to fines, penalties, or other legal consequences. Further, Social Services may not be able to ensure that backup and restoration efforts will provide mission-critical information according to recovery times. Finally, retaining records longer than necessary causes the Commonwealth to spend additional resources to maintain, back-up, and protect information that no longer serves a business purpose. Social Services should complete the record purge and retention project for its case management system and should subsequently implement consistent records retention and destruction processes across business divisions to ensure compliance with laws and regulations. Views of Responsible Officials: The views of responsible officials are included in the report related to their organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.