Federal Grantor: Department of Labor Pass-Through: Iowa Workforce Development Program: Workforce Innovation and Opportunity Act (WIOA) Cluster Award No. and Year: 24-N-CI-WI-OA and 2024 Federal Assistance Listing Number: 17.258, 17.259, 17.278 Compliance Requirement: Subrecipient Monitoring Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria: In accordance with Title 2 U.S. Code of Federal Regulations (CFR) 200.332, pass-through entities must comply with the following: 2 CFR 200.332(b) – Evaluate each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward. This evaluation of risk may include consideration of such factors listed in 2 CFR 200.332(b)(1) through (4). 2 CFR 200.332(d) – Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include the information at 2 CFR 200.332(d)(1) through (4). 2 CFR 200.332(f) – Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in 200.501. Condition: The County did not have any formal controls in place for evaluating each subrecipient’s risk of noncompliance or the purpose of determining the appropriate subrecipient monitoring for the WIOA Cluster. Cause: The County did not follow their procedures to evaluate the risk of noncompliance or monitor the activities of each subrecipient, and the County did not maintain documentation of their verification that every subrecipient is audited, as required. Effect: The County’s control policies were not consistently followed which require compliance with Subrecipient Monitoring requirements in 2 CFR 200.332 and did not comply with subrecipient monitoring requirements related to the program. Questioned Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: The entire population of two (2) subrecipients were selected for testing. The condition noted above was identified during our procedures related to subrecipient monitoring and was pervasive to the program. Repeat Finding from Prior Years: No. Recommendation: We recommend that the County adhere to their policies and procedures in accordance with 2 CFR 200.332 to ensure compliance with subrecipient monitoring requirements. Views of Responsible Officials: Management agrees with the finding. See separate corrective action plan.
Federal Grantor: Department of Labor Pass-Through: Iowa Workforce Development Program: Workforce Innovation and Opportunity Act (WIOA) Cluster Award No. and Year: 24-N-CI-WI-OA and 2024 Federal Assistance Listing Number: 17.258, 17.259, 17.278 Compliance Requirement: Subrecipient Monitoring Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria: In accordance with Title 2 U.S. Code of Federal Regulations (CFR) 200.332, pass-through entities must comply with the following: 2 CFR 200.332(b) – Evaluate each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward. This evaluation of risk may include consideration of such factors listed in 2 CFR 200.332(b)(1) through (4). 2 CFR 200.332(d) – Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include the information at 2 CFR 200.332(d)(1) through (4). 2 CFR 200.332(f) – Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in 200.501. Condition: The County did not have any formal controls in place for evaluating each subrecipient’s risk of noncompliance or the purpose of determining the appropriate subrecipient monitoring for the WIOA Cluster. Cause: The County did not follow their procedures to evaluate the risk of noncompliance or monitor the activities of each subrecipient, and the County did not maintain documentation of their verification that every subrecipient is audited, as required. Effect: The County’s control policies were not consistently followed which require compliance with Subrecipient Monitoring requirements in 2 CFR 200.332 and did not comply with subrecipient monitoring requirements related to the program. Questioned Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: The entire population of two (2) subrecipients were selected for testing. The condition noted above was identified during our procedures related to subrecipient monitoring and was pervasive to the program. Repeat Finding from Prior Years: No. Recommendation: We recommend that the County adhere to their policies and procedures in accordance with 2 CFR 200.332 to ensure compliance with subrecipient monitoring requirements. Views of Responsible Officials: Management agrees with the finding. See separate corrective action plan.
Finding Number: 2024-003 Program: Housing Opportunities for Persons with AIDS (HOPWA) ALN #: 14.241 Pass-through Entity: N/A- Direct Award Federal Agency: Department of Housing and Urban Development Federal Award Year: July 1, 2023–June 30, 2024 Compliance Requirement: Subrecipient Monitoring Type of finding: Material weakness and material noncompliance Criteria The 2 CFR sections 200.332(d) through (f) provide the principles to be applied to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. According to 2 CFR 200.303, the nonfederal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The City does not have properly designed controls and documented procedures in place to ensure compliance with the following requirements: • Each subrecipients risk of noncompliance is appropriately evaluated. • Appropriate monitoring of the subrecipient based on their risk of noncompliance. • Verification that subrecipients are audited as required when they are expected to exceed the threshold for having a single audit. Cause The City does not have formal written policies, procedures, and internal controls in place to ensure that all required subrecipient monitoring procedures are performed. Proper perspective During our audit, we noted that four of the four subrecipients selected for testing did not have a completed risk assessment to determine their risk of noncompliance. As such, we were unable to determine that the proper level of monitoring was completed throughout the fiscal year over the contracted subrecipient. Additionally, we noted that the audited financial statements were obtained for the four subrecipients selected for testing, but there was no documentation to evidence the nature and extent of the City’s review of the reports obtained. Possible asserted effect Lack of effective controls and written policies and procedures over subrecipient monitoring could result in the City’s noncompliance with program requirements. Questioned costs None Statistical sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat finding Yes, 2023-005 Recommendation We recommend the City establish a checklist or formal documentation requirements for both risk assessments and review of single audit report procedures. Employees can complete these checklists when obtaining and reviewing the documentation. The City should then conclude on and document the subrecipient’s risk of noncompliance based on the checklist to ensure the proper level of monitoring occurs throughout the year. Views of responsible officials and corrective actions The City has addressed this recommendation. The City has updated policies and procedures in place. A standardized Subrecipient Audit Risk Assessment Checklist is in place and a Monitoring Risk Assessment Checklist has also been developed and implemented to guide and document the evaluation of subrecipient risk, review of single audit reports, monitoring. Federal Grants Division staff will complete this checklist during the initial subrecipient review and update it annually. This will ensure consistent documentation of each subrecipient's risk level and corresponding compliance requirements. The process will enable the City to make informed decisions regarding the appropriate level of monitoring for each subrecipient, based on the risk assessment outcomes. This systematic approach enhances accountability, supports audit readiness, and aligns with federal guidance under 2 CFR Part 200. All the agencies/subrecipients have been informed of the upcoming monitoring.
Finding Number: 2024-009 Program: Coronavirus State and Local Fiscal Recovery Funds ALN #: 21.027 Pass-through Entity: N/A- Direct Award Federal Agency: U.S. Department of Treasury Federal Award Year: July 1, 2023–June 30, 2024 Compliance Requirement: Subrecipient Monitoring Type of finding: Material weakness and material noncompliance Criteria The 2 CFR sections 200.332(d) through (f) provide the principles to be applied to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. According to 2 CFR 200.303, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The City does not have properly designed controls and documented procedures in place to ensure compliance with the following requirements: • Each subrecipients risk of noncompliance is appropriately evaluated. • Verification that subrecipients are audited as required when they are expected to exceed the threshold for having a single audit. • All required elements of the subrecipient contracts are included during execution. Cause The City’s lack of effective internal controls and written policies and procedures have caused the following Proper perspective During the audit, we noted that eight of the nine subrecipient selections did not contain all the required elements of the contract. Additionally, nine of the nine selections completed a risk assessment questionnaire. However, there is no indication that the City reviewed the questionnaires and subsequently concluded on the subrecipient’s risk of noncompliance. We also noted that audited financial statements were obtained for the three subrecipients that required a single audit, but there was no documentation to evidence the nature and extent of the City’s review of the audit reports obtained. Therefore, we were unable to determine if, based on the subrecipient’s risk assessment questionnaire and single audit report, if additional monitoring procedures were required Possible asserted effect Lack of effective controls and written policies and procedures over subrecipient monitoring could result in the City’s noncompliance with program requirements. Questioned costs None Statistical sampling The sample was not intended to be, and was not, a statistically valid sample. Repeat Finding Yes, 2023-009 Recommendation We recommend the City establish a checklist or formal documentation requirements for both risk assessments and review of single audit report procedures. Employees can complete these checklists when obtaining and reviewing the documentation. The City should then conclude on and document the subrecipient’s risk of noncompliance based on the checklist to ensure the proper level of monitoring occurs throughout the year. Views of responsible officials and corrective actions The City has implemented additional controls over subrecipient monitoring by establishing a formal policy to review and document subrecipient qualifications, risk assessments and financial reports and have created subsequent monitoring plans and checklists. noncompliance and control exceptions.
Condition: We tested 100% of the eleven (11) subrecipients and noted the following: • The County failed to adequately monitor the subrecipients. • The contracts did not clearly identify the vendor as a subrecipient relationship. • Funds were not encumbered at the time of the notice to proceed was given to subrecipients. The subrecipients approved by the Board of County Commissioners state that subrecipients or beneficiaries shall provide monthly performance reports until all award funds hereunder have been expended. Through the observation of records, it was determined that monthly performance reports were not submitted each month by entities receiving funding. Cause of Condition: Policies and procedures have not been designed and implemented to ensure federal expenditures are made in accordance with compliance requirements. Effect of Condition: This condition resulted in noncompliance with federal grant guidelines. Recommendation: OSAI recommends the County gain an understanding of the requirements for this program and implement internal controls to ensure compliance with these requirements. Management Response: BOCC Chairman: Board of County Commissioners: The Board of County Commissioners is responsible for the overall fiscal concerns of the county. See OKLA. STAT. Title 19, § 345. The Board of County Commissioners, with the cooperation and participation of all elected officials, reviews, develops and implements policies and procedures to create a strong internal control environment. The Board of County Commissioners will work with all elected officials, the third-party administrator, and federal, state and local partners to develop policies, procedures, and internal controls designed to accurately track grants, including the application process, verification, oversight, and reporting of grant requirements. These policies and procedures will be designed to identify requirements for recipients and sub-recipients of grants, ensure accurate equipment and real property management, procurement, recipient and subrecipient monitoring and reporting. Further, policies will ensure a proper understanding of all grant requirements and compliance of the same. To assist in this process, the Board of County Commissioners engaged a third-party administrator to oversee the grant process, including application, eligibility, review, requirements, contracting, recipient tracking and oversight, and documentation and reporting. The Board of County Commissioners will work with the third-party administrator to ensure proper grant administration. Criteria: 2 CFR 200 §200.332 Requirement for Pass-Through Entities states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the federal award and subaward. (2) All requirements imposed by the pass-through entity on the subrecipient so that the federal award is used in accordance with federal statutes, regulations and the terms and conditions of the federal award. (5) A requirement that the subrecipient permit the pass-through entity and auditors to have access to the subrecipient’s records and financial statements as necessary for the pass-through entity to meet the requirements of this part. (6) Appropriate terms and conditions concerning closeout of the subaward.
System of Internal Controls Over Compliance: Subrecipient Monitoring; U.S. Department of Treasury, Assistance Listing #21.027, Coronavirus State and Local Fiscal Recovery Funds, Passed Through State of Nevada Criteria: In accordance with 2 CFR 200.332, the auditee must maintain a system of internal control over compliance to ensure they provide each subrecipient within the required information to identify the award and applicable requirements under the award and to evaluate risk and monitor the activities of each subrecipient to ensure compliance under the award. Condition: The Organization did not appropriately implement internal controls necessary to ensure appropriate documentation was available to support the performance of controls in compliance with 2 CFR 200.332. Context: The Organization did not identify funds being passed through from one subsidiary of the Organization to a second subsidiary in a timely manner and based on this timing did not appropriately document the performance of internal controls over the compliance for subrecipient monitoring. Cause: The Organization did not identify its only subrecipient for this award in a timely manner. Effect: The Organization was not able to properly document its performance of internal controls over most of the requirements outlined in 2 CFR 200.332 for the award based on untimely identification of its subrecipient. Recommendation: We recommend management design and implement a system of internal controls over compliance where consideration of possible subrecipients is considered when the award is being applied for and that well documented and supportable internal controls over subrecipient monitoring are implemented when there are subrecipients identified under an award. Repeat Finding: No Views of Responsible Officials and Planned Corrective Actions: SJRC NV Region is addressing its missing controls related to the requirements of 2 CFR 200.332. We acknowledge that SJRC must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the information required under 2 CFR 200.332 at the time of the subaward all requirements. This includes that every subaward is clearly identified to the subrecipient as a subaward and includes at the time of the subaward and if any data elements change, that there must be an approved subaward modification. We will also ensure we meet the requirements under 2 CFR 200.332 to include our obligations to risk assess and monitor any subrecipients. The timeframe for correction is immediate and full accounting system control improvements will be implemented as part of our 2025 fiscal year-end close.
Federal Agency: United States Department of Agriculture (USDA) Federal Program: 10.558 Child and Adult Care Food Program (CACFP) 2022, 2023, 2024 - CACFP 2022, 2023, 2024 - CACFP-CIL 2023 and 2024 - CACFP-SPON State Agency: Department of Health and Senior Services (DHSS) - Bureau of Community Food and Nutrition Assistance (BCFNA) Type of Finding: A - Internal Control (Significant Deficiency) and Nonmaterial Noncompliance B - Internal Control (Material Weakness) and Material Noncompliance Questioned Costs: Unknown Compliance Requirement: Subrecipient Monitoring As noted in our previous audit, during the year ended June 30, 2024, BCFNA subrecipient risk assessment and monitoring procedures were not in compliance with subrecipient monitoring requirements and were not sufficient to ensure CACFP subrecipient compliance with program requirements. During the year ended June 30, 2024, the BCFNA disbursed approximately $67.6 million to over 780 CACFP subrecipients, which consist of child and adult care centers and sponsors of centers. Disbursements to subrecipients represented approximately 98 percent of the program's expenditures. As part of its pass-through responsibilities, 7 CFR Section 226.6(a)(5), the BCFNA is required to ensure subrecipients effectively operate the program. Regulation 2 CFR Section 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Regulation 2 CFR Section 200.332(d) requires pass-through entities to monitor the activities of the subrecipient as necessary to ensure the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. The BCFNA's subrecipient monitoring process, outlined in the Internal Nutritionist Manual, provides the requirements for monitoring the CACFP facilities/sponsors. The manual provides the planned frequency and type of monitoring activities, monitoring methods, and corrective action requirements. The manual requires the preparation of a risk assessment at the end of each monitoring review that assigns a grade of A, B, B-, or C to the facility/sponsor based on the number and severity of deficiencies and findings. Facilities/sponsors that receive a C grade are determined to be "seriously deficient." The assigned grade determines the required timing of future monitoring reviews of the facility/sponsor. Facilities/sponsors with an A grade will be next monitored in 3 years, a B grade within 2 years, a B- grade within 6 months to 1 year, and a C grade within 90 days. During each monitoring review, BCFNA personnel review documentation supporting a sample of claims during a test month. Any identified errors and associated overclaims/underclaims exceeding established thresholds are recouped/reimbursed in the facility's/sponsor's future claims. When reviews identify noncompliance, facilities/sponsors are required to prepare and submit a Corrective Action Plan (CAP) to the BCFNA. In addition, as noted at finding number 2024-008, the BCFNA relies on these subrecipient monitoring procedures to prevent and detect meal reimbursement claim errors. Monitoring reviews have identified significant issues and claim errors, including some potentially fraudulent activity, and led to over 15 contract terminations in recent years. To test compliance with subrecipient monitoring requirements, and to evaluate the effectiveness of BCFNA monitoring procedures, we reviewed and analyzed a randomly-selected sample of 60 BCFNA monitoring reviews conducted for 60 CACFP facilities/sponsors during the year ended June 30, 2024. While our review found the sample monitoring reviews were performed in accordance with the policies and procedures outlined in the Internal Nutritionist Manual, we identified areas in which these policies and procedures could be strengthened and improved to ensure facilities/sponsors comply with program requirements and submit proper claims. Our review and analysis of the 60 sampled monitoring reviews noted the monitoring reviews identified significant errors, noncompliance, disallowances, and overclaims. Our comparison of the sampled reviews to prior reviews noted deficient facilities/sponsors generally had continued deficiencies and little improvement from prior reviews, as follows: • Of the 60 sampled, 32 facilities/sponsors received an A grade, while 28 received grades of B, B-, or C. • Of the 24 facilities/sponsors that received grades of B, B-, or C, and had a prior review, 21 (88 percent) received the same or lower grade than the prior review. • Of the 4 facilities/sponsors that received a C grade and had a prior review, 2 (50 percent) received the same grade as the prior review, and 2 (50 percent) received a lower grade. • Of the 7 facilities/sponsors that received a C grade, 4 were terminated as a result of the review or as a result of a subsequent 90-day follow-up review. • For 43 of 59 (73 percent) monitoring reviews for which the BCFNA tested claims (with claims totaling $537,466 during the test months), the BCFNA identified overclaims totaling $48,508 and underclaims totaling $10,144, netting to $38,364, or at least 7 percent of the reimbursements tested. A. Risk Assessments The BCFNA prepares and uses risk assessments to determine the extent of monitoring necessary for each facility/sponsor. However, the risk assessments prepared during the year ended June 30, 2024, considered only the previous monitoring review grade (conducted up to 3 years previously), and did not consider other pertinent risk factors outlined in federal regulations. Regulation 2 CFR Section 200.332(b) suggests risk assessments should consider the subrecipient's prior experience with the same or similar subawards, the results of previous audits, whether the subrecipient has new personnel or new or substantially-changed systems, and the extent and results of federal awarding agency monitoring. While federal regulations provide the BCFNA discretion in selecting risk factors to consider, limiting risk assessments to only one risk factor and ignoring other relevant factors hinders the BCFNA's ability to identify red flags and fraud risk factors and properly assess facility/sponsor risk of noncompliance. Sufficient risk assessments are necessary to ensure monitoring reviews are conducted with adequate frequency to help ensure subrecipient compliance with program requirements. Finding classification This finding is classified as a significant deficiency in internal control and nonmaterial noncompliance with the federal subrecipient monitoring requirements regarding risk assessments. As noted in the finding, BCFNA risk assessments prepared during the year ended June 30, 2024, do not meet the spirit of the federal regulation, which suggests the extent and level of monitoring for each subrecipient be based on various risk factors. As a result, there is a risk that monitoring reviews will not be performed as frequently and thoroughly as needed to identify and address subrecipient noncompliance. Because the BCFNA does perform risk assessments for each subrecipient and does monitor the subrecipients with lower grades with more frequency, the finding did not rise to a level of material noncompliance, and was therefore considered nonmaterial noncompliance. Our decisions regarding the classification of the internal control deficiencies were made in accordance with AU-C Section 935, Compliance Audits and the AICPA Audit Guide: Government Auditing Standards and Single Audits (Audit Guide). In addition to the definitions outlined in part B of this finding, the Audit Guide states "[a] significant deficiency in internal control over compliance is a deficiency, or a combination of deficiencies, in internal control over compliance with a type of compliance requirement of a federal program that is less severe than a material weakness in internal control over compliance, yet important enough to merit attention by those charged with governance." Our evaluation of the deficiencies for the possibility and magnitude of potential noncompliance determined the deficiencies are considered a significant deficiency. B. Subrecipient Monitoring Procedures Our review of BCFNA subrecipient monitoring procedures during the year ended June 30, 2024, noted areas that should be strengthened and improved. Corrective action plans BCFNA CAP review procedures were not adequate to ensure facilities/sponsors made and/or planned sufficient corrective actions to address noncompliance, as required by federal regulations. The Internal Nutritionist Manual requires nutritionists to review subrecipient CAPs outlining corrective actions taken or planned for completeness and to ensure the required action items are adequately addressed. However, during the year ended June 30, 2024, this review was generally performed without verifying the accuracy of the CAP information through review of supporting documentation, testing, or other methods. The BCFNA did not require submission of supporting documentation of corrective actions taken or planned. BCFNA officials indicated they may request supporting documentation on occasion depending on the complexity of the finding, and they verify the CAP during 90-day follow-up reviews of "seriously deficient" facilities/sponsors. Of the 60 monitoring reviews in our sample, 49 required a CAP. The monitoring review documentation indicated the CAP was verified during 7 of the 90-day follow-up reviews, but there was no documentation that the nutritionist verified the CAP information for any of the remaining 42 reviews (86 percent of the 49 reviews that required a CAP). Furthermore, our review of monitoring review documentation noted numerous instances in which the prior year CAP indicated a specific deficiency was addressed, but the same deficiency was again noted in the subsequent review. Regulation 2 CFR Section 200.332(d) provides that monitoring must include following up and ensuring the subrecipient takes timely and appropriate action on all deficiencies identified. The USDA CACFP handbook, Monitoring Handbook for State Agencies (USDA Monitoring Handbook), provides that follow-up reviews (on-site or desk reviews of paperwork) may be conducted any time corrective action is required to ensure the facility/sponsor has completely corrected the review findings, according to its approved corrective action response. Example CAP forms included in the USDA Handbook require facilities/sponsors to submit supporting documentation along with the CAP to verify corrections were made or will be implemented. The USDA CACFP handbook, Serious Deficiency, Suspension, & Appeals for State Agencies & Sponsoring Organizations, provides that facilities/sponsors deemed "seriously deficient," must submit additional supporting documentation with the CAP to document that corrective actions have occurred; this might include copies of income eligibility forms, enrollment rosters, staff training documentation, site monitoring reports, menus, child nutrition labels or manufacturers' product analysis sheets or recipes, attendance records, meal count forms, and itemized food receipts. Without verifying information in CAPs submitted, the BCFNA cannot demonstrate compliance with federal regulations and it lacks assurance the facilities/sponsors took timely and appropriate action on all deficiencies identified during monitoring reviews. In addition, there is increased risk that deficiencies will not be corrected and will continue without detection. In August 2024, the BCFNA implemented an electronic system for facilities/sponsors to upload documentation supporting their CAPs. In May 2025, the BCFNA updated the Internal Nutritionist Manual to provide for reviews of the supporting documentation to verify facilities/sponsors implemented corrective action. Claims testing The Internal Nutritionist Manual and monitoring practices provide for testing of a sample of claims within only 1 test month during each monitoring review, and do not provide for expanded testing when significant errors are identified. BCFNA personnel indicated monitoring reviews are limited to only 1 test month because the USDA Monitoring Handbook does not require expanded testing of records beyond 1 month. While the BCFNA performs additional testing during 90-day follow-up reviews for facilities/sponsors deemed "seriously deficient," additional testing is not performed in any other situation. For example, one facility had a 33 percent overpayment rate and received a B grade while another facility had a 100 percent overpayment rate and received a B- grade; however, additional testing was not performed for either facility. The USDA Monitoring Handbook suggests testing activities during 1 test month, and also suggests the state agency may determine additional review is warranted and review records beyond the test month to determine the extent of the noncompliance. When significant errors are identified, additional testing would help BCFNA nutritionists determine the extent that instances of noncompliance are isolated versus pervasive. Such information would be valuable to the overall conclusions and grade assigned to the review, and in decisions regarding subsequent monitoring. Overclaim recoupment BCFNA subrecipient monitoring procedures do not provide for identification and pursuit of recoupment of all overpayments associated with errors identified during monitoring reviews. When overclaims due to noncompliance with eligibility requirements are identified during monitoring reviews, the BCFNA only identifies and seeks recoupment for the overclaims made during the test month. Overclaims associated with eligibility errors begin at the time the eligibility determination was made and continue until the error is discovered. Although the BCFNA is aware noncompliance occurred during the month(s) before the test month, the BCFNA does not attempt to identify those overclaims. In addition, when a facility/sponsor is terminated, the BCFNA does not always identify or seek recoupment of overclaim amounts. In our sample of 60 monitoring reviews, the contract for 1 sponsor was terminated as a result of a 90-day follow-up review. For this sponsor, in the review prior to the 90-day follow-up review, the BCFNA identified and recouped overclaims totaling $2,278, or 100 percent of total claims tested. In the subsequent 90-day follow-up review significant claim errors were identified in the test month claims, which totaled $1,961; however, the test month claims were not fully tested, and overclaims were not identified or recouped. Any overclaims not identified and recouped from this terminated sponsor would be considered questioned costs; however, those questioned costs are unknown. BCFNA officials indicated they do not pursue recoupment of overclaims beyond the test month because this practice is allowed by the USDA. They indicated they pursue recoupment of overclaims for facilities/sponsors with terminated contracts on a case-by-case basis, considering various factors. However, 7 CFR Section 226.14 provides that state agencies shall disallow and recover any portion of a claim for reimbursement not properly payable, including claims not made in accordance with recordkeeping requirements. Pursuing full recoupment would hold facilities/sponsors accountable for all overclaims and would serve as a deterrent to future errors, noncompliance, and overclaims. Furthermore, without procedures to identify and recoup all overclaims, there is a risk that significant overclaims will go undetected and unrecouped, and questioned costs could be significant. Conclusions In addition to complying with federal requirements, strong subrecipient monitoring procedures are necessary to ensure facilities/sponsors comply with program requirements, submit proper claims, and address deficiencies identified. Without strong internal controls, there is increased risk of noncompliance, errors, fraud, waste, and abuse of federal funds. Strong monitoring procedures would ensure facilities/sponsors are held accountable for, and correct, errors and noncompliance identified. Regulation 2 CFR Section 200.332(g) requires pass-through entities to consider whether the results of the subrecipient's audits, on-site reviews, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity's own records. Furthermore, 2 CFR Section 200.303(a) requires the non-federal entity to "[e]stablish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-federal entity is managing that Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government, issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission." Finding classification This finding is classified as a material weakness in internal control and material noncompliance with the federal subrecipient monitoring requirements. Our audit of the BCFNA's compliance with federal subrecipient monitoring requirements concluded the BCFNA did not materially comply with federal requirements to ensure subrecipients effectively operate the CACFP and to monitor the activities of the subrecipient as necessary to ensure the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. This conclusion is based on the facts, deficiencies, and noncompliance stated in the finding, including the following: (1) Disbursements to subrecipients represented approximately 98 percent of the CACFP expenditures. (2) BCFNA subrecipient monitoring reviews identified significant errors, noncompliance, disallowances, and overclaims; and deficiencies identified often continued for years with little improvement from review to review. The 7 percent subrecipient payment error rate identified by the BCFNA, which exceeds our audit materiality threshold of 4 percent, along with the high rate of continued noncompliance, serve as indicators of the ineffectiveness of the BCFNA monitoring process. (3) The BCFNA did not comply with specific components of federal subrecipient monitoring requirements, including properly following up and ensuring subrecipients take timely and appropriate action on all deficiencies identified and disallowing and recovering improper payments. (4) Multiple deficiencies in monitoring procedures were identified, including the previously-listed deficiencies and inadequate payment testing. In conducting a single audit in accordance with 2 CFR Part 200 (Uniform Guidance), auditors are required by 2 CFR Section 200.514(d)(1)(2), to determine whether the auditee has complied with federal statutes, regulations, and the terms and conditions of federal awards that may have a direct and material effect on each of its major programs, as outlined in the OMB Compliance Supplement. While compliance with the USDA CACFP handbooks was considered in the our audit, our conclusion on compliance is based on the BCFNA's compliance with the federal statutes and regulations, as required. Our decisions regarding the classification of the internal control deficiencies were made in accordance with AU-C Section 935, Compliance Audits and the Audit Guide. The Audit Guide provides the following definitions regarding internal control deficiencies: A deficiency in internal control over compliance exists when the design or operation of a control over compliance does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, noncompliance with a type of compliance requirement of a federal program on a timely basis. A material weakness in internal control over compliance is a deficiency, or combination of deficiencies, in internal control over compliance, such that there is a reasonable possibility that material noncompliance with a type of compliance requirement of a federal program will not be prevented, or detected and corrected, on a timely basis. "A reasonable possibility exists when the likelihood of the event is either reasonably possible or probable…" Reasonably possible is "[t]he chance of the future event or events occurring is more than remote but less than likely." Probable means "[t]he future event or events are likely to occur." The failure to design and implement adequate controls and procedures over subrecipient monitoring led to material noncompliance with the subrecipient monitoring requirements. The BCFNA's controls failed to develop an effective subrecipient monitoring process that ensures subrecipients use subawards for authorized purposes, comply with the terms and conditions of the subawards, and achieve performance goals. Because the internal control deficiencies have not been corrected, it is probable that the material noncompliance will continue. For these reasons, the deficiencies are considered a material weakness. Recommendations The DHSS through the BCFNA: A. Implement a CACFP subrecipient risk assessment process that is consistent with federal regulations. B. Review, strengthen, and enforce subrecipient monitoring procedures to ensure CACFP facilities/sponsors comply with program requirements, submit proper claims, and address deficiencies identified. The BCFNA should enhance procedures to provide for identification and recoupment of overclaims associated with all errors identified during monitoring reviews, as required by federal regulations; expand testing when significant errors are identified; and continue to verify CAP information. The DHSS should identify and recoup the overclaims for the terminated sponsor noted in this finding. Auditee's Response A. We disagree with the auditor's finding. Our Corrective Action Plan includes an explanation and specific reasons for our disagreement. B. We disagree with the auditor's finding. Our Corrective Action Plan includes an explanation and specific reasons for our disagreement. Auditor's Comment The DHSS Corrective Action Plan (CAP) states the DHSS disagrees with the finding because, while the prior year finding (finding number 2023-013) was partially sustained by the USDA - Food and Nutrition Service (USDA-FNS), a corrective action plan was accepted and deemed adequate by the USDA-FNS. The CAP also states in April 2025, the USDA-FNS recommended final action to close the prior year finding. These statements are not accurate. April and June 2025 emails from USDA-FNS officials to the DHSS regarding the prior audit finding, provided to auditors by DHSS officials, indicate the finding was sustained; corrective action was required, taken, and validated by the USFA-FNS; and final action was approved by the USDA-FNS on June 10, 2025. It is unclear why the DHSS considers the prior year finding to be only partially sustained when the Summary Schedule of Prior Audit Findings, which was also prepared by the DHSS, states the finding was sustained. Except for the information mentioned in the audit finding regarding subrecipient corrective action plans, the DHSS did not provide the State Auditor's Office information regarding corrective action taken. Any new procedures would have been implemented after the audit period, and will be subject to subsequent audits. Because the DHSS took no corrective action prior to or during the audit period, this finding is valid.
Federal Agency: Department of the Treasury (Treasury) Federal Program: 21.027 COVID-19 - Coronavirus State and Local Fiscal Recovery Funds SLFRP4542 State Agency: Office of Administration (OA) Type of Finding: A - Internal Control (Material Weakness) and Material Noncompliance B - Internal Control (Material Weakness) and Material Noncompliance Compliance Requirement: Subrecipient Monitoring As noted in our previous audit, the OA has not established policies and procedures regarding monitoring subrecipients of the Coronavirus State and Local Fiscal Recovery Funds (SLFRF) program. As a result, the OA did not comply with the Uniform Guidance (UG) requirements regarding identifying and monitoring subrecipients of the SLFRF program. The OA is the lead agency responsible for administering the SLFRF program. The purpose of the SLFRF program is to provide funding to respond to the COVID-19 public health emergency (PHE) or its negative impacts; respond to workers performing essential work during the PHE; provide government services, to the extent of the reduction in revenue due to the PHE (revenue replacement); make necessary investments in water, sewer, or broadband infrastructure; provide emergency relief from natural disasters or the negative economic impacts of natural disasters; and finance certain surface transportation and housing projects. The OA and various state agencies designed projects within the various allowable SLFRF program categories, and are responsible for administering the projects. The OA developed the American Rescue Plan Act Grant Management Portal (portal) to serve as the official repository of information and documentation supporting each SLFRF program project. The state agencies upload supporting documentation to the portal, including contracts, payment requests, and other supporting documentation. Most payments are made on a reimbursement basis. The OA reviews each payment request and processes the payments. Some SLFRF program projects are administered through subawards. The OA establishes contracts with each subrecipient that outline various SLFRF program requirements, terms, and conditions. In the Schedule of Expenditures of Federal Awards (SEFA), the OA reported approximately $186 million was passed through to subrecipients of the SLFRF program during the year ended June 30, 2024. This amount represents approximately 30 percent of the SLFRF program expenditures. These awards were administered through the OA and 7 other state agencies. However, as noted in finding point A., the amounts are not accurate due to subrecipient determination errors. In response to our prior audit finding, the OA held a training for state agency personnel in August 2024 and sent a letter to state agencies in January 2025 (after the current audit period), covering agency responsibilities related to certain SLFRF program subrecipient monitoring requirements, such as subrecipient determinations and single audits. Of the 7 state agencies that administered subawards reported in the SEFA during the year ended June 30, 2024, 4 administered the majority of the subawards, with payments totaling approximately $181 million, or 97 percent of the total subrecipient payments reported in the SEFA. These 4 state agencies were the Department of Mental Health (DMH), Department of Higher Education and Workforce Development (DHEWD), Department of Natural Resources (DNR), and the Department of Economic Development (DED). Our review and testing of subrecipient monitoring procedures focused on the OA and the 4 state agencies. For the 4 state agencies, a total of 212 recipients were identified as subrecipients in the SEFA. However, as noted in finding point A., this count is not accurate due to subrecipient determination errors. To understand the OA and state agency procedures, and to test compliance with subrecipient monitoring requirements, we randomly selected a sample of payments to 21 subrecipients for the 4 state agencies. In addition, we judgmentally selected an additional subrecipient at one of the agencies because we had received citizen concerns regarding the administration of the subrecipient project. The 22 subrecipients were awarded a total of approximately $230 million in SLFRF program funding and were paid a total of approximately $77.9 million during the year ended June 30, 2024. We reviewed records in the portal supporting the subawards and 1 payment for each of the 22 subrecipients. We reviewed payments totaling approximately $5.9 million. For the judgmentally-selected subrecipient, we reviewed documentation of the state agency's monitoring of the subrecipient, including documentation of decisions to terminate (June 2024), not reinstate (December 2024), and reinstate (June 2025) the project. No significant issues were identified in this review. A. Subrecipient Determination The OA has not established policies and procedures to determine whether recipients of the SLFRF program funds are subrecipients or contractors. As a result, some recipients were incorrectly classified, and the OA lacks a complete and accurate listing of subrecipients. Subrecipient monitoring requirements are outlined in the UG. Regulation 2 CFR Section 200.331 states a pass-through entity must make case-by-case determinations whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. The classification of a subrecipient is dependent on whether the entity is responsible for making eligibility determinations for assistance, has its performance measured in relation to whether the objectives of the federal program were met, has responsibility for programmatic decision-making, is responsible for adherence to federal program requirements, and uses the federal funds to carry out a program for its public purpose. The OA did not evaluate each SLFRF program recipient for the UG criteria, and did not make a determination of whether the entity was a subrecipient or contractor. OA officials assigned responsibility for making these determinations and identifying subrecipients to the applicable state agencies, but did not provide clear guidance to the state agencies or ensure the state agencies properly performed and documented the determinations. One of the 4 state agencies had not documented their determinations for any of their sampled subrecipients and another state agency had not documented its determinations for 2 of 4 sampled subrecipients. Our analysis and review of the population of 212 subrecipients identified in the SEFA for the 4 state agencies revealed 1 state agency incorrectly recorded 2 contractors (office supply and electrical supply companies), with payments totaling $6,509, as subrecipients. The OA is the lead agency responsible for administering the SLFRF program. Without adequate procedures over subrecipient or contractor determinations, the OA lacks assurance that its subrecipients have been identified for subrecipient monitoring purposes. The OA Corrective Action Plan and Summary Schedule of Prior Audit Findings for prior audit finding number 2023-010 state the OA disagrees that it needs to develop policies and procedures regarding subrecipient determinations since the requirements are already stated in the Uniform Guidance and SLFRF program regulations. However, documented policies and procedures are necessary to clearly communicate responsibilities to the state agencies, prevent misunderstandings, and demonstrate adequate internal controls over compliance with subrecipient monitoring requirements. Regulation 2 CFR Section 200.303(a) requires the non-federal entity to "[e]stablish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government, issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission." Paragraph 3.10 of the Standards for Internal Control in the Federal Government, also known as the Green Book, states, "[e]ffective documentation assists in management's design of internal control by establishing and communicating the who, what, when, where, and why of internal control execution to personnel. Documentation also provides a means to retain organizational knowledge and mitigate the risk of having that knowledge limited to a few personnel, as well as a means to communicate that knowledge as needed to external parties, such as external auditors." Paragraph 12.01 states, "[m]anagement should implement control activities through policies." B. Subrecipient Monitoring The OA did not implement an effective subrecipient monitoring program to monitor the SLFRF subrecipients. As a result, some subrecipient monitoring procedures were not performed as required by the UG. Regulation 2 CFR Section 200.332(b) states that pass-through entities must evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Risk assessments may consider factors such as the subrecipient's prior experience with the same or similar subawards, the results of previous audits, whether the subrecipient has new personnel or new or substantially-changed systems, and the extent and results of federal awarding agency monitoring. Regulation 2 CFR Section 200.332(d) requires pass-through entities to monitor the activities of the subrecipient as necessary to ensure the subrecipient is in compliance with federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity; (2) following up and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address single audit findings related to the particular subaward; and (3) issuing a management decision for applicable findings pertaining only to the federal award provided to the subrecipient from the pass-through entity. Regulation 2 CFR Section 200.332(f) requires pass-through entities to verify that every subrecipient had a single audit when it is expected that the subrecipient spent $750,000 or more during the subrecipient's fiscal year. To monitor subrecipients of the SLFRF program, the OA relies on its pre-payment monitoring process. The OA does not perform any post-payment monitoring procedures, and relies on the state agencies to perform these procedures. The OA did not establish policies and procedures over the pre-payment review process and these reviews were not always clearly documented. In addition, the OA did not sufficiently communicate with the state agencies regarding subrecipient monitoring responsibilities or ensure the state agencies performed monitoring reviews. The information communicated to the state agencies in memos, emails, and periodic meetings and trainings with state agency personnel were not formalized in a policy and did not cover all relevant compliance requirements. In addition, the OA did not ensure risk assessments were performed or that subrecipients received single audits as required by the UG. Risk assessments The OA did not ensure required risk assessments for subrecipients of the SLFRF program were performed to determine the nature, timing, and extent of monitoring procedures necessary. Two of the 4 state agencies did not perform any risk assessments for the sampled subrecipients. OA officials indicated risk assessment procedures are the responsibility of the state agencies; however, the OA did not provide clear guidance to the state agencies or ensure the state agencies performed and used risk assessments as required. In addition to complying with federal requirements, risk assessments are necessary to ensure monitoring reviews are conducted with adequate frequency to help ensure subrecipient compliance with program requirements. OA pre-payment monitoring procedures The OA has not developed policies and procedures outlining its pre-payment monitoring procedures and did not always clearly document monitoring performed prior to making payments. In their review and approval of each SLFRF subrecipient payment request, OA officials stated they thoroughly review supporting documentation uploaded to the portal by the state agencies, including contracts, bid documentation, invoices, and other supporting documentation. OA officials further stated they review for compliance with certain types of SLFRF program compliance requirements, including allowable activities and allowable costs, procurement, and period of performance. However, the OA does not clearly document review procedures performed. For each of the 22 subrecipients sampled, the portal included documentation pertaining to some, but not all of the applicable compliance requirements. For example, for 5 subrecipient payments reviewed (for 2 state agencies), the portal included summary invoices, but did not include sufficiently detailed documentation showing compliance with the allowable activities and allowable costs and period of performance compliance requirements. Without documented policies and procedures and documentation of prepayment monitoring procedures performed, the OA cannot demonstrate subrecipient monitoring procedures were performed. Additional monitoring procedures The OA does not monitor subrecipients beyond the pre-payment monitoring process previously described. OA officials stated post-payment monitoring procedures are the responsibility of the state agencies; however, the OA did not sufficiently communicate with the agencies regarding subrecipient monitoring responsibilities or ensure the agencies performed monitoring reviews. Our review of subrecipient monitoring procedures at the 4 state agencies noted 3 agencies had developed written policies or procedures regarding subrecipient monitoring. We also noted state agency review procedures varied significantly, did not cover all significant compliance requirements, and were not always documented. While officials of some state agencies indicated they perform detailed pre-payment reviews for compliance with allowable activities and allowable costs, period of performance, and/or local match requirements, officials of some agencies explained they and the OA sometimes review only summary invoices of expenditures from the subrecipients prior to payment. Additionally, officials of all state agencies described various post-payment review procedures such as reviews for compliance with certain requirements, reviews of documentation supporting expenditures of funds advanced to the subrecipient, billing reviews of documentation supporting summary invoices, and/or reviews of the final work product; however, none of the agencies performed all of these procedures. In addition, the agencies could not always provide documentation such reviews had been performed for the sampled items. In addition to noncompliance with subrecipient monitoring requirements, the failure to ensure sufficient monitoring procedures were performed and documented increases the risk that subrecipient noncompliance will not be prevented or detected timely. Subrecipient audits The OA did not ensure the required reviews of single audit reports for applicable SLFRF program subrecipients were conducted. OA officials indicated the state agencies are responsible for ensuring subrecipients had a single audit, and reviewing and following up on the audit reports; however, the OA did not ensure the state agencies performed these procedures. All 4 agencies described procedures to monitor and follow up on single audit reports. Each subrecipient that spent in excess of $750,000 in federal awards during its fiscal year must obtain a single audit in accordance with the UG within 9 months after the end of the fiscal year. In addition to noncompliance with subrecipient monitoring requirements, the failure to ensure subrecipients received required audits and to review and follow up on the related audit reports, increases the risk that subrecipient noncompliance will not be identified and addressed. Conclusions The following table summarizes the results of our sampling at the 4 state agencies, presented in finding points A. and B. Instances in which a criterion was partially met are shown as the applicable number of items sampled. The OA is the lead agency responsible for administering the SLFRF program. OA officials indicated the state agencies were responsible for some of the subrecipient monitoring requirements. However, without clear communication and monitoring of these responsibilities, the OA lacks assurance of compliance with all subrecipient monitoring requirements. Without an established subrecipient monitoring program, the OA cannot provide assurance subrecipients are complying with SLFRF program requirements and there is increased risk that noncompliance with program requirements or subaward terms and conditions will go undetected, or that subaward performance goals will not be achieved. In addition, a subrecipient monitoring program is necessary to demonstrate adequate internal controls over compliance with subrecipient monitoring requirements. Regulation 2 CFR Section 200.303(a) requires the non-federal entity to "[e]stablish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-federal entity is managing that Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government, issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission." Paragraph 3.10 of the Standards for Internal Control in the Federal Government, also known as the Green Book, states, "[e]ffective documentation assists in management's design of internal control by establishing and communicating the who, what, when, where, and why of internal control execution to personnel. Documentation also provides a means to retain organizational knowledge and mitigate the risk of having that knowledge limited to a few personnel, as well as a means to communicate that knowledge as needed to external parties, such as external auditors." Paragraph 12.01 states, "[m]anagement should implement control activities through policies." Recommendations The OA: A. Develop policies and procedures to determine whether recipients of SLFRF program funds are subrecipients or contractors. Continue to work with the state agencies to ensure accurate and documented determinations are prepared for all recipients, and modify subrecipient records as needed. B. Develop a subrecipient monitoring program in accordance with the Uniform Guidance that includes performing risk assessments for each subrecipient for the purposes of determining the appropriate subrecipient monitoring procedures; monitoring for compliance with federal requirements and subaward terms and conditions, and ensuring subaward performance goals are achieved; and reviewing subrecipient single audit reports. Ensure tasks delegated to state agencies are adequately communicated and establish procedures to ensure those tasks are appropriately completed. Auditee's Response A. We partially agree with the auditor's finding. Our Corrective Action Plan includes an explanation and specific reasons for our disagreement and any planned actions to address the finding. B. We agree with the auditor's finding. Our Corrective Action Plan includes our planned actions to address the finding. Auditor's Comment The OA Corrective Action Plan states the OA partially agrees with Finding point A. because the OA completed training for all agencies regarding agency subrecipient monitoring responsibilities and distributed a memo instructing the agencies to develop subrecipient monitoring policies and procedures. However, as noted in the audit finding, the training was held and letter was sent to state agencies after the current audit period. Because the OA took no corrective action prior to or during the audit period, the internal control weaknesses and noncompliance occurred again in the current audit period.
Federal Agency: Department of Homeland Security - Federal Emergency Management Agency (FEMA) Federal Program: 97.036 Disaster Grants - Public Assistance (Presidentially Declared Disasters) 2017 - FEMA-4317-DR-MO 2019 - FEMA-4435-DR-MO and FEMA-4551-DR-MO 2020 - FEMA-4490-DR-MO and FEMA-4452-DR-MO 2021 - FEMA-4612-DR-MO and FEMA-4636-DR-MO 2022 - FEMA-4665-DR-MO 2023 - FEMA-4741-DR-MO 2024 - FEMA-4803-DR-MO State Agency: Department of Public Safety - State Emergency Management Agency (SEMA) Type of Finding: Internal Control (Material Weakness) and Material Noncompliance Compliance Requirement: Subrecipient Monitoring During state fiscal year 2024, the SEMA did not perform subrecipient monitoring reviews or review subrecipient single audit reports for the Disaster Grants - Public Assistance (Presidentially Declared Disasters) (DGPA) as required. The SEMA disbursed approximately $180 million to 320 DGPA program subrecipients during the year ended June 30, 2024. Regulation 2 CFR Section 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Regulation 2 CFR section 200.332(d) requires pass-through entities to monitor the activities of the subrecipient as necessary to ensure the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. Pass-through entities are required to follow up and ensure the subrecipient takes timely and appropriate action on all deficiencies detected through audits, on-site reviews, and other means. Regulation 2 CFR Section 200.332(f) requires pass-through entities to verify that every subrecipient has a single audit when it is expected that the subrecipient spent $750,000 or more during the subrecipient's fiscal year. The SEMA's tiered monitoring process, outlined in the SEMA's Risk Assessment Form and Recovery Division Monitoring Policy, requires risk assessments be performed 24 months after the disaster declaration for each subrecipient. Risk assessments are to evaluate various risk indicators and categorize each subrecipient as high, medium, or low risk. The risk category determines the required type and nature of monitoring required for the subrecipient. The policy requires on-site monitoring reviews for all high-risk subrecipients and desk reviews of 20 percent of medium-risk subrecipients. No additional action is required for low-risk subrecipients. The monitoring policy requires the SEMA to generate reports listing any deficiencies noted during on-site and desk monitoring reviews. The Monitoring Report will, if applicable, reflect any notice given to the subrecipient about delinquent reports, failure to submit proper documentation, and any issues noted during the review. The monitoring report also identifies the SEMA's and subrecipient's actions and plans to resolve the issue(s), by documenting a brief written plan and timeline for the resolution of the issues identified. When all issues have been resolved, the policy requires a follow-up letter and updated review report to be provided to the subrecipient. The monitoring policy further requires the SEMA during both the desk and on-site monitoring to review the subrecipient's financial and compliance audit reports. The SEMA's single audit compliance policy requires the SEMA to verify every subrecipient had a single audit when required. Once the single audit is reviewed and additional documentation is obtained, the SEMA will issue a Management Decision Letter. Monitoring reviews During state fiscal year 2024, the SEMA's Monitoring Specialist performed risk assessments for all 890 subrecipients of open projects; however, the SEMA did not perform the 190 monitoring reviews of these subrecipients as required by the monitoring policy. The following table shows the results of the risk assessments performed for that fiscal year, and the supervisory monitoring reviews required by federal regulation and SEMA policy. When subrecipient monitoring reviews are not performed as required by federal regulation and SEMA policy, there is increased risk that noncompliance with program requirements will go undetected. Subrecipient audits During state fiscal year 2024, the SEMA did not conduct the required review of single audit reports for applicable DGPA program subrecipients as required by SEMA policies and federal regulations. During September 2023, the SEMA sent letters to all subrecipients asking if they were required to have a single audit; but performed no further procedures such as ensuring subrecipients obtained the audits or reviewing and following up on audit reports. Each subrecipient that spent in excess of $750,000 in federal awards during its fiscal year must obtain a single audit in accordance with federal regulations within 9 months after the end of the fiscal year. In addition to noncompliance with subrecipient monitoring requirements, the failure to ensure subrecipients received required audits and to review and follow up on the related audit reports, increases the risk that subrecipient noncompliance will not be identified and addressed. Conclusions SEMA personnel indicated the monitoring reviews and single audit reviews were not performed due to turnover and shortages in staff. Adherence to policies and procedures is necessary to ensure compliance with subrecipient monitoring requirements. Regulation 2 CFR Section 200.303(a) requires the non-federal entity to "[e]stablish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-federal entity is managing the Federal award in compliance with Federal regulations, SEMA policies and the terms and conditions of the Federal award." Recommendation The SEMA strengthen controls and procedures to ensure subrecipients of the DGPG are monitored in accordance with the monitoring policies and ensure policies are followed to ensure compliance with the monitoring requirements. Auditee's Response We agree with the auditor's finding. Our Corrective Action Plan includes our planned actions to address the finding.
2024-004: Subrecipient Determination and Monitoring Assistance Listing Number (ALN) and Title: 20.205 Highway Planning and Construction Federal Grantor: U.S. Department of Transportation (DOT) Passed-through: Oregon Department of Transportation (ODOT) Award Identification Numbers and Years: Finding is applicable to all 20.205 awards on the SEFA for 2024 Compliance Requirement: Subrecipient Monitoring Type of Finding: Noncompliance and Material Weakness in Internal Control over Compliance. Prior Year Audit Finding: No Criteria: 2 CFR 200.331 requires pass-through entities (PTEs) like LCOG to make case-by-case determinations whether an agreement casts the party receiving funds as a subrecipient or a contractor (vendor). This determination affects reporting on the SEFA (§200.510(b)(4)). Furthermore, 2 CFR 200.332 requires PTEs to evaluate each subrecipient's risk of noncompliance, monitor their activities to ensure compliance with federal requirements (including reviewing financial and performance reports), and verify that subrecipients subject to the Single Audit requirements have obtained the required audit and take appropriate action on any findings effecting the pass-through program (§200.332(b), (d), and (f)). Effective internal controls should ensure proper classification and that required monitoring activities are performed and documented. Condition: LCOG exhibited weaknesses in its process for determining and monitoring subrecipients under ALN 20.205. Specifically: LCOG did not correctly classify entities receiving funds. Multiple vendors were incorrectly identified as subrecipients on the draft SEFA provided for audit. Two entities meeting the definition of subrecipients were identified during audit procedures; however, LCOG had classified them as vendors and omitted them from the draft SEFA. As a result of misclassifying the actual subrecipients as vendors, LCOG did not perform required subrecipient monitoring activities for these entities, such as conducting and documenting a risk assessment or obtaining and reviewing their Single Audit reporting packages. Questioned Costs: None. Context: The misclassifications were identified during audit testing and review of the draft SEFA. While the entities omitted from the SEFA were later confirmed to be subrecipients, LCOG had not performed the required monitoring steps during the fiscal year. Subsequent review of the Single Audit reports for these two subrecipients during the audit process confirmed they had correctly reported the funds received from LCOG and disclosed no audit findings related to this program. No errors were noted in the initial contracting process with these entities. However, the lack of contemporaneous monitoring represents noncompliance and a control weakness. Cause: LCOG lacks adequate procedures for performing and documenting the subrecipient vs. contractor determination based on the criteria in 2 CFR 200.331. This initial failure led to inaccurate SEFA reporting and the subsequent failure to implement required monitoring protocols for entities that were, in fact, subrecipients. Effect: The failure to correctly identify and monitor subrecipients constitutes noncompliance with 2 CFR 200.332 and resulted in inaccurate SEFA reporting. Although no subrecipient noncompliance impacting the program was ultimately identified in this instance, the absence of required monitoring activities (including risk assessment and review of audit reports) creates a risk that subrecipient noncompliance could occur and not be detected by LCOG in a timely manner. This condition represents a material weakness in internal control over compliance. Recommendation: We recommend LCOG implement procedures to: 99 Formally document the determination of whether entities receiving federal funds are subrecipients or contractors prior to entering into agreements and preparing the SEFA, using the criteria in 2 CFR 200.331. Develop and implement a risk-based monitoring plan for all identified subrecipients, ensuring that required monitoring activities (including review of reports and Single Audits, where applicable) are performed and documented throughout the period of performance. Ensure the SEFA accurately reflects subrecipient relationships and amounts passed through. Auditee Views: While we agree that we did not have a formal monitoring plan in place, now that we are aware of the need for such a plan, we will put a plan in place immediately. Once we became aware, we immediately reviewed the single audit reports all subrecipients. As to whether all subrecipients were properly reported on the SEFA, LCOG and ODOT had been in discussions for several months over whether certain entities contracted by LCOG under the Secure Routes to Schools program were, in fact, subrecipients and was unclear due to conflicting guidance received from various individuals. We will begin consulting with ODOT prior to the audit to make sure they agree with the classification of fund recipients as either contractor or subrecipient.
2024-011 U.S. Department of Housing and Urban Development, For the period July 1, 2023, through June 30, 2024, ALN # 14.239– HOME Investment Partnerships Program Criteria: Per 2 CFR §200.331(b), pass-through entities must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Furthermore, 2 CFR §200.332(d) requires pass-through entities to follow up on any audit findings identified in subrecipients’ Single Audit reports that pertain to the federal award. Condition: The City did not perform a documented risk assessment of subrecipients under the HOME program to determine the appropriate level and type of monitoring. Additionally, the City did not obtain or review subrecipients’ Single Audit reports to identify and follow up on any findings related to the HOME program. Two of the four contracts with expenditures in fiscal year 2024 were tested. Cause: The City has not established formal procedures to assess subrecipient risk or to review and follow up on audit findings related to the HOME program. Effect: Without a documented risk assessment and review of subrecipient audit reports: • The City may not tailor its monitoring procedures appropriately, increasing the risk of undetected noncompliance. • Potential issues identified in subrecipient audits may go unaddressed, jeopardizing the integrity of the program and federal funding. Recommendation: The City should implement formal procedures to conduct and document risk assessments for all subrecipients of the HOME program, obtain and review subrecipient Single Audit reports annually, follow up on any findings related to the HOME program to ensure corrective actions are taken. Questioned Costs: none
FINDING REFERENCE NUMBER 2024-012 FEDERAL PROGRAM (ALN 84.287) TWENTY-FIRST CENTURY COMMUNITY LEARNING CENTERS U.S. DEPARTMENT OF EDUCATION AWARD NUMBERS S287C190039C (07/01/2019 – 09/30/2020); S287C200039C (07/01/2020 – 09/30/2021); S287C220039C (07/01/2022 – 09/30/2023) COMPLIANCE REQUIREMENT SUBRECIPIENT MONITORING TYPE OF FINDING MATERIAL NONCOMPLIANCE AND MATERIAL WEAKNESS CRITERIA In accordance with 2 CFR § 200.332(f), pass-through entities are required to monitor the activities of subrecipients as necessary to ensure that the subaward is used for authorized purposes and in compliance with Federal statutes, regulations, and the terms and conditions of the subaward. This includes reviewing subrecipient Single Audit reports to determine whether any audit findings related to the subaward exist and whether appropriate corrective actions are being taken. STATEMENT OF CONDITION As part of our audit procedures, we obtained the list of subrecipients active during the fiscal year 2023-2024, monitoring visit schedules and disbursements made. We selected a sample of three (3) subrecipients to test compliance with internal control policies and compliance with the subrecipient monitoring requirement. We noted the following deficiencies during our tests: 1. For three (3) subrecipients, we did not find any evidence of the receipt of the Single Audit Report or the required financial statements and special Agreed-Upon Procedure Report. 2. For three (3) subrecipients, we were unable to review the performance reports submitted by the subrecipients during the fiscal year because no documentation was provided for our evaluation. 3. The monitoring plan for the fiscal year 2023-2024 was not provided for our evaluation. QUESTIONED COSTS None PERSPECTIVE INFORMATION The PRDE does not maintain an internal control process that provides reasonable assurance of complying with the requirement of receipt, evaluation and issuance of management decisions as required by Federal regulations and the required corrections of any findings and disposition of questioned costs within the required timeframes of the Federal regulations from audit or monitoring process. STATEMENT OF CAUSE The PRDE did not have formal procedures in place to ensure timely collection and review of subrecipients’ Single Audit Report. Responsibilities for this function were not clearly assigned, and monitoring activities were inconsistently documented. POSSIBLE ASSERTED EFFECT Failure to review subrecipient Single Audit Reports increases the risk that audit findings or noncompliance at the subrecipient level may go undetected and unaddressed. This may lead to improper use of Federal funds and noncompliance with Federal requirements. IDENTIFICATION AS A REPEAT FINDING Not previously reported. RECOMMENDATION We recommend that the PRDE establish and implement formal procedures to: Identify all subrecipients subject to Single Audit requirements, obtain and review their audit reports in a timely manner, follow up on relevant audit findings, and maintain documentation of all monitoring activities performed. VIEWS OF RESPONSIBLE OFFICIALS The PRDE acknowledges the auditor’s finding. It Is important to note that information requested is available and exists just that it was not provided in a timely manner for evaluation. The PRDE and the area accepts the recommendations and will work on corrective action plans that help mitigate the delay in providing information per auditors’ requests. IMPLEMENTATION DATE None RESPONSIBLE PERSON Luis M. Oppenheimer Rosario Program Coordinator María de los Ángeles Lizardi Valdés Office of Federal Affairs Director
CRITERIA/SPECIFIC REQUIREMENT: The Code of Federal Regulations (Code) (2 CFR § 200.332 (e)) requires the Regional Office of Education No. 39 to monitor the activities of the subrecipient to ensure the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. The Code (2 CFR §200.303 (a)) requires the Regional Office of Education No. 39 to establish and maintain effective internal control over the federal award to provide reasonable assurance the Regional Office of Education No. 39 is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Effective internal controls should include procedures over subrecipient monitoring. CONDITION: The Regional Office of Education No. 39 did not have adequate controls over subrecipient monitoring in compliance with the Code. CONTEXT: During our testing of four subrecipients, we noted the Regional Office of Education No. 39 did not adequately monitor its subrecipients’ grant reporting requirements: • 43 of 48 (90%) monthly expenditure reports were not received. • 4 of 48 (8%) monthly expenditure reports were received five to 183 days late. • 4 of 4 (100%) annual performance reports were received 51 to 114 days late. EFFECT: Lack of controls over subrecipient monitoring may result in subrecipients not properly administering the federal programs in accordance with federal regulations. CAUSE: Management indicated this was due to oversight and staffing limitation. RECOMMENDATION: We recommend the Regional Office of Education No. 39 establish and implement procedures over subrecipient monitoring. MANAGEMENT’S RESPONSE: The Regional Office of Education No. 39 agrees with the audit findings and although some subrecipient monitoring was conducted, not all of the required reports were received, or they were not received in a timely manner. The Regional Office of Education No. 39 is implementing policies and procedures to ensure subrecipient monitoring is not only received but received in a timely manner as well.
Finding 2024-012 – Noncompliance with Subrecipient Monitoring Over Federal Grant – Coronavirus State and Local Fiscal Recovery Funds (Repeat Finding – 2023-012) PASS-THROUGH GRANTOR: Direct Grant FEDERAL AGENCY: U.S. Department of Treasury ASSISTANE LISTING: 21.027 FEDERAL PROGRAM NAME: Coronavirus State and Local Fiscal Recovery Funds FEDERAL AWARD YEAR: 2021 CONTROL CATEGORY: Subrecipient Monitoring QUESTIONED COSTS: $-0- Condition: The County does not have a subrecipient monitoring policy, and not all subrecipient agreements include the following information: • Subrecipient Authorized Representative and program contact information • Subrecipient Employee Identification Number (EIN) and DUNS number • Federal Award Identification Number (FAIN) • Name of Federal Awarding Agency • Contact information for the official at the Federal Awarding Agency • Subaward Budget Period Start and End Date • Catalog of Assistance Listing (AL) number and name • Federal award date • Provide close out terms and conditions Further, subrecipient and beneficiary agreements approved by the Board of County Commissioners state that subrecipient or beneficiary shall provide monthly performance reports until all Coronavirus State and Local Fiscal Recovery Funds awarded hereunder have been expended. Through the observation of records, it was determined that monthly performance reports were not submitted each month by the following entities receiving Coronavirus State and Local Fiscal Recovery Funds: • City of Chickasha • City of Minco • Grady County Volunteer Fire Departments • Rural Water #6 • Rural Water #7 • Grady County Memorial Hospital (ER Renovations Project) Cause of Condition: Policies and procedures have not been designed and implemented to ensure federal expenditures are made in accordance with compliance requirements. Effect of Condition: This condition resulted in noncompliance with federal grant requirements. Recommendation: OSAI recommends the County gain an understanding of the requirements for this program and implement internal controls to ensure compliance with these requirements. OSAI also recommends that entities receiving ARPA funding submit monthly progress reports as stated under the reporting section of the agreements signed by the Board of County Commissioners. Management Response: Chairman of the Board of County Commissioners: The Board of County Commissioners will take measures to ensure future compliance with all requirements of federal grants Criteria: 2 CFR 200, §200.332 Requirements for Pass-Through Entities states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. (2) All requirements imposed by the pass-through entity on the subrecipient so that the Federal award is used in accordance with Federal statutes, regulations and the terms and conditions of the Federal award. (5) A requirement that the subrecipient permit the pass-through entity and auditors to have access to the subrecipient's records and financial statements as necessary for the pass-through entity to meet the requirements of this part. (6) Appropriate terms and conditions concerning closeout of the subaward.
FINDING 2024-210 The Department did not complete sufficient subrecipient monitoring for the Individuals with Disabilities Education Act (IDEA) program during fiscal year 2024. Type of Finding: Significant Deficiency, Noncompliance Assistance Listing Title: Special Education Cluster Assistance Listing Number: 84.027; 84.173 Federal Award Number: 170ED2131; 170ED2231; 500ED2131; 500ED2141; 500ED2231; 500ED2241; 500ED2331; 500ED2341 Program Year: July 1, 2021 – September 30, 2023; July 1, 2022 – September 30, 2024; July 1, 2021 – September 30, 2023; July 1, 2023 – September 30, 2025 Federal Agency: U.S. Department of Education Compliance Requirement: Subrecipient Monitoring Questioned Costs: None Criteria: The U.S. Code of Federal Regulations (CFR) Uniform Administration Requirements, Cost Principles, and Audit Requirements for Federal Awards (2 CFR 200.303) states that nonfederal entities must establish and maintain effective internal control over the federal award that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations and the terms and conditions of the federal award. The requirements for pass-through entities are in 2 CFR 200.332, which states that all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and include the following information at the time of the subaward or if information changes. The required information includes: • Federal Award Identification. 1. Subrecipient’s name (which must match the name associated with its unique entity identifier) 2. Subrecipient’s unique entity identifier 3. Federal Award Identification Number (FAIN) 4. Federal award date of award to the recipient by the federal agency 5. Subaward period of performance start and end date 6. Subaward budget period start and end date 7. Amount of federal funds obligated by this action by the pass-through entity to the subrecipient 8. Total amount of federal funds obligated to the subrecipient by the pass-through entity to the subrecipient 9. Total amount of the federal award committed to the subrecipient by the pass-through entity 10. Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA) 11. Name of awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity 12. Assistance Listings (AL) number and title 13. Identification of whether the award is research and development (R&D) 14. Indirect cost rate for the federal award • All requirements imposed by the pass-through entity on the subrecipient so that the federal award is used in accordance with federal statutes, regulations, and the terms and conditions of the federal award. • Any additional requirements that the pass-through entity imposes on the subrecipient in order for the pass-through entity to meet its own responsibility to the federal awarding agency, included identification of any required financial and performance reports. Pass-through entities must also: • Evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. • Consider imposing specific subaward conditions upon a subrecipient, if appropriate. • Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subawards, and that subaward performance goals are achieved. • Verify that every subrecipient is audited as required by 2 CFR 200, Subpart F, and follow up on the results of those audits. Further guidance is provided by the U.S. Department of Education in the State General Supervision Responsibilities Under Parts B and C of the IDEA, Monitoring, Technical Assistance, and Enforcement, which states that a state should monitor all LEAs within a reasonable period of time and at least once within a six-year period. Condition: The Department has designed a monitoring plan to meet the IDEA subrecipient monitoring requirements that includes reviewing all LEAs in the State within a five-year period. The USED guidelines indicate reviews should occur within a reasonable amount of time and at least once within a six-year period. The annual award notification letters to LEAs contain the required grant award information. The program administrators perform an annual risk assessment of all LEAs and subrecipients receiving IDEA Funds. The risk assessment dictates the frequency of completed monitoring. The LEAs are scheduled to be reviewed every year for high risk, every two years for medium risk, and every four to five years for low risk. There are approximately 180 LEAs receiving IDEA funding each year; therefore, between 36 and 45 subrecipients should be monitored each year. Fiscal year 2022 was the first year in the monitoring cycle, and monitoring was completed during calendar year 2022 for 35 LEAs. Fiscal year 2023 activity monitoring included 5 LEAs monitored in calendar year 2023, 8 LEAs monitored in calendar year 2024, and 14 LEAs monitored in calendar year 2025. Based on the number of reviews completed in the prior four years, it is unlikely that the Department could complete those remaining 118 reviews in calendar year 2026 to be compliant with the Department’s internal policy or at the conclusion of calendar year 2027 to be compliant with USED monitoring guidelines. Cause: The Department does not have effective written policies and procedures to ensure all LEAs are monitored for IDEA activity within an appropriate amount of time. Further, the Department has not implemented appropriate procedures to ensure monitoring is completed at a sufficient level to ensure compliance with federal program requirements. Effect: Monitoring for fiscal year 2023 activity took three years to complete. This created a significant backlog of monitoring to be completed for activity in fiscal years 2024, 2025, and 2026 that ensures every LEA is reviewed at least once in a six-year period to be compliant with federal monitoring requirements. Monitoring LEAs is a critical requirement in accepting federal funds and ensuring that those funds are spent in compliance with allowable costs and other guidelines provided by the grantor. Lack of monitoring of LEAs increases the risk that LEAs may not comply with the grant terms. Recommendation: We recommend that the Department implement robust written procedures outlining monitoring activities so that an appropriate number of LEAs are monitored annually to help ensure compliance with federal requirements. Management’s View: The Department disagrees with this finding. Corrective Action: Although the Department agrees that not as many LEAs were monitored as might normally be in a given year, the Department is on track to have monitoring activities completed for all LEAs within the five-year cycle and in accordance with the US Department of Education’s six-year cycle. There is no statute that states a certain amount of monitoring must take place each year. Rather, states are required to monitor all LEAs within a six-year period. In Office of Special Education Programs (OSEP) QA 23-01, State General Supervision Responsibilities under Parts B and C of the IDEA, it states: “States should ensure all LEAs or EIS programs are monitored at least once within the six-year cycle of the State’s SPP/APR, presumptively implementing a reasonable timeframe for monitoring.” (See also Q A-11). The special education fiscal monitoring process includes robust written policies and procedures to meet federal requirements, and the Department underwent thorough federal on-site monitoring by OSEP in FY 2024 and passed without any fiscal findings. The LEA fiscal monitoring is assigned and takes place throughout the state fiscal year. The Department has completed or is in the process of completing 88 LEA monitors for the first three years in the cycle before the end of calendar year 2025. Corrective actions will be forthcoming, and LEAs have 365 days to complete any state monitoring and enforcement corrective actions under 34 CFR 300.600(e). This program-specific rule complements the Uniform Grant Guidance of 2 CFR 200.332(d) in which passthrough entities (SEAs) “must ensure subrecipients take ‘timely and appropriate action’ to correct deficiencies.” The Department is currently transitioning to year four of the five-year cycle for FY 2025-26 (reviewing FY 2024-25 records). With the support of five contracted staff, 60 LEAs are scheduled between December 2025 and June 2026 to review FY 2024-25 fiscal records (made available in November 2025 when CPA audits are due to the state). The Department is also continuing to close out corrective action plans for LEAs from prior reviews. Year five (FY 2026-27) of the cycle will evaluate the FY 2025-26 fiscal records of remaining LEAs. Those LEAs will not be available to monitor until November 2026 when LEA CPA audits are finalized and available. The Department will conduct those reviews in FY 2026-27 (after November 2026). The Department will continue to conduct other monitoring activities throughout the year for all LEAs including through claim reimbursement reviews, the annual IDEA Part B Application, and the risk assessment activities in alignment with Idaho’s Special Education System of General Supervision. Auditor’s Concluding Remarks: We thank the Department for its cooperation and assistance throughout the audit. We continue to assert that the Department’s documented progress monitoring LEAs through the end of fiscal year 2024 does not indicate it will comply with federal monitoring requirements. As stated in the finding, documentation reviewed shows that only 62 out of 180 LEAs have been monitored over three and ¾ years, between January 2022 and October 2025. Approximately 63% of the available 6 year monitoring period has elapsed and the Department has only completed approximately 34% of the required reviews. While the Department indicates its intention to catch up the completed reviews, it is unlikely to occur until the Department not only outline a well-defined schedule of monitoring to be completed that complies with the requirements, but also tracks its performance of monitoring completed each year to ensure that each LEA is monitored at least once every six years in accordance with federal monitoring guidelines.
FINDING 2024-215 The Department did not document subrecipient risk assessments or ensure subrecipient audits were received for the Coronavirus State and Local Fiscal Recovery Fund. Type of Finding: Significant Deficiency, Noncompliance Assistance Listing Title: Coronavirus State and Local Fiscal Recovery Funds Assistance Listing Number: 21.027 Federal Award Number: SLFRP0142 Program Year: March 3, 2021 – December 31, 2024 Federal Agency: Department of the Treasury Compliance Requirement: Subrecipient Monitoring Questioned Costs: None Criteria: The U.S. Code of Federal Regulations (CFR) Uniform Administration Requirements, Cost Principles, and Audit Requirements for Federal Awards (2 CFR 200.303) states that nonfederal entities must establish and maintain effective internal control over the federal award that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. The requirements for pass-through entities are in 2 CFR 200.332, which states that all pass-through entities must: • Evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. • Consider imposing specific subaward conditions upon a subrecipient, if appropriate. • Verify that every subrecipient is audited as required by 2 CFR 200, Subpart F, and follow up on the results of those audits. A non-Federal entity that expends $750,000 or more during the non-Federal entity’s fiscal year in Federal awards must have a single or program-specific audit conducted for that year. Condition: The Department received funds for the Coronavirus State and Local Fiscal Recovery Fund (Assistance Listing Number 21.027) from the U.S. Department of Treasury through the Idaho Department of Financial Management. The funds were for two specific program areas within the Department: planning and construction grants for the clean and drinking water infrastructure projects and waste management projects. During fiscal year 2024, there were 128 subrecipients for these funds. The Department established oversight for these funds under the Grant Loan Bureau (planning and infrastructure grants) and the Waste Management Group (various waste management projects). The Department complied with some, but not all, of the pass-through entity requirements. Noncompliance was identified in the following areas: 1) The Department did not adequately document their evaluation of each subrecipient’s risk of noncompliance with federal statutes, regulations, and terms and conditions of the subaward for 13 out of 13 (100 percent) of the sample tested. The Department completes thorough reviews throughout the project timeline to ensure that subrecipients are complying, but those reviews do not adequately assess the subrecipients risk of noncompliance with a subaward, prior to award, as required by 2 CFR 200.332(c). While the Department’s review does ensure each subrecipient has financial review controls in place, the Department does not document a formal risk assessment that evaluates each subrecipient’s risk of noncompliance based on the subrecipient’s prior experience with the same or similar awards, the results of previous awards including whether the subrecipient receives a Single Audit, whether the subrecipient has new personnel, or the extent and results of any Federal agency monitoring. 2) The Department does not have a process in place to ensure that subrecipients are audited, as required by 2 CFR 200, Subpart F for 1 out of 13 (7.69 percent) of the contracts tested. In the prior-year audit, it was stated that the planning/construction group in the Grants Loans Bureau were aware of this issue and have procedures in place within their Loan Grant Tracking Software (LGTS) and that the Waste Program was aware that the subrecipients also required procedures; however, no procedures are in place. During this year’s audit, however, no documentation was submitted in support of the Grants Loan Bureau or the Waste Program. Cause: The Department did not have a formal documented risk assessment process in place as they believed the application process and monitoring during the actual grant award period met the requirements. The Department has procedures in place to check the Federal Audit Clearinghouse for Single Audit Act (SAA) grant audits to see if a subrecipient has a recent audit, however, this procedure alone does not satisfy the requirement. The Department did not deem it necessary to implement additional procedures to ensure an audit was completed for subrecipients meeting the threshold because the grant makes up more than 50 percent of the total project cost and are reimbursement grants. The fact that these are reimbursement grants does not exempt the Department from ensuring that the subrecipient is audited as required by 2 CFR 200, Subpart F. Effect: Subrecipient monitoring is a critical requirement when accepting federal funds and ensuring that those funds are spent in compliance with allowable costs and other guidelines provided by the grantor. Assessing the risk of subrecipient noncompliance enables a pass-through entity to determine the proper level of monitoring procedures. Without completing the risk assessment process, a pass-thought entity may increase the risk that appropriate monitoring procedures will not be performed, and noncompliance may occur and go undetected. Subrecipient audit reports may identify internal control issues and noncompliance with federal award requirements. Reviewing these reports and ensuring that potential issues are addressed decreases the overall risk of noncompliance with the federal award requirements. Recommendation: We recommend that the Department design and implement appropriate procedures to ensure that subrecipient risk assessments are properly completed and documented and subrecipient audits are completed and reviewed in accordance with federal grant regulations. Management’s View: We agree with and acknowledge the three findings presented and are committed to addressing them with the following corrective actions being taken by DEQ. Corrective Action: The Department created a Subrecipient Monitoring Policy that will be implemented by the end of this calendar year, December 31, 2025. This policy includes a risk assessment checklist that will be used prior to issuing a subaward. The results of the risk assessment, the overall risk level, and the level of monitoring will be included in the subaward agreement. The risk assessment and the process will be documented with each subaward request. DEQ has had significant turnover in the fiscal office, which has resulted in gaps of knowledge of policies and practices. In summer 2025, DEQ leadership reorganized the fiscal department to improve efficiency, enhance oversight of grants and contracts, and strengthen financial controls. The fiscal office is currently in a rebuilding phase and is dedicated to training and developing staff, implementing best practices, and documenting processes and procedures. Along with these changes, the grants and contracts teams have been combined to help with oversight and consistency. This is particularly valuable when contracting or procuring goods or services with grant or federal funds. Auditor’s Concluding Remarks: We thank the Department for its cooperation and assistance throughout the audit.
FINDING 2024-231 Supporting documentation for subrecipient risk assessments for the Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises program was not available for review. Type of Finding: Significant Deficiency, Noncompliance Related to Prior Finding: 2023-222 AL Title: Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises AL Number: 93.391 Federal Award Number: 1 NH75OT000105-01-00, 6 NH75OT000105-01-00 Program Year: June 1, 2021 – May 31, 2024 Federal Agency: Department of Health and Human Services Requirement: Subrecipient Monitoring Questioned Costs: None Criteria: The U.S. Code of Federal Regulations (CFR), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) included in 2 CFR 200.303 requires that nonfederal entities receiving federal awards establish and maintain internal control over the federal awards that provides reasonable assurance that the nonfederal entity is managing the federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal awards. The Internal Control Integrated Framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) identifies control activities that help ensure management directives are carried out and risks are mitigated. These activities include approvals, authorizations, verifications, reconciliations, and segregation of duties. The Uniform Guidance included in 2 CFR 200.332(b) states that all pass-through entities must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Additionally, 2 CFR 200.332(c)(2) states that all pass-through entities must evaluate each subrecipient's fraud risk and risk of noncompliance with a subaward to determine the appropriate subrecipient monitoring described in paragraph (f) of this section. When evaluating a subrecipient's risk, a pass-through entity should consider the results of previous audits. This includes considering whether the subrecipient receives a Single Audit in accordance with 2 CFR 200 subpart F and the extent to which the same or similar subawards have been audited as a major program. Condition: The Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises program had a total of 6 subrecipients during fiscal year 2024. During testing, the Department was unable to provide a subrecipient risk assessment for 2 out of 6 subrecipients tested (or 33 percent). In the risk assessment, the Department documents the need for a subrecipient to have a Single Audit, if necessary, and the Department’s review of required subrecipient Single Audits. The Department was compliant with all other aspects of the subrecipient monitoring compliance requirements for the subrecipients. Cause: Staff turnover led to the documentation creation and retention shortcomings as new staff were being trained and onboarded when risk assessments should have been completed and documented, including Single Audit requirements. Effect: The Department is exposed to increased risk of noncompliance related to subrecipients and improper payments in the STLT Health Department Response to Public Health or Healthcare Crises program. Recommendation: We recommend that the Department strengthen internal controls to ensure required risk assessments are completed and supporting documentation is retained. Management’s View: The Department Agrees with this Finding. Corrective Action: The Division of Public Health updates its standard operating procedures annually and communicates updates to staff. The DPH Federal Compliance Officer is conducting monthly trainings to cover all required steps in the process and will begin conducting mini audits in calendar year 2026 to ensure all steps are being followed consistently. Auditor’s Concluding Remarks: We thank the Department for its cooperation and assistance throughout the audit.
Criteria or specific requirement: Per 2 CFR 200.303(a), California Department of Transportation (Caltrans) must establish and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR section 200.332(a), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes certain information at the time of the subaward and if any of these data elements change, include the changes in the subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes identification of the (ii) Subrecipient's unique entity identifier. (iii) Federal Award Identification Number (FAIN) (xiii) Identification of whether the Federal award is for research and development. Condition: Audit procedures included a review of a sample of subrecipient contracts for required information with the following results noted. For 60 of 60 samples, the contract did not include neither Subrecipients unique entity identifier, Federal Award Identification Number (FAIN), nor the identification of whether the Federal award is for research and development. Questioned costs: None Context: See “Condition.” Cause: Current internal controls in place to ensure a review of subaward agreements is taking place to verify that all required elements are included per 2 CFR 200 §200.332 are not being done correctly. Effect: Providing incomplete information to subrecipients may result in inaccurate reporting by the subrecipients and ultimately by Caltrans. Repeat Finding: This was reported in the previous year as finding 2023-006. Recommendation: We recommend management enhance existing controls around the review of all subaward agreements to ensure that all pass-through agreements include each of the required elements by 2 CFR §200.332. Views of responsible officials: Management’s response is reported in “Management’s Response and Corrective Action Plan” included in a separate section at the end of this report.
Criteria or specific requirement: Per 2 CFR section 200.303(a), the Department must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Title 2 – Grants and Agreements. Subtitle A – Office of Management and Budget Guidance for Grants and Agreements. Chapter II – Office of Management and Budget Guidance. Part 200 – Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards. Subpart D – Post Federal Award Requirements. §200.332 Requirements for pass-through entities (2 CFR 200.332): All pass-through entities must: (a) Verify that the subrecipient is not excluded or disqualified in accordance with §180.300. Verification methods are provided in §180.300, which include confirming in SAM.gov that a potential subrecipient is not suspended, debarred, or otherwise excluded from receiving Federal funds. (b) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. 1) Federal award identification. a) Subrecipient name (which must match the name associated with its unique entity identifier); b) Subrecipient’s unique entity identifier; c) Federal Award Identification Number (FAIN); d) Federal Award Date (see the definition of Federal award date in § 200.1 of this part) of award to the recipient by the Federal agency; e) Subaward Period of Performance Start and End Date; f) Subaward Budget Period Start and End Date; g) Amount of Federal Funds Obligated by this action by the pass-through entity to the subrecipient; h) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity including the current financial obligation; i) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity; j) Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA); k) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the Pass-through entity; l) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; m) Identification of whether the award is R&D; and n) Indirect cost rate for the Federal award (including if the de minimis rate is charged) per §200.414. (c) Evaluate each subrecipient’s fraud risk and risk of noncompliance with a subaward to determine the appropriate subrecipient monitoring described in paragraphs (f) of this section. When evaluating a subrecipient’s risk, a passthrough entity should consider the following: 1) The subrecipient’s prior experience with the same or similar subawards: 2) The results of previous audits. This includes considering whether or not the subrecipient receives a Single Audit in accordance with Subpart F and the extent to which the same or similar subawards have been audited as a major program; 3) Whether the subrecipient has new personnel or new or substantially changed systems; and 4) The extent and results of Federal agency monitoring (for example, if the subrecipient also receives Federal awards directly from the Federal agency). Condition: Public Health established a formal risk assessment process over its subrecipients of federal awards by which to determine the frequency and extent of subrecipient monitoring to be performed, however the process was established after the period under audit and applied prospectively. In addition, Public Health used a Department Allocation Letter (DAL) for the COVID-19 program instead of an agreement or contract for the subaward to subrecipients. Certain required information for the subaward federal award information such as Assistance Listings number and Title and Federal Award Identification Number (FAIN) were not clearly identified in the DAL. Questioned costs: None Context: See “Condition.” Cause: Procedures to ensure that all relevant information is included in the grant agreements and risk assessments are performed were not in place at the time of the agreements which resulted in the oversight. Effect: By not properly evaluating the risk of noncompliance, Public Health may inadvertently award grant funds to subrecipients who lack the necessary mechanisms or understanding to comply with federal statutes. This increases the likelihood of noncompliance arising during the performance of the grant-funded activities. Furthermore, failure to provide the necessary documentation to subrecipients may result in misuse or misreporting of funding. Repeat Finding: This was reported in the previous year as finding 2023-009. Recommendation: Public Health should ensure every subaward includes all requirements imposed on the subrecipient so that the federal award is used in accordance with Federal statutes, regulations and the terms and conditions of the federal award. Views of responsible officials: Management’s response is reported in “Management’s Response and Corrective Action Plan” included in a separate section at the end of this report.
Criteria or specific requirement: Title 2 – Grants and Agreements. Subtitle A – Office of Management and Budget Guidance for Grants and Agreements. Chapter II – Office of Management and Budget Guidance. Part 200 – Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards. Subpart D – Post Federal Award Requirements. Standards for Financial and Program Management. §200.303 Internal controls (2 CFR 200.303): The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Title 2 – Grants and Agreements. Subtitle A – Office of Management and Budget Guidance for Grants and Agreements. Chapter II – Office of Management and Budget Guidance. Part 200 – Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards. Subpart D – Post Federal Award Requirements. Subrecipient Monitoring and Management. §200.332 Requirements for pass-through entities (2 CFR 200.332): A pass-through entity must: (c) Evaluate each subrecipient’s fraud risk and risk of noncompliance with a subaward to determine the appropriate subrecipient monitoring described in paragraph (f) of this section. When evaluating a subrecipient’s risk, a passthrough entity should consider the following: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits. This includes considering whether or not the subrecipient receives a Single Audit in accordance with subpart F and the extent to which the same or similar subawards have been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of any Federal agency monitoring (for example, if the subrecipient also receives Federal awards directly from the Federal agency). (e) Monitor the activities of a subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must: (1) Review financial and performance reports. (2) Ensure that the subrecipient takes corrective action on all significant developments that negatively affect the subaward. Significant developments include Single Audit findings related to the subaward, other audit findings, site visits, and written notifications from a subrecipient of adverse conditions which will impact their ability to meet the milestones or the objectives of a subaward. When significant developments negatively impact the subaward, a subrecipient must provide the pass-through entity with information on their plan for corrective action and any assistance needed to resolve the situation. (3) Issue a management decision for audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521. (4) Resolve audit findings specifically related to the subaward. However, the pass-through entity is not responsible for resolving cross-cutting audit findings that apply to the subaward and other Federal awards or subawards. If a subrecipient has a current Single Audit report and has not been excluded from receiving Federal funding (meaning, has not been debarred or suspended), the pass-through entity may rely on the subrecipient’s cognizant agency for audit or oversight agency for audit to perform audit follow-up and make management decisions related to crosscutting audit findings in accordance with section §200.513(a)(4)(viii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. California Code of Regulations. Title 5 Education. § 18023. Compliance Reviews of Contractors. (b) At least once every three (3) years and as resources permit, the California Department of Education shall conduct reviews at the contractor's office(s) and operating facility(ies) to determine the contractor's compliance with applicable laws, regulations or contractual provisions. Child Care and Development Fund (CCDF) Plan for State/Territory California FFY 2022-24, Amendment 4. Chapter 8 Ensure Grantee Program Integrity and Accountability. 8.1 Internal Controls and Accountability Measures to Help Ensure Program Integrity. 8.1.1 Process to train about CCDF requirements and program integrity. States and territories are required to describe effective internal controls that are in place to ensure program integrity and accountability (98.68(a)), including processes to train child care providers and staff of the Lead Agency and other agencies engaged in the administration of CCDF about program requirements and integrity. v. Monitor and assess policy implementation on an ongoing basis. The Lead Agency conducts announced Categorical Program Monitoring (CPM)/Contract Monitoring Reviews (CMRs) for each contractor on a three- or four-year cycle for non-LEAs and LEAs respectively. The Lead Agency’s Governance and Administration Unit (GAU) conducts ongoing review of individual contractors by sampling the eligibility and need documentation in family files to estimate and reduce error rates. Additionally, the Lead Agency provides ongoing training and technical assistance to contractors in regional sessions, in one-on-one sessions, and/or in cluster with webinars or during face to-face presentations. These sessions address CCDF program administration, requirements, and integrity Condition: We selected 60 subrecipient contracts (21 local educational agency (LEA) contracts and 39 non-LEA contracts) from 60 subrecipient entities and tested compliance with subrecipient monitoring requirements. We noted the following: LEA • 2 LEA contracts/contractors had no record of on-site monitoring over five years. Non-LEA • 3 non-LEA contracts/contractors had no records available to demonstrate risk assessment of the contractor. • 11 non-LEA contracts/contractors had no record of on-site monitoring over five years. Questioned costs: None Context: See “Condition.” Cause: In fiscal year 2021, the administration of the CCDF Cluster program was transitioned from the California Department of Education (CDE) to CDSS. CDSS has been in the process of revising certain policies and procedures, including contractor monitoring. In addition, certain records related to CDE monitoring activities for the contracts selected were unavailable for review. Effect: CDSS is at risk for contractor noncompliance if monitoring procedures are not properly designed or executed, and/or documents demonstrating monitoring are not maintained. Repeat Finding: This was reported in the previous year as finding 2023-012. Recommendation: To enhance the effectiveness of the annual risk assessment process, we recommend a thorough evaluation that focuses on the identification and inclusion of all subrecipients and defined risk criteria as mandated in 2 CFR 200.332. Furthermore, it is crucial to establish and document a transparent basis for risk profiling that directly correlates such profiles with compliance monitoring activities across fiscal, program, and single audit requirements. Furthermore, we recommend CDSS perform a comprehensive post-transition review to ensure all monitoring responsibilities transferred from CDE have been fully identified and assigned. This review should validate robust mechanisms are in place for the accurate documentation and proper retention of records. Views of responsible officials: Management’s response is reported in “Management’s Response and Corrective Action Plan” included in a separate section at the end of this report.
Criteria or specific requirement: Per 2 CFR 200.303(a), California Department of Fish and Wildlife (CDFW) must establish and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR section 200.332(a), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes certain information at the time of the subaward and if any of these data elements change, include the changes in the subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes identification of the (xii) Assistance Listing Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings number at time of disbursement. (xiii) Identification of whether the award is R&D. Per 2 CFR §200.332(f), pass-through entities must verify that subrecipients expected to be audited as required by Subpart F have met this requirement. This verification may be performed as part of the monitoring required under §200.332(d)(2), which includes ensuring subrecipients take timely and appropriate action on deficiencies detected through audits. Condition: Audit procedures included a review of a sample of subrecipient contracts for required information with the following results noted. For 10 of 10 samples, the contract did not include neither the Assistance Listing Number nor the identification of whether the award is R&D. Furthermore, the agency did not perform required monitoring to verify that subrecipients subject to the Single Audit requirement (2 CFR Part 200, Subpart F) completed their audits and addressed any findings. Specifically, the agency did not obtain or review subrecipient audit reports for the fiscal year under audit. Questioned costs: None. Context: See “Condition.” Cause: Current internal controls in place to ensure a review of subaward agreements is taking place to verify that all required elements are included per 2 CFR 200 §200.332 are not being done correctly. The agency lacked formal procedures and internal controls to ensure timely collection and review of subrecipient audit reports. CDFW was not performing requirements to document verification of audit completion and corrective actions. Effect: Providing incomplete information to subrecipients may result in inaccurate reporting by the subrecipients and ultimately by CDFW. Without proper monitoring, the agency cannot ensure that subrecipients comply with federal audit requirements or that corrective actions are taken on identified deficiencies. This increases the risk of noncompliance and potential misuse of federal funds. Repeat Finding: This is not a repeat finding. Recommendation: We recommend management enhance existing controls around the review of all subaward agreements to ensure that all pass-through agreements include each of the required elements by 2 CFR §200.332. We recommend that management establish and implement comprehensive procedures to ensure compliance with subrecipient monitoring requirements. These procedures should include identifying which subrecipients are subject to Single Audit requirements, obtaining and reviewing their audit reports on an annual basis, documenting verification of compliance, and ensuring timely follow-up on any corrective actions related to audit findings. Views of responsible officials: Management’s response is reported in “Management’s Response and Corrective Action Plan” included in a separate section at the end of this report.
Assistance Listing 93.136 Injury Prevention and Control Research and State/Community Based Programs Condition: The City’s Department of Public Health (DPH) did not perform risk assessments or monitor the performance of the eight subrecipients tested for this program. Specifically, DPH did not evaluate the risk of fraud and non-compliance or review the financial and performance reports for these eight entities, Funding for this program is received from the U.S. Department of Health and Human Services. Criteria: OMB’s Uniform Guidance 2 CFR Part 200.332(c) states that the pass-through entity is responsible for evaluating each subrecipient’s fraud risk and risk of noncompliance with a subaward to determine the appropriate subrecipient monitoring.2 CFR Part 200.332(f)further states that depending on the pass-through entity’s assessment of the risk posed by the subrecipient, the pass-through entity may need to provide training and technical assistance on program matters, perform site visits to review program operations, or arrange for other agreed-upon procedures, to ensure compliance with program requirements and achievement of performance goals. Finally, 2 CFR Part 200.332(e) requires the pass-through entity to monitor the activities of subrecipients by reviewing the financial and performance reports of subrecipients to ensure that the entities comply with federal statutes, regulations, and the terms and conditions of their subawards. Effect: Failure to perform risk assessments and review the financial and performance reports of subrecipients resulted in noncompliance with subrecipient monitoring requirements set forth in the Uniform Guidance. Without these reviews, DPH may not adequately determine the appropriate level of monitoring needed to ensure that subrecipients comply with program requirements, federal regulations, and other requirements of their subawards. This noncompliance could also lead to the city having to pay back federal awards. Cause: DPH incurred significant staff turnover. Recommendation: DPH should strengthen its policies and procedures to ensure that risk assessments and required monitoring procedures are performed for all subrecipients. Additionally, for subrecipients determined to be high-risk, DPH should provide training and technical assistance, perform site visits, and/or apply other agreed-upon procedures to help ensure that subrecipients are properly accountable for subawards and comply with program requirements. Views of the Responsible Officials and Corrective Action Plan: The Philadelphia Department of Public Health (PDPH) acknowledges the findings of the Office of the City Controllers. PDPH confirms that risk assessments and related monitoring documentation for all subrecipients were not consistently completed or retained during the audit period, primarily due to staff turnover and limited administrative capacity within the grants management function. To address this, the Division of Substance Use Prevention and Harm Reduction (SUPHR) has initiated corrective measures to strengthen compliance with the requirements of 2 CFR 200.332. These measures include implementation of standardized tools and procedures to ensure that subrecipient risk assessments, monitoring activities, and the review of financial and performance reports are conducted in a consistent, timely, and well-documented manner. Implementation of these improvements will enhance internal controls, ensure appropriate oversight of subrecipients, and promote full compliance with federal regulations. The Department anticipates that tools and standard operating procedures will be finalized by December 19, 2025, with full implementation of corrective actions by March 3, 2026. Contact Person: Daniel Teixeira da Silva, Director, Division of Substance Use Prevention and Harm Reduction (SUPHR), 267-760-0307
Assistance Listing 93.323 Epidemiology and Laboratory Capacity for Infectious Diseases Program Condition: The city’s Department of Public Health (DPH) did not perform risk assessments or monitor the performance of three subrecipient entities tested for this program. Specifically, DPH did not evaluate the risk of fraud and non-compliance or review the financial and performance reports for these three entities. Funding for this program is received from the U.S. Department of Health and Human Services. Criteria: OMB’s Uniform Guidance 2 CFR Part 200.331(a) states that a subaward recipient may be considered a subrecipient of the pass-through agency if the recipient 1) determines who is eligible to receive federal assistance, 2) has its performance measured in relation to whether the objectives of a federal program were met, and 3) has responsibility for programmatic decision-making. OMB’s Uniform Guidance 2 CFR Part 200.332(c) states that the pass-through entity is responsible for evaluating each subrecipient’s fraud risk and risk of noncompliance with a subaward to determine the appropriate subrecipient monitoring. 2 CFR Part 200.332(f) further states that depending on the pass-through entity’s assessment of the risk posed by the subrecipient, the pass-through entity may need to provide training and technical assistance on program matters, perform site visits to review program operations, or arrange for other agreed-upon procedures, to ensure compliance with program requirements and achievement of performance goals. Finally, 2 CFR Part 200.332(e) requires the pass-through entity to monitor the activities of subrecipients by reviewing the financial and performance reports of subrecipients to ensure that the entities comply with federal statutes, regulations, and the terms and conditions of their subawards. Effect: Failure to perform risk assessments and review financial and performance reports for subrecipients resulted in noncompliance with subrecipient monitoring requirements set forth in the Uniform Guidance. Without these reviews, DPH may not adequately determine the appropriate level of monitoring needed to ensure that subrecipients comply with program requirements, federal regulations, and other requirements of their subawards. This noncompliance could also lead to the city having to pay back federal awards. Cause: DPH management misclassified these three entities as contractors, rather than subrecipients. For purposes of the Epidemiology and Laboratory Capacity Program, contracts between DPH and the three entities in question specifically state that each of the entities would serve as subrecipients for grant funding awarded through the contracts. Subawards were used to hire additional staff for DPH’s COVID-19 Containment Program, for duties that included determining who is eligible to receive federal assistance, achieving the objectives established by the program, making programmatic decisions, and adhering to all applicable federal program compliance requirements. Recommendation: DPH management should reevaluate the criteria used to determine whether subaward recipients are classified as subrecipients or contractors. Additionally, management should ensure that risk assessments and required monitoring procedures are performed for all entities classified as subrecipients. Views of the Responsible Officials and Corrective Action Plan: The Philadelphia Department of Public Health (PDPH) acknowledges the Office of the City Controller’s finding. PDPH maintains a process to identify subrecipients during the contracting process. Contracts with subrecipients include federal compliance language. The three entities identified in this finding, including Concilio, Urban Affairs Coalition (UAC), and Public Health Management Corporation (PHMC), should have been classified as vendors and not subrecipients. These entities were not responsible for programmatic decision-making. This error has been corrected in subsequent contracts. Despite the misclassification, appropriate vendor monitoring was conducted, including supervision of staff hiring and monitoring and reconciliation of monthly invoice packages. Contact Person: Jessica Caum, Director, Department of Public Health, 215-685-6731 Naomi Mirowitz, Performance and Compliance Officer, Department of Public Health, 215-964-5050
Assistance Listing 93.914 HIV Emergency Relief Project Grants Condition: The Office of Health and Human Services' (HHS) Audit Unit failed to issue a management decision for audit findings related to two subrecipients of the city, who each had audit findings reported in their respective single audits. The fiscal year 2023 single audit of Bebashi and the fiscal year 2024 single audit of The Children's Hospital of Pennsylvania had a significant deficiency reported under the HIV Emergency Relief Program (ALN 93.914) in the Internal Controls over Major Programs section of the Schedule of Findings and Questioned Costs. Funding for HIV Emergency Relief program is received directly from the U.S. Department of Health and Human Services. Criteria: 2 CFR section 200.332(e) states that the pass-through entity must issue a management decision for audit findings pertaining only to the federal award provided to the subrecipient from the pass-through entity as required by 2 CFR 200.521. Effect: The management decision serves to confirm the audit findings and outline a corrective action plan for the subrecipient. Failure to issue a management decision could lead to unresolved findings at the subrecipient level. Cause: HHS incorrectly relies on the auditing firms that perform subrecipient single audits to issue a management decision per 2 CFR section 200.312(e). Recommendation: We recommend that HHS management modifies and/or strengthens its current policies and procedures to ensure that a management decision letter will be issued for audit findings relating to any federal awards that were provided to subrecipients. Views of the Responsible Officials and Corrective Action Plan: HHS acknowledges the Controller’s finding that management decision letters were not issued for specific subrecipient audit findings under ALN 93.914, as required under 2 CFR 200.332(e) and 200.521. While the formal letters were not issued, HHS did review the audit findings, obtained and evaluated the subrecipients’ corrective action plans and confirmed that no questioned costs or additional risks remained. These steps ensured that the underlying corrective actions were completed. To strengthen documentation and ensure consistency across all federal programs, HHS will adopt the following corrective measures: 1. Standard management Decision Template • HHS will adopt a simple, uniform management decision template and clear steps for documenting decisions within the required federal timelines. 2. Central Location for Documentation • HHS will store all management decision letters and related materials in one designated shared location to ensure accessibility and consistent record-keeping. 3. Brief Staff Guidance • HHS will provide concise written guidance to staff outlining: o When a management decision is required, o How to complete it using the template, and o What documentation must be retained? These corrective actions will ensure consistent compliance with federal requirements while supporting the City’s long-term goal of standardizing financial processes across departments. Contact Person: Landuleni Shipanga, Controller, City of Philadelphia Office of Children and Families, 215-683-6366
Finding: 2024-002 Subrecipient Monitoring (Significant Deficiency) Information on the Federal Programs: ALN #10.937 Partnerships for Climate-Smart Commodities Criteria or Specific Requirement (including Statutory, Regulatory, or Other Citation): Per 2 CFR 200.332 Requirements for pass-through entities: Pass-through entities must clearly identify to subrecipients the award information, including the Assistance Listing number, subrecipient’s UEI, Federal award identification number, and Federal award project title (§200.332(a)(1)). Pass-through entities must evaluate each subrecipient’s risk of noncompliance to determine the appropriate subrecipient monitoring (§200.332(b)). Pass-through entities must monitor the activities of subrecipients as necessary to ensure compliance with Federal statutes, regulations, and the terms and conditions of the subaward (§200.332(d)). Pass-through entities must verify that every subrecipient required to have an audit under 2 CFR 200 Subpart F has one completed, and issue management decisions on findings (§200.332(g)). Condition: During our testing of subrecipient monitoring, we noted several deficiencies: 1. Subaward agreements were structured more like subcontracts rather than subrecipient agreements and did not include all elements required under 2 CFR 200.332(a), such as the subrecipient’s UEI and Assistance Listing number. 2. Subrecipients were required to submit periodic invoices for reimbursement instead of financial reports detailing costs incurred by budget line item, cumulative expenditures, cash receipts, and cash balances. 3. CIF did not verify the subrecipient’s audit requirements in a timely manner as required under 2 CFR 200.332(g). 4. Pre-award risk assessments were completed; however, the assessments were undated, preventing the audit team from verifying that they occurred prior to subaward execution. Additionally, the monitoring procedures described in policy were not clearly linked to assessed risk levels, and in certain instances, subrecipients with no prior Federal grant management experience were assigned a “low risk” classification. Cause: These conditions occurred due to a lack of formalized procedures to align subrecipient agreements, reporting requirements, and monitoring activities with the specific requirements of 2 CFR 200.332. Management relied on existing subcontract templates and internal policies that were not fully updated to reflect Uniform Guidance requirements. Effect or Potential Effect: Failure to properly structure subaward agreements, obtain adequate financial reporting, and timely verify audit requirements, increases the risk that subrecipients may not comply with Federal statutes and regulations. Questioned Costs: N/A Context: We tested a statistically valid sample of subawards charged to Federal awards. The deficiencies noted were consistent across the sample population, indicating a systemic issue rather than isolated exceptions. Identification as a Repeat Finding, if Applicable: N/ARecommendation: We recommend that management: Update subaward agreement templates to include all elements required under 2 CFR 200.332(a). Require subrecipients to submit periodic financial reports by budget line item, cumulative expenditures, cash receipts, and cash balances, rather than invoices alone. Establish procedures to ensure subrecipient audit requirements are verified and documented in a timely manner in accordance with 2 CFR 200.332(g). CIF should document the impact of any subrecipient audit findings on the program and the planned corrective action. Revise pre-award risk assessment procedures to include dating and ensure that results are documented prior to subaward execution. Strengthen policies to ensure monitoring procedures are explicitly linked to risk assessment results, with higher levels of oversight required for subrecipients new to Federal grant management.
Criteria: 2 CFR 200.303 Internal Controls (a) Establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control- Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.329 Monitoring and reporting program performance (a) Monitoring by the recipient and subrecipient. The recipient and subrecipient are responsible for the oversight of the Federal award. The recipient and subrecipient must monitor their activities under Federal awards to ensure they are compliant with all requirements and meeting performance expectations. Monitoring by the recipient and subrecipient must cover each program, function, or activity. See also § 200.332. Condition: • Supporting documentation was not available for 4 out of 8 monitoring reports selected for testing. • None of the monitoring reports selected were approved by a second individual as required by the WIB’s policy. Cause: • Documentation was not retained as required. • Internal controls are not in place over eligibility and monitoring as required by the WIB’s policy. Effect: • Funding may be provided to individuals or entities who are not eligible to receive funding under the federal award programs. • Possible reduction of future funding due to noncompliance with federal award program requirements. Questioned Costs: N/A Repeat Finding: No Recommendation: We recommend that the WIB implement controls and document procedures over eligibility monitoring to ensure compliance with federal award requirements.
Condition: During our test of (2) expenditures totaling $332,735, for the Coronavirus State and Local Fiscal Recovery Funds, it was noted the County did not have a subrecipient monitoring policy and did not obtain subrecipient agreements from its two (2) subrecipients comparing the following information: • Subrecipient name. • Subrecipient Authorized Representative and program contact information. • Subrecipient Employee Identification Number (EIN) and Data Universal Numbering System (DUNS) number. • Federal Award Identification Number (FAIN). • Name of Federal Awarding Agency. • Contact information for the official at the Federal Awarding Agency. • Catalog of Assistance Listing (AL) number and name. • Federal award date. • Total amount of the federal award and indirect cost rate. • Federal award project description. • Start and end date of the agreement. • Amount of federal funds budgeted for the agreement and indirect cost rate allowed. • A statement that all activities must be in accordance with federal statutes, regulations, and terms and conditions of the federal award. The subrecipient should receive a copy of the award documents. • A detailed description of any additional requirements you want the subrecipient to be responsible for such as performance and/or financial reports, attending meetings and/or trainings, etc. • A statement about the monitoring activities, such as where/when they will take place; also include a statement indicating the subrecipient will collaborate on monitoring activities including providing requested financial documents. • A statement indicating if any of the items in the agreement change during the period of performance, the agreement will be amended. • Provide close out terms and conditions. Cause of Condition: Policies and procedures have not been designed and implemented to ensure federal expenditures are made in accordance with compliance requirements. Effect of Condition: This condition resulted in noncompliance with grant requirements. Recommendation: OSAI recommends the County gain an understanding of the requirements for this program and implement internal controls to ensure compliance with these requirements. Management Response: Chairman of the Board of County Commissioners: This issue originated under the prior County Clerk’s administration where key reporting processes were not followed. The Board of County Commissioners and the other elected officials have made correcting this a top priority. Together, we are: • developing a comprehensive SOP to ensure accurate and timely tracking and reporting of Federal funds, • improving communication and oversight between all county offices to ensure consistent reporting standards, • and ensuring annual compliance with federal reporting requirements. Our collective goal is to implement the policies and structures that will keep Osage County operating with the highest standard of accountability and excellence County Clerk: I was not the County Clerk in office at this time. To correct this issue, the County plans to develop a SOP to timely and accurately track and report on Grants and Awards. The SOP will be reviewed, adopted, and monitored by the Board of County Commissioners. Criteria: 2 CFR 200, §200.332 Requirements for Pass-Through Entities states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. (2) All requirements imposed by the pass-through entity on the subrecipient so that the Federal award is used in accordance with Federal statutes, regulations and the terms and conditions of the Federal award. (5) A requirement that the subrecipient permit the pass-through entity and auditors to have access to the subrecipient's records and financial statements as necessary for the pass-through entity to meet the requirements of this part. (6) Appropriate terms and conditions concerning closeout of the subaward.
2024-007 Federal Agencies: U.S. Department of Agriculture Federal Program Names: The Child Nutrition Cluster: National School Lunch Program Summer Food Service Program Child and Adult Care Food Program Assistance Listing Numbers: 10.555 10.559 10.558 Pass-Through Agency: Commonwealth of Pennsylvania, Department of Education Pass-Through Number: 359-46-477-8 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Material Weakness in Internal Control over Compliance Criteria: Under 2 CFR 200.332(d), pass-through entities must monitor the activities of subrecipients as necessary to ensure that the subaward is used for authorized purposes and in compliance with Federal statutes, regulations, and the terms and conditions of the subaward. Additionally, Child and Adult Care Program (CACFP), National School Lunch Program (NSLP) and Summer Food Service Program (SFSP) monitoring requirements established by the Pennsylvania Department of Education (PDE) require CBS Food Program to conduct meal observation reviews at each contracted center every six months, including at least two unannounced visits, and maintain documentation of such reviews. Condition: During our testing of subrecipient monitoring activities for PDE programs CACFP, NLSP, and SFSP, we selected 31 contracted centers at random. Management provided documentation for each site, including contracts, meal pattern usage records, licensure and training documentation, and both announced and unannounced meal observation reviews. However, we found that CBS Food Program did not always maintain sufficient evidence to prove required monitoring was performed under the CACFP program. For one center, management could not produce proof that meal observation reviews or the mandated two unannounced visits occurred. At another center, neither a contract nor any meal observation review records, including the two required unannounced visits, could be provided. For the NLSP and SFSP, management was unable to provide contracts for any of the seven sampled centers. Additionally, there was no evidence of training for one center, and a second center had a noncompliant monitoring visit; although corrective action was prepared, follow-up occurred only after 66 days instead of within the required 45-day window. Questioned Costs: None Cause: Management did not maintain sufficient internal controls to ensure required monitoring documentation was consistently obtained, retained, and reviewed for each contracted center. In some cases, monitoring activities may not have been performed, or they were completed but not properly documented. Effect: Failure to perform and/or document required monitoring procedures increases the risk that contracted centers may not comply with PDE CACFP, NLSP and SFSP requirements, potentially resulting in: • Noncompliance with federal monitoring requirements • Inaccurate or unsupported program reimbursements • Risk of disallowed costs or questioned costs under the PDE CACFP, NLSP, and SFSP grants • Inability to demonstrate program oversight during audits Recommendation: We recommend that management strengthen internal controls to ensure all required PDE CACFP, NLSP and SFSP subrecipient monitoring activities, including scheduled meal observations and the mandated unannounced visits—are consistently performed, documented, and retained. Management should implement a centralized tracking system to monitor review deadlines, required follow up actions, and receipt of supporting documentation from each contracted center. In addition, staff responsible for monitoring should receive periodic refresher training on PDE CACFP, NLSP and SFSP specific expectations. Finally, management should conduct periodic internal reviews to verify that monitoring documentation is complete, compliant, and appropriately maintained. Views of Responsible Officers and Corrective Action Plan: Please refer to Community Benefit Solutions dba CBS Food Program’s Corrective Action Plan.
Reference Number: 2024-016 Prior Year Finding: 2023-011 Federal Agency: U.S Department of the Treasury U.S. Department of Education State Agency: Department of Education Federal Program: COVID-19 - Coronavirus State and Local Fiscal Recovery Funds (CSLFRF) COVID-19 – Education Stabilization Fund (ESF) Assistance Listing Number: 21.027 84.425 C, D, R, U, V, W Award Number and Year: CSLFRF: 2021 ESF: S425C210002, 2021-2023 S425D210005, 2021-2023 S425R210006, 2021-2023 S425U210005, 2021-2024 S425V210006, 2022-2024 S425W210021, 2021-2024 Compliance Requirement: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance, Other Matters Criteria or specific requirement: Compliance: Per 2 CFR 200 section 200.332 (a)1 (ii) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes required federal award information at the time of the subaward. If any of the data elements change, include the changes in subsequent subaward modifications. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Subrecipient's unique entity identifier. Per 2 CFR 200 section 200.332 (a)1(d) a non-Federal entity should monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Internal Control: Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should comply with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The Department of Education (Department) was unable to provide documentation that it had subrecipient monitoring procedures in place, nor that monitoring activities were performed. The Department also did not include all required information in subawards it issued to subrecipients. The Department’s 2023 corrective action plan noted that resolution of the finding would not be until FY 2025. The auditor obtained the Department’s project monitoring plan and monitoring survey implemented during fiscal year 2025. Context: ESF: Twenty-nine subrecipients were selected for testing and the following exceptions were noted: • For 29 of 29 subrecipients selected for testing, the Department was unable to provide documentation that subrecipient monitoring procedures were in place nor that subrecipient monitoring was performed. • For 2 of 29 subrecipients selected for testing, the subrecipient’s unique identifier was not obtained. The subaward did not contain the required information nor did the Department provide documentation of obtaining the information for the subrecipient. CSLFRF: For seven of seven subrecipients selected for testing, the Department was unable to provide documentation that subrecipient monitoring procedures were in place nor that subrecipient monitoring was performed. Cause: The subawards for non-public schools did not contain the required information, which was not identified during the review process. The Department’s 2023 corrective action plan noted that resolution of the finding would not be until FY 2025. The auditor obtained the Department’s project monitoring plan and monitoring survey implemented during fiscal year 2025. Effect: The Department is not in compliance with the grantor’s reporting requirements during the audit period. Questioned costs: None noted. Recommendation: We recommend that the Department continue to implement the sub recipient monitoring procedures and develop internal controls to ensure that the monitoring requirements are performed in a consistent and timely manner. Furthermore, the procedures should ensure that the documentation supporting compliance is maintained and readily available for review. We also recommend that the subawards contain all required federal award information. Views of responsible officials: Management agrees with the finding.
Finding 2024-007 U.S. Department of Health and Human Services Assistance Listing Number 93.137 – Community Programs to Improve Minority Health Grant Program Material Weakness and Noncompliance over Subrecipient Monitoring Repeat Finding: Yes, 2023-007, 2023-008, 2023-009 Criteria: A pass-through entity (PTE) must clearly identify to the subrecipient the award as a subaward at the time of subaward (or subsequent subaward modification) by providing the information described in 2 CFR section 200.331(a)(1); all requirements imposed by the PTE on the subrecipient so that the federal award is used in accordance with federal statutes, regulations, and the terms and conditions of the award (2 CFR section 200.331(a)(2)); and any additional requirements that the PTE imposes on the subrecipient in order for the PTE to meet its own responsibility for the federal award (e.g., financial, performance, and special reports) (2 CFR section 200.331(a)(3)). A PTE must also evaluate each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward (2 CFR section 200.332(b)),and monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals (2 CFR sections 200.332(d) through (f)). Condition and Context: For 1 out of 1 selection, the City was not able to provide support showing evidence of the risk assessment performed prior to granting funds to the subrecipient and of the monitoring of the subrecipient during the year. Additionally, various information related to the funding source and the grant were missing on the memorandum of understanding (assistance listing number, federal department grantor, single audit requirements, etc.) Cause: The program has had significant employee turnover and there was a lack of documentation of these policies and procedures. Program management does not have knowledge of the process used to select subrecipients. Monitoring procedures performed were not documented and reports submitted by the subrecipients were not reviewed. Effect or Potential Effect: Failure to explicitly state federally-imposed requirements and regulations may result in noncompliance by the subrecipient. Selecting subrecipients without a formal evaluation process and performing minimal monitoring procedures increases the risk of noncompliance for the City and could lead to a loss of funding if the subrecipients are deemed noncompliant. Questioned Costs: Unknown. Recommendation: Program management should revise subaward agreements to specifically note the requirements and regulations of the Uniform Guidance, as noted in Section 200.331(a). Additionally, program management should develop standardized procedures for selecting and granting subawards. These procedures should be formalized and maintained for future reference. Brief minutes of progress meetings should be taken to show that monitoring is taking place. All reporting by the subrecipient should be reviewed by management of the program. Views of Responsible Officials: Management agrees with the finding. Refer to the Corrective Action Plan Section of this report.
State Agency: Illinois Governor’s Office of Management and Budget (GOMB) Federal Agency: U.S. Department of Agriculture (USDA), U.S. Department of Justice (DOJ), U.S. Department of Labor (DOL), U.S. Department of Transportation (DOT), U.S. Department of the Treasury (TREAS), U.S. Department of Education (USDE), U.S. Department of Health and Human Services (USDHHS), U.S. Department of Homeland Security (USDHS) Program Name: WIC Special Supplemental Nutrition Program for Women, Infants and Children, Cild and Adult Care Food Program (CACFP), Crime Victims Assistance Program (CVA), WIOA Cluster (WIOA), Highway Planning and Construction (Highway Planning), Coronavirus State and Local Fiscal Recovery Funds (SLFRF),Title I Grants to Local Educational Agencies (Title I), Special Education Cluster (IDEA), Twenty-First Century Community Learning Centers (Twenty-First Century), Supporting Effective Instruction State Grants (SEISG) Education Stabilization Fund (ESF), Aging Cluster, Epidemiology and Laboratory Capacity for Infectious Diseases (ELC), Temporary Assistance for Needy Families (TANF), Child Support Services, Low-Income Home Energy Assistance (LIHEAP), Child Care and Development Fund (CCDF) Cluster, Social Services Block Grant (SSBG), Block Grants for Prevention and Treatment of Substance Abuse (SAPT), Homeland Security Grant Program (Homeland Security) ALN and Program Expenditures: 10.557 ($181,526,312), 10.558 ($170,354,298), 16.575 ($53,095,634), 17.258/17.259/17.278 ($142,310,788), 20.205 ($2,192,857,212), 21.027 ($230,448,761), 84.010A ($696,900,040), 84.027/84.173 ($639,950,722), 84.287C ($61,131,992), 84.367A ($79,837,486), 84.425 ($2,176,294,000), 93.044/93.045/93.053 ($68,210,944), 93.323 ($94,269,102), 93.558 ($583,126,272), 93.563 ($135,029,923), 93.568 ($205,171,791), 93.575/93.596 ($747,612,292), 93.667 ($55,634,435), 93.959 ($114,897,412), 97.067 ($78,892,342) Award Numbers: Various – see table of award numbers Federal Award Year: Various – see table of award numbers Questioned Costs: None Compliance Requirement: Subrecipient Monitoring Finding 2024-002: Inadequate Monitoring of Subrecipient Single Audit Reviews Condition Found: The State of Illinois did not establish adequate controls to monitor the completion and documentation of the review of single audit reports for its subrecipients of the Special Supplemental Nutrition Program for Women, Infants, and Children (WIC), Child and Adult Care Food Program (CACFP), Crime Victims Assistance Program (CVA), WIOA Cluster (WIOA), Highway and Planning Construction (Highway), Coronavirus State and Local Fiscal Recovery Funds (SLFRF), Title I Grants to Local Education Agencies (Title I), Special Education Cluster (IDEA), Twenty-First Century Community Learning Centers (Twenty-First Century), Supporting Effective Instruction State Grants (SEISG), Education Stabilization Funds (ESF), Aging Cluster (Aging), Epidemiology and Laboratory Capacity for Infectious Diseases (ELC), Temporary Assistance for Needy Families (TANF), Child Support Services (CSS), Low-Income Home Energy Assistance (LIHEAP), Child Care and Development Fund (CCDF) Cluster, Social Services Block Grant (SSBG), Block Grants for Prevention and Treatment of Substance Abuse (SAPT), and Homeland Security Grant (Homeland Security) programs in the State's Grant Accountability and Transparency Act (GATA) Audit Report Review Management System (ARRMS). The State of Illinois established the Grant Accountability Transparency Unit (GATU) to implement the provisions of GATA on a centralized basis. GATU has established standardized reporting requirements for subrecipients of the various Federal programs administered by the State through its various departments. Subrecipients of the State are required to certify whether they expended more than $750,000 in federal awards during the fiscal year and submit their single audit reporting packages to the Federal Audit Clearinghouse (if required). GATU is then responsible for obtaining the single audit reporting package, verifying the report meets the single audit requirements, and assigning, to the applicable state agency, any findings attributable to amounts passed through to the subrecipient(s) by the State and working with program personnel to issue management decisions on findings. The State utilizes a contractor to perform the centralized functions of obtaining the single audit report, verifying the report meets the requirements, and assigning findings to the applicable State agency. During our testing of subrecipient single audit desk review files for our 2024 major programs, we noted instances where single audit desk reviews were still in process and had not been finalized within GATA ARRMS as of the date of our testing (July 10, 2025). Upon further review of data contained within GATA ARRMS, we identified 637 single audit reviews were identified as incomplete in GATA ARRMS for grantees who: (1) reported expenditures under fiscal year 2024 major programs, (2) had an audit report with a Federal Audit Clearinghouse acceptance date between January 2, 2023 and January 2, 2024 (requiring the report to be reviewed during fiscal year 2024) and (3) were not sanctioned (placed on the Illinois Stop Payment List) by the State for noncompliance with reporting requirements. These 637 reviews were in varying stages of completion with the majority (587 audits) pending documentation supporting the issuance of a final completion letter by the cognizant agency. The remaining 50 audits (7.8%) were pending receipt of documentation, pending a review, or had another error requiring follow-up. These 637 audits included 295 audits (46.3%) with one or more findings potentially requiring a management decision to be issued. We noted the cognizant agencies for the 637 incomplete single audit reviews in GATA ARRMS were as follows: "See Table in the Audit Report" The 637 incomplete single audit reviews in GATA ARRMS pertained to subrecipients of the following major programs: "See Table in the Audit Report" While in many instances there was evidence the State agencies had completed the necessary procedures outside of GATA ARRMS, the purpose of GATA ARRMS is to reduce the duplication of effort across State agencies and to provide a single submission point for the State’s subrecipients. The lack of monitoring controls around this centralized process may result in noncompliance with subrecipient single audit desk review requirements. The State’s subrecipient expenditures under the federal programs for the year ended June 30, 2024 were as follows: "See Table in the Audit Report" Criteria or Requirement: According to 2 CFR 200.332(d), a pass-through entity is required to monitor the activities of subrecipients as necessary to ensure the federal awards are used for authorized purposes in compliance with laws, regulations, and the provisions of contracts or grant agreements and that performance goals are achieved. Further, 2 CFR 200.332(d)(3) and 2 CFR 200.521 state that a pass-through entity is required to issue a management decision on audit findings within six months of acceptance of the audit report by the FAC and ensure that the subrecipient takes timely and appropriate corrective action on all audit findings. In addition, 2 CFR 200.303 requires nonfederal entities to, among other things, establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Effective internal controls should include implementing procedures to monitor whether single audit reports are reviewed, management decision letters are issued, and single audit desk review files are closed out in GATA ARRMS in a timely manner. Cause: In discussing these conditions with GOMB officials, management stated that the incompleteness of the State’s audit reviews in GATA ARRMS was due to oversight. Possible Asserted Effect: Failure to complete and document reviews of subrecipient single audit reports in GATA ARRMS in a timely manner may result in noncompliance with the State’s obligation as a pass-through entity to appropriately monitor its subrecipients. Repeat Finding: A similar finding was reported in the prior year audit as finding number 2024-002. (Finding Code 2024-002, 2023-002) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend GOMB establish procedures to monitor the completion and documentation of single audit report reviews in GATA ARRMS to ensure the State complies with its obligation as a pass-through entity. Views of GOMB Officials: GOMB agrees with the finding.
State Agency: Illinois Department of Human Services (IDHS) Federal Agency: U.S. Department of the Treasury (TREAS) Program Name: COVID-19 – Coronavirus State and Local Fiscal Recovery Funds ALN and Program Expenditures: 21.027 ($230,448,761) Award Numbers: Various – see table of award numbers Federal Award Year: Various – see table of award numbers Questioned Costs: None Compliance Requirement: Subrecipient Monitoring Finding 2024-004: Inadequate Monitoring of Subrecipients of the CSLFRF Program Condition Found: Coronavirus State and Local Fiscal Recovery Funds (CSLFRF) program during the year ended June 30, 2024. Multiple State agencies are involved in awarding, expending, and administering funding under the CSLFRF program in Illinois. As a result, each State agency is responsible for monitoring the subrecipients they award CSLFRF funding. As a pass-through entity of the CLSFRF program, IDHS was responsible for: • Identifying the awards and applicable requirements, • Evaluating each subrecipient’s risks of noncompliance for purposes of determining the appropriate monitoring procedures related to the subaward, • Monitoring the activities of each subrecipient as necessary to ensure the subaward is used for authorized purposes, the subrecipients comply with the terms and conditions of the subawards, and the subrecipients achieve performance goals, and • Issuing a management decision for audit findings pertaining to the federal award provided to each subrecipient, if applicable. IDHS requires CSLFRF subrecipients to provide periodic performance reports which contain performance measures and program accomplishments to permit IDHS to monitor CSLFRF program results. During our testing of documentation provided by IDHS for 28 CSLFRF grantees (with expenditures of $23,703,366), IDHS could not provide evidence periodic performance reports were obtained or reviewed during the audit period by IDHS for 26 of the subrecipients tested. Because the CSLFRF program funds a variety of State programs operated by various program areas and bureaus within IDHS, we noted a variety of report templates were received and methods were used to document reviews. Accordingly, we noted the date certain periodic performance reports were received and reviewed by IDHS could not be validated as they were documented electronically in a spreadsheet which can be modified. Amounts passed through by IDHS to CSLFRF subrecipients totaled $28,591,405 during the year ended June 30, 2024. Criteria or Requirement: According to 2 CFR 200.332(c), a pass-through entity must evaluate each subrecipient's risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward. According to 2 CFR 200.332(e), a pass-through entity is required to monitor the activities of subrecipients as necessary to ensure that federal awards are used for authorized purposes in compliance with laws, regulations, and the provisions of contracts or grant agreements and that performance goals are achieved. 2 CFR 200.332(e)(3) requires pass-through entities to issue management decisions for applicable audit findings pertaining to the federal awards provided to the subrecipient and 2 CFR 200.332(e)(4) requires pass through entities to resolve audit findings through corrective action plans (CAP). In addition, 2 CFR 200.303 requires non-Federal entities receiving Federal awards to establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include performing monitoring procedures in accordance with Uniform Guidance and program requirements. Cause: In discussing these conditions with IDHS officials, management stated IDHS was unable to produce all requested Periodic Performance Reports (PPR) and evidence of review due to inconsistency in applied procedures, staffing changes, and the lack of a central repository. Possible Asserted Effect: Failure to adequately monitor subrecipients may result in the subrecipient not properly administering the federal program in accordance with laws, regulations, and the grant agreement. Repeat Finding: 2024-004, 2023-018) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend IDHS implement subrecipient monitoring procedures in accordance with federal regulations. Views of IDHS Officials: The Department accepts the recommendation. IDHS recognizes the importance of performance monitoring and will implement additional controls to ensure evidence is maintained to support that PPRs are obtained from subrecipients and are appropriately reviewed by IDHS.
State Agency: Illinois Department of Human Services (IDHS) Federal Agency: U.S. Department of Health and Human Services (USDHHS) Program Name: Temporary Assistance for Needy Families, Child Care Development Fund (CCDF) Cluster, Social Services Block Grant, Block Grants for Prevention and Treatment of Substance Abuse ALN and Program Expenditures: 93.558 ($583,126,272), 93.575/93.596 ($747,612,292), 93.667 ($55,634,435), 93.959 ($114,897,412) Award Numbers: Various – see table of award numbers Federal Award Year: Various – see table of award numbers Questioned Costs: Cannot be determined Compliance Requirement: Subrecipient Monitoring Finding 2024-007: Failure to Follow Established Program Subrecipient Monitoring Procedures Condition Found: IDHS did not follow its established program monitoring policies and procedures for subrecipients of the Temporary Assistance for Needy Families (TANF), Child Care Development Fund Cluster (CCDF), Social Services Block Grant (SSBG), and Block Grants for Prevention and Treatment of Substance Abuse (SAPT) programs. IDHS has implemented procedures whereby program staff perform periodic program on-site and desk reviews of IDHS subrecipient compliance with regulations applicable to the federal programs administered by IDHS. IDHS also has implemented procedures whereby staff perform periodic on-site and desk reviews of IDHS subrecipient compliance with fiscal and administrative requirements applicable to multiple State and federal programs. Generally, these reviews are formally documented and include the issuance of a report of the review results to the subrecipient summarizing the procedures performed, results of the procedures, and any findings or observations for improvement noted. IDHS’s policies require the subrecipient to respond to each finding by providing a written corrective action plan. Additionally, IDHS program staff perform reviews of expenditure reports submitted by subrecipients. IDHS subrecipient monitoring procedures are subject to the review and approval of a supervisor. During our test work over program on-site review procedures performed for 82 subrecipients of the TANF, CCDF, SSBG, and SAPT programs, we noted IDHS did not follow its established program monitoring procedures as follows: We tested the program on-site review procedures and fiscal administrative review procedures performed by IDHS during the year ended June 30, 2024 for a sample of subrecipients of the TANF, CCDF, SSBG, and SAPT programs comprised of the following: "See Table in the Audit Report" We noted the following exceptions in our testing of program on-site reviews performed during the year ended June 30, 2024: ● IDHS did not perform on-site monitoring reviews of subrecipients in fiscal year 2024 in accordance with IDHS’ planned monitoring schedule and/or could not provide support for the review. Specifically, we noted the following exceptions: "See Table in the Audit Report" ● IDHS did not provide timely notification (within 60 days) of the results of the programmatic on-site reviews. We noted the following exceptions: "See Table in the Audit Report" ● IDHS did not complete their quality review on a timely basis (within 60 days). We noted the following exceptions: "See Table in the Audit Report" ● IDHS did not receive a corrective action plan from the subrecipient after findings were identified during the review. We noted the following exceptions: "See Table in the Audit Report" During our testing of 31 fiscal and administrative reviews performed for subrecipients of all IDHS’ federal and State programs, we noted IDHS did not provide timely notification (within 180 days) of the results of the fiscal and administrative reviews. Specifically, we noted the delays in the reporting of results to two subrecipients tested ranged from 32 days to 50 days. IDHS could not provide documentation evidencing communication or follow up being performed for these subrecipients during the extended review period. In addition, we noted the SAPT program requires subrecipients to submit periodic reports to allow IDHS to monitor certain programmatic performance metrics. These reports are reviewed quarterly by IDHS program personnel. Any subrecipients who meet less than 80% of the performance metrics reported are also required to submit a corrective action plan to IDHS. During our testing, we noted IDHS was unable to provide documentation evidencing monitoring of the quarterly program reports for our sample of 25 subrecipients (with expenditures of $52,116,654 during the year ended June 30, 2024). Further, IDHS did not have adequate policies or procedures to ensure fiscal and administrative reviews were completed timely to detect potential non-compliance. Criteria or Requirement: According to 2 CFR 200.332(d), a pass-through entity is required to monitor the activities of subrecipients as necessary to ensure that federal awards are used for authorized purposes in compliance with laws, regulations, and the provisions of contracts or grant agreements and that performance goals are achieved. According to 2 CFR 200.332(b), a pass-through entity must evaluate each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward. In addition, 2 CFR 200.303 requires nonfederal entities to, among other things, establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Effective internal controls should include ensuring on-site program procedures and expenditure reviews are performed in a timely manner and adequate documentation is maintained. Cause: In discussing these conditions with IDHS officials, management stated that the deficiencies noted are due to a combination of factors including operational constraints due to staffing, oversight, system transitions, and a need to strengthen governance over timeliness, monitoring and documentation controls. Possible Asserted Effect: Failure to adequately perform and document program on-site monitoring reviews of subrecipients and notify subrecipients of findings in a timely manner may result in subrecipients not properly administering the Federal programs in accordance with laws, regulations, and the grant agreement. Failure to properly review subrecipient expenditures may result in inaccurate payments or unallowable costs. Repeat Finding: A similar finding was reported in the prior year audit as finding number 2023-010. (Finding Code 2024-007, 2023-010, 2022-008, 2021-017, 2020-015, 2019-013, 2018-012, 2017-013, 2016-012, 2015-011, 2014-008, 2013-009, 12-07, 11-09) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend IDHS ensure programmatic on-site and expenditure report reviews are performed and documented for subrecipients in accordance with established policies and procedures. In addition, we recommend IDHS review its process for reporting and following up on program findings relative to subrecipient on-site reviews to ensure timely corrective action is taken. Views of IDHS Officials: The Department accepts the recommendation. IDHS will work to ensure programmatic on-site and expenditure report reviews are completed and documented in accordance with policies and procedures and review its process for reporting and follow up on program findings resulting from on-site reviews. IDHS will continue to work to fill vacancies, administer training programs, increase oversight, develop automated processes, and revise procedures to improve internal controls over these functions.
State Agency: Illinois State Board of Education (ISBE) Federal Agency: U.S. Department of Education (USDE) Program Name: Twenty-First Century Community Learning Centers (21st Century) ALN and Program Expenditures: 84.287 ($61,131,992) Award Numbers: Various – see table of award numbers Federal Award Year: Various – see table of award numbers Questioned Costs: None Compliance Requirement: Subrecipient Monitoring Finding 2024-025: Inadequate Monitoring of 21st Century Subrecipients Condition Found: ISBE did not adequately monitor and document program monitoring procedures performed over subrecipients of the 21st Century Community Learning Centers (21st Century) program. The 21st Century program operates to provide State educational agencies and local educational agencies (LEAs) with funding specific to rural and inner-city public schools. To monitor the 21st Century program activities performed by Illinois elementary and secondary schools, ISBE has established Tier I, Tier II, and Tier III monitoring activities which are applied to each subrecipient (LEA or school district) depending upon the annual risk score determined by ISBE. ISBE’s 21st Century program subrecipient monitoring manual outlines the risk assessment procedures to determine the tier of monitoring required, the methods used for tier determination, and documentation required for each tier of monitoring. Because the size and scope of each subrecipient can vary greatly, ISBE has further subdivided subrecipients into cohorts and sites (individual schools) for purposes of applying certain monitoring procedures. Tier I subrecipient monitoring procedures apply to all subrecipients, with no consideration of the risk assessment score they have received and consist of a twice-a-year call in which ISBE personnel discuss enrollment and registration statistics, progression towards goals specific to the district, and budgetary changes. A notification email is sent twice a year, alerting the subrecipient that a call is required to be scheduled. Once the call is scheduled, a call form detailing the responses to the discussion points is completed by ISBE personnel during the call to evidence the call was conducted and any matters for follow up. documentation provided by the subrecipient to address each portion of review. ISBE documents the completion of its desk review procedures with a letter to the subrecipient communicating any noncompliance and requesting corrective action, if applicable. Any required corrective action plans are reviewed and formally accepted by ISBE in a letter to the subrecipient. Tier III applies to specific subrecipient sites who receive a high-risk assessment score and consists of an on-site review including interviews with the project director and site coordinators, and observations of the academics and academic enrichment taking place at each site. ISBE personnel complete monitoring checklists to evidence the completion of its on-site procedures and a summary checklist is completed after the on-site visit to summarize all areas of noncompliance. A letter is sent to the subrecipient communicating the completion of the on-site review, any noncompliance, and requesting corrective action, if applicable. Any required corrective action plans are reviewed and formally accepted by ISBE in a letter to the subrecipient. During the year ended June 30, 2024, ISBE identified 33 Tier III high-risk subrecipients (with expenditures totaling $36,676,176) which included 47 total subrecipient sites required to have on-site reviews performed. During our testing of seven high risk subrecipient sites selected for testing (related to seven subrecipients with expenditures totaling $15,207,297), we noted ISBE was unable to provide documentation evidencing on-site reviews were performed for five of the subrecipient sites samples. We also noted documentation was not available to evidence the reviews of the other two subrecipient sites sampled were completed as ISBE could not locate documentation of the procedures performed, conclusions reached, or communication of the review results to the subrecipient sites. In addition, we noted ISBE’s internal controls over subrecipient on-site monitoring are not designed at an appropriate level of precision to ensure monitoring of subrecipients is completed, documented, and retained as required by ISBE policies and procedures. ISBE passed through approximately $59,630,722 to 78 subrecipients of the 21st Century program during the year ended June 30, 2024. Criteria or Requirement: According to 2 CFR 200.332(d), a pass-through entity must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations and the terms and conditions of the subaward, and that the subaward performance goals are achieved. According to 2 CFR200.332(b), a pass-through entity must evaluate each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward. Additionally, 2 CFR 200.303 requires non-Federal entities receiving Federal awards to establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include establishing supervisory procedures at an appropriate level of precision to ensure adequate monitoring is performed and documentation is maintained. Cause: In discussing these conditions with ISBE officials, they stated the inability to provide required documentation is attributable to staff turnover as those responsible for these monitoring activities have since left ISBE. Possible Asserted Effect: Failure to perform required monitoring procedures and maintain documentation may result in subrecipients not properly administering the Federal programs in accordance with laws, regulations, and grant agreements. Repeat Finding: A similar finding was reported in the prior year audit as finding number 2023-045. (Finding Code 2024-025, 2023-045) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation:We recommend ISBE establish policies and procedures to ensure programmatic monitoring is performed and appropriately documented. Views of ISBE Officials: Management agrees with the finding and has developed processes and structures to correct it.
State Agency: Illinois Department of Transportation (IDOT) Federal Agency: U.S. Department of Transportation Program Name: Highway Planning and Construction (HPC) Program ALN and Program Expenditures: 20.205 ($2,192,857,212) Award Numbers: Various – see table of award numbers Federal Award Year: Various – see table of award numbers Questioned Costs: None Compliance Requirement: Subrecipient Monitoring Finding 2024-041: Failure to Communicate Award Information to Subrecipients Condition Found: IDOT did not follow its established policies and procedures for monitoring subrecipients of the Highway Planning and Construction program. During our testwork of the award communications for our sample of subrecipients, we selected the contracts under which funds were disbursed during fiscal year 2024 to review for compliance with federal award communication requirements. During our review of the award communication files for a sample of 30 awards (related to subrecipient expenditures of $46,016,588), we noted the following information was not communicated in the subrecipient award agreement for three subrecipients sampled (with payments totaling $742,559): • Federal Award Identification Number (FAIN) • Assistance Listing Number (ALN) • Subaward Period of Performance Start and End Date • Subrecipient’s Unique Entity Identifier Amounts passed through to subrecipients under the Highway Planning and Construction program totaled $94,970,638 during the year ended June 30, 2024. Criteria or Requirement: According to 2 CFR 200.332(a), a pass-through entity is required to identify Federal awards made to the subrecipient by informing each subrecipient of required information. In addition, 2 CFR 200.303 requires nonfederal entities to, among other things, establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Effective internal controls should include controls to ensure required information is properly communicated. Cause: In discussing these conditions with IDOT officials, they stated there are two separate causes for this finding. For two of the agreements, the FAIN and ALN were overlooked when drafting the agreement. In these instances, it was employee oversight. For the final agreement noted, elements were missing from the template at that time, and IDOT was unaware of any requirements to have the CFDA# (ALN), DUNS number (UEI), or single audit included in the agreement as it was executed in 2002. Possible Asserted Effect: Failure to communicate required award information may result in subrecipients not properly administering the Federal programs in accordance with laws, regulations, and the grant agreement. Repeat Finding: A similar finding was not reported in the prior year audit. (Finding Code 2024-041) Recommendation: We recommend IDOT implement additional procedures to ensure award information communicated to subrecipients is reviewed for completeness and accuracy. Views of IDOT Officials: IDOT agrees with the finding.
State Agency: Illinois Criminal Justice Information Authority (ICJIA) Federal Agency: U.S. Department of Justice (USDOJ) Program Name: Crime Victim Assistance ALN and Program Expenditures: 16.575 ($53,095,634) Award Numbers: Various – see table of award numbers Federal Award Year: Various – see table of award numbers Questioned Costs: None Compliance Requirement: Subrecipient Monitoring Finding 2024-042: Failure to Adequately Monitor Subrecipients Condition Found: ICJIA did not follow its established program monitoring policies and procedures for subrecipients of the Crime Victim Assistance (CVA) program during fiscal year 2024. ICJIA selects subrecipients of the CVA program to perform programmatic monitoring procedures using a risk-based approach. Among other things, ICJIA has identified subrecipients receiving CVA funding under shorter term programs (12 months or less in duration) as higher risk and requires an on-site review to be performed once during the period of performance. Additionally, longer term programs (12 to 36 months in duration) require an on-site review in the first twelve months of the period of performance and a second on-site review during the remaining period of performance. In scheduling the timing of its on-site reviews, ICJIA considers whether there are any additional subrecipient specific risk factors that warrant an earlier review time. Based upon ICJIA’s monitoring criteria, we noted ICJIA should have conducted site visits for 51 subrecipients (with expenditures totaling $26,561,276) from longer term programs during the year ended June 30, 2024. During our review of the subrecipient site visits conducted during State fiscal year 2024, we noted 14 of the 51 subrecipients from longer term programs (with expenditures of $4,215,392 during the year ended June 30, 2024) were not subjected to site visits. Additionally, we noted three of the 51 reviews required to be performed during the year ended June 30, 2024 were not performed within the required time period. Specifically, we noted reviews for three subrecipients (with expenditures of $659,442) were performed 19 to 21 days late. ICJIA passed through $50,412,108 to subrecipients of the CVA program during the year ended June 30, 2024. Criteria or Requirement: According to 2 CFR 200.332(e), a pass-through entity is required to monitor the activities of subrecipients as necessary to ensure that federal awards are used for authorized purposes in compliance with laws, regulations, and the provisions of contracts or grant agreements and that performance goals are achieved. ICJIA’s Site Visits policy requires Grant Specialists to conduct two site visits within thirty-six months of the start of a grant with the first site visit taking place within the first twelve months, unless the grantee’s Program Risk Assessment requires that a site visit be completed within a shorter time period. In addition, 2 CFR 200.303 requires non-Federal entities to, among other things, establish and maintain internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Effective internal controls should include ensuring on-site program monitoring procedures are performed in a timely manner. Cause: In discussing these conditions with ICJIA officials, they stated due to staffing shortages within the federal and state grants unit, all of the required visits were not completed. Possible Asserted Effect: Failure to adequately perform on-site monitoring reviews of subrecipients may result in subrecipients not properly administering the Federal programs in accordance with laws, regulations, and the grant agreement. Repeat Finding: A similar finding was reported in the prior year audit as finding number 2023-033. (Finding Code 2024-042, 2023-033) Recommendation: We recommend ICJIA ensure programmatic on-site reviews are performed and documented for subrecipients in accordance with established policies and procedures. Views of ICJIA Officials: ICJIA acknowledges that these gaps in documentation and consistency contributed to the finding and has taken corrective actions to strengthen monitoring procedures, enhance documentation standards, and ensure timely follow-up with subrecipients.
State Agency: Illinois Criminal Justice Information Authority (ICJIA) Federal Agency: U.S. Department of Justice (USDOJ) Program Name: Crime Victim Assistance ALN and Program Expenditures: 16.575 ($53,095,634) Award Numbers: Various – see table of award numbers Federal Award Year: Various – see table of award numbers Questioned Costs: None Compliance Requirement: Subrecipient Monitoring Finding 2024-043: Inadequate Review of Subrecipient Single Audit Reports Condition Found: ICJIA did not adequately review single audit reports received from its subrecipients for the Crime Victim Assistance Program (CVA) program on a timely basis. The State of Illinois established the Grant Accountability and Transparency Unit (GATU) to implement the provisions of the State’s Grant Accountability and Transparency Act (GATA) on a centralized basis. GATU has established standardized reporting requirements for subrecipients of the various Federal and State programs administered by the State through its various departments. Subrecipients of the State are required to certify whether they expended more than $750,000 in federal awards during the fiscal year and submit their single audit reporting packages to the Federal Audit Clearinghouse (if required). GATU is then responsible for obtaining the single audit reporting package, verifying the report meets the single audit requirements, and assigning, to the applicable state agency, any findings attributable to amounts passed through to the subrecipient(s) by the State. As a State agency, ICJIA is responsible for reviewing the reports assigned to them by GATU and determining whether Federal funds reported in the consolidated year-end financial report (CYEFR) reconcile to ICJIA records. Additionally, as the cognizant State agency, ICJIA is responsible for issuing management decisions on findings reported and applying sanctions to subrecipients who do not comply with reporting requirements (i.e. stop pay process). During our testing of a sample of single audit desk review files for 14 subrecipients (with expenditures of $37,884,972 in the fiscal year), we noted the following: • For five subrecipients (with expenditures totaling $19,501,158), ICJIA did not issue a management decision letter in a timely manner. The delays in issuing management decision letters ranged from 61 to 128 days beyond the required timeframe. • For 11 subrecipients (with expenditures totaling $24,680,412), ICJIA did not reconcile the CYEFR to ICJIA’s records as required. As of the date we communicated our findings to ICJIA (January 27, 2026), ICJIA had still not reconciled the CYEFR to ICJIA’s records for 10 subrecipients (with expenditures totaling $24,097,663). • For one subrecipient (with expenditures of $295,572), the subrecipient single audit reporting package was not submitted within the required timeframe, and ICJIA did not follow up with the subrecipient or invoke the stop pay process. ICJIA has not established controls over subrecipient single audit reviews at an adequate level of precision to ensure single audit reporting requirements, including obtaining and reviewing single audit reporting packages, issuing management decision letters, reconciling CYEFRs to agency records, and invoking stop payment actions, are performed within required timeframes. ICJIA passed through $50,412,108 to subrecipients of the CVA program during the year ended June 30, 2024. Criteria or Requirement: According to 2 CFR 200.332(e), a pass-through entity must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statues, regulations and the terms and conditions of the subaward, and that the subaward performance goals are achieved. Additionally, 2 CFR 200.332(e)(3) and 2 CFR 200.521 state that a pass-through entity is required to issue a management decision on federal awards audit findings within six months of the acceptance of the report by the Federal Audit Clearinghouse and ensure the subrecipient takes timely and appropriate corrective action on all audit findings. In addition, 2 CFR 200.303 requires non-Federal entities to, among other things, establish and maintain internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Effective internal controls should include procedures to ensure Single Audit reports are reviewed in a timely manner and management decisions are issued within required timeframes. Cause: In discussing these conditions with ICJIA officials, they stated this GATA responsibility has not been performed as consistently as other responsibilities due to competing priorities and staff shortages. Possible Asserted Effect: Failure to complete and document reviews of subrecipient single audit reports in a timely manner may result in federal funds being expended for unallowable purposes and subrecipients not administering the federal programs in accordance with laws, regulations, and the grant agreement. Repeat Finding: A similar finding was reported in the prior year audit as finding number 2023-034. (Finding Code 2024-043, 2023-034) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend ICJIA establish procedures to ensure subrecipient single audit report reviews are completed and documented in a timely manner. Additionally, ICJIA should implement procedures to ensure timely reconciliation of funds, issuance of management decision letters, and initiation of the stop pay process. Views of ICJIA Officials: ICJIA agrees with the finding and the cause. Staffing continues to be a priority for resolving the single audit review process.
State Agency: Illinois Criminal Justice Information Authority (ICJIA) Federal Agency: U.S. Department of Justice (USDOJ) Program Name: Crime Victim Assistance ALN and Program Expenditures: 16.575 ($53,095,634) Award Numbers: Various – see table of award numbers Federal Award Year: Various – see table of award numbers Questioned Costs: None Compliance Requirement: Subrecipient Monitoring Finding 2024-044: Inadequate Fiscal Monitoring of Subrecipients Condition Found: ICJIA did not follow its established policies and procedures for monitoring subrecipients of the Crime Victim Assistance (CVA) program. ICJIA selects subrecipients of the CVA program over which to perform fiscal monitoring procedures using a risk-based approach. Specifically, a risk assessment is performed annually over the subrecipient, which includes calculating a risk score based upon criteria established by ICJIA. ICJIA’s risk assessment criteria include the total award amount, the subgrantee’s experience with ICJIA grant awards, results of financial monitoring, the percentage of grant expended to date, the quality of financial submissions, the timeliness of financial submissions, and the payment type. Based upon the risk score, each subrecipient is designated as needing high, moderate, or low oversight. The oversight category assigned determines the frequency and type of financial monitoring (i.e. desk review or fiscal audit). During our audit procedures, we noted three CVA subrecipients (with expenditures of $582,277) were designated for high oversight and did not have a fiscal audit performed over their CVA program grants. Agency personnel indicated additional risk assessment criteria were considered to reduce the number of high oversight subrecipients; however, these additional criteria are not documented in the fiscal monitoring policy or risk score documentation. ICJIA passed through approximately $50,412,108 to subrecipients of the CVA program during the year ended June 30, 2024. Criteria or Requirement: According to 2 CFR 200.332(e), a pass-through entity must evaluate each subrecipient's risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward. According to 2 CFR 200.332(e), a pass-through entity is required to monitor the activities of subrecipients as necessary to ensure that federal awards are used for authorized purposes in compliance with laws, regulations, and the provisions of contracts or grant agreements and that performance goals are achieved. 2 CFR 200.332(e)(3) requires pass-through entities to issue management decisions for applicable audit findings pertaining to the federal awards provided to the subrecipient and 2 CFR 200.332(e)(4) requires pass through entities to resolve audit findings through corrective action plans (CAP). In addition, 2 CFR 200.303 requires non-Federal entities receiving Federal awards to establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include establishing and performing monitoring procedures in accordance with Uniform Guidance and program requirements. Cause: In discussing these conditions with ICJIA officials, they stated ICJIA utilizes both a formal, documented policy to determine a risk score for over 600 active grantees and a more subjective, unwritten assessment to determine which higher and medium risk grantees actually will be scheduled to receive active fiscal monitoring procedures. The subjective analysis is used by ICJIA to adjust the potential volume of monitoring effort to the anticipated number of resources available in a given period. Due to the scarcity of resources, the agency prioritized reviews for subrecipients of other ICJIA programs. Possible Asserted Effect: Failure to fully document required risk assessments and to adequately monitor subrecipients may result in the subrecipient not properly administering the federal program in accordance with laws, regulations, and the grant agreement. Repeat Finding: A similar finding was reported in the prior year audit as finding number 2023-035. (Finding Code 2024-044, 2023-035) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend ICJIA review their fiscal subrecipient monitoring procedures and implement additional procedures as necessary to ensure proper monitoring procedures are performed and documentation of monitoring activities are adequately maintained. Views of ICJIA Officials: ICJIA agrees with the findings as we have additional risk assessment criteria that are established but not documented.
State Agency: Illinois Department on Aging (IDOA) Federal Agency: U.S. Department of Health and Human Services (USDHHS) Program Name: Aging Cluster ALN and Program Expenditures: 93.044/93.045/93.053 ($68,210,944) Award Numbers: Various – see table of award numbers Federal Award Year: Various – see table of award numbers Questioned Costs: None Compliance Requirement: Subrecipient Monitoring Finding 2024-049: Inadequate Review of Subrecipient Single Audit Reports Condition Found: IDOA did not adequately document review of single audit reports received from its subrecipients for the Aging Cluster program on a timely basis. The State of Illinois established the Grant Accountability and Transparency Unit (GATU) to implement the provisions of the State’s Grant Accountability and Transparency Act (GATA) on a centralized basis. GATU has established standardized reporting requirements for subrecipients of the various Federal and State programs administered by the State through its various departments. Subrecipients of the State are required to certify whether they expended more than $750,000 in federal awards during the fiscal year and submit their single audit reporting packages to the Federal Audit Clearinghouse (if required). GATU is then responsible for obtaining the single audit reporting package, verifying the report meets the single audit requirements, and assigning to the applicable state agency any findings attributable to amounts passed through to the subrecipient(s) by the State. IDOA staff are responsible for reviewing the reports assigned to them by GATU and determining whether: (1) federal funds reported in the schedule of expenditures of federal awards reconcile to IDOA records; (2) issuing management decisions on findings reported within required timeframes; and (3) applying sanctions to subrecipients who do not comply with reporting requirements (i.e. stop pay process). During our testing of a sample of single audit desk review files for seven subrecipients (with expenditures of $40,522,841 in the fiscal year), we noted the following: • For five subrecipients (with expenditures totaling $23,626,549), IDOA did not issue a management decision letter. • For one subrecipient (with expenditures totaling $2,117,589), IDOA did not issue a management decision letter over the subrecipient’s single audit that was received during state fiscal year 2024. In addition, the subrecipient did not file a single audit for the prior year with the Federal Audit Clearinghouse. While IDOA received a copy of the unfiled single audit report, a review was not performed and funding was not suspended in accordance with the State’s established policies. IDOA has not established controls over subrecipient single audit reviews at an adequate level of precision to ensure single audit reporting requirements, including obtaining and reviewing single audit reporting packages, issuing management decision letters, and invoking stop payment actions are performed within required timeframes. IDOA passed through $66,724,826 to subrecipients of the Aging Cluster program during the year ended June 30, 2024. Criteria or Requirement: According to 2 CFR 200.332(d), a pass-through entity must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statues, regulations and the terms and conditions of the subaward, and that the subaward performance goals are achieved. Additionally, 2 CFR 200.332(d)(3) and 2 CFR 200.521 state that a pass-through entity is required to issue a management decision on federal award audit findings within six months of the acceptance of the report by the Federal Audit Clearinghouse and ensure the subrecipient takes timely and appropriate corrective action on all audit findings. In addition, 2 CFR 200.303 requires non-Federal entities to, among other things, establish and maintain internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Effective internal controls should include procedures to ensure Single Audit reports are reviewed in a timely manner and management decisions are issued within required timeframes. Cause: In discussing these conditions with IDOA officials, they stated competing priorities and limited resources have impacted the Department’s ability to comply with this requirement. Possible Asserted Effect: Failure to complete and document reviews of subrecipient single audit reports in a timely manner may result in federal funds being expended for unallowable purposes and subrecipients not administering the federal programs in accordance with laws, regulations, and the grant agreement. Additionally, failure to issue management decision letters within six months of acceptance of the single audit report by the FAC results in noncompliance with federal regulations. Repeat Finding: A similar finding was not reported in the prior year audit. (Finding Code 2024-049) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend IDOA establish procedures to ensure (1) subrecipient single audit report reviewed within established deadlines, (2) management decision letters are issued for all findings affecting its federal programs in accordance with the Uniform Guidance, and (3) follow up procedures are performed to ensure subrecipients have taken timely and appropriate corrective action. Views of IDOA Officials: The Department agrees with this finding. Although the Department shows that all the Area Agency on Aging single audits were received in the audit report review management system (ARRMS), there is one pending approval by the Audit Clearinghouse. The Department did not get the audits reconciled during state fiscal year 2024. The Department did not issue any management decision letters for those audits.
Finding 2023-001: Subrecipient Monitoring Identification of federal program: Program Title: Community Economic Adjustment Assistance for Compatible Use and Joint Land Use Studies Assistance Listing Number: 12.610 Award Identification: W9124J2120002 Federal Agency: U.S. Department of Defense, Office of Local Defense Community Cooperation Criteria or Specific Requirement: Title 2 CFR § 200.303(a) requires pass-through entities to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. All pass-through entities are required to have subrecipient monitoring policies and procedures in place, which conform to the requirements of Title 2 CFR § 200.332 to identify subawards, evaluate risk of noncompliance, and perform monitoring procedures based upon identified risks. Condition: In testing compliance over subrecipient monitoring, we noted the Fund does not have a subrecipient monitoring policy in place that fully conforms with requirements of Title 2 CFR § 200.332. Cause: Historically the Fund has had few subawards and therefore has not developed full written subrecipient monitoring policies and procedures. Effect: The Fund should implement policies and procedures for monitoring subrecipients in accordance with Title 2 CFR § 200.332. Questioned Costs: None Context: While management’s existing process includes certain elements of subrecipient monitoring, a formal adopted policy is not in place that that fully conforms with requirements of Title 2 CFR § 200.332. Repeat finding: No Recommendation: Implement policies and procedures for monitoring subrecipients, including adequate documentation that conforms to the requirements of Title 2 CFR § 200.332. Views of responsible individuals: Management concurs with and will implement the recommendation. See corrective action plan.
Finding 2023-001 – Reporting Identification of federal program: Assistance Listing No. 93.558 – Temporary Assistance for Needy Families. Criteria or specific requirement: Section 200.332 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) provides the requirements for pass-through entities. A pass-through entity (PTE) must clearly identify to the subrecipient the award as a subaward at the time of subaward (or subsequent subaward modification) by providing the information described in 2 CFR section 200.332(a)(2); all requirements imposed by the PTE on the subrecipient so that the federal award is used in accordance with federal statutes, regulations, and the terms and conditions of the award (2 CFR section 200.331(a)(2)); and (3) any additional requirements that the PTE imposes on the subrecipient in order for the PTE to meet its own responsibility for the federal award (e.g., financial, performance, and special reports) (2 CFR section 200.332(a)(3)). Condition: The Organization was not able to provide executed agreements with its subrecipients covering the period under audit that meet the requirements of Section 200.332 of the Uniform Guidance. Cause: Management indicated that the existing subaward agreements, which do not cover the year ended December 31, 2023, were not updated due to an oversight attributed to personnel vacancies. Effect or potential effect: Noncompliance with Section 200.332 of the Uniform Guidance could result in misunderstanding in program compliance requirements. Questioned cost: not applicable. Context: The Organization was not able to provide executed agreements that cover the audit period for the two subawards made under this program. Recommendation: We recommend that the Organization update and execute agreements with its subrecipients that contains all the required elements of Section 200.332 of the Uniform Guidance. Views of responsible officials: The Organization concurs with this finding. See page 40 for corrective action plan.
Finding 2023-001 – Reporting Identification of federal program: Assistance Listing No. 93.558 – Temporary Assistance for Needy Families. Criteria or specific requirement: Section 200.332 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) provides the requirements for pass-through entities. A pass-through entity (PTE) must clearly identify to the subrecipient the award as a subaward at the time of subaward (or subsequent subaward modification) by providing the information described in 2 CFR section 200.332(a)(2); all requirements imposed by the PTE on the subrecipient so that the federal award is used in accordance with federal statutes, regulations, and the terms and conditions of the award (2 CFR section 200.331(a)(2)); and (3) any additional requirements that the PTE imposes on the subrecipient in order for the PTE to meet its own responsibility for the federal award (e.g., financial, performance, and special reports) (2 CFR section 200.332(a)(3)). Condition: The Organization was not able to provide executed agreements with its subrecipients covering the period under audit that meet the requirements of Section 200.332 of the Uniform Guidance. Cause: Management indicated that the existing subaward agreements, which do not cover the year ended December 31, 2023, were not updated due to an oversight attributed to personnel vacancies. Effect or potential effect: Noncompliance with Section 200.332 of the Uniform Guidance could result in misunderstanding in program compliance requirements. Questioned cost: not applicable. Context: The Organization was not able to provide executed agreements that cover the audit period for the two subawards made under this program. Recommendation: We recommend that the Organization update and execute agreements with its subrecipients that contains all the required elements of Section 200.332 of the Uniform Guidance. Views of responsible officials: The Organization concurs with this finding. See page 40 for corrective action plan.
Finding 2023-001 – Reporting Identification of federal program: Assistance Listing No. 93.558 – Temporary Assistance for Needy Families. Criteria or specific requirement: Section 200.332 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) provides the requirements for pass-through entities. A pass-through entity (PTE) must clearly identify to the subrecipient the award as a subaward at the time of subaward (or subsequent subaward modification) by providing the information described in 2 CFR section 200.332(a)(2); all requirements imposed by the PTE on the subrecipient so that the federal award is used in accordance with federal statutes, regulations, and the terms and conditions of the award (2 CFR section 200.331(a)(2)); and (3) any additional requirements that the PTE imposes on the subrecipient in order for the PTE to meet its own responsibility for the federal award (e.g., financial, performance, and special reports) (2 CFR section 200.332(a)(3)). Condition: The Organization was not able to provide executed agreements with its subrecipients covering the period under audit that meet the requirements of Section 200.332 of the Uniform Guidance. Cause: Management indicated that the existing subaward agreements, which do not cover the year ended December 31, 2023, were not updated due to an oversight attributed to personnel vacancies. Effect or potential effect: Noncompliance with Section 200.332 of the Uniform Guidance could result in misunderstanding in program compliance requirements. Questioned cost: not applicable. Context: The Organization was not able to provide executed agreements that cover the audit period for the two subawards made under this program. Recommendation: We recommend that the Organization update and execute agreements with its subrecipients that contains all the required elements of Section 200.332 of the Uniform Guidance. Views of responsible officials: The Organization concurs with this finding. See page 40 for corrective action plan.
Finding 2023-001 – Reporting Identification of federal program: Assistance Listing No. 93.558 – Temporary Assistance for Needy Families. Criteria or specific requirement: Section 200.332 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) provides the requirements for pass-through entities. A pass-through entity (PTE) must clearly identify to the subrecipient the award as a subaward at the time of subaward (or subsequent subaward modification) by providing the information described in 2 CFR section 200.332(a)(2); all requirements imposed by the PTE on the subrecipient so that the federal award is used in accordance with federal statutes, regulations, and the terms and conditions of the award (2 CFR section 200.331(a)(2)); and (3) any additional requirements that the PTE imposes on the subrecipient in order for the PTE to meet its own responsibility for the federal award (e.g., financial, performance, and special reports) (2 CFR section 200.332(a)(3)). Condition: The Organization was not able to provide executed agreements with its subrecipients covering the period under audit that meet the requirements of Section 200.332 of the Uniform Guidance. Cause: Management indicated that the existing subaward agreements, which do not cover the year ended December 31, 2023, were not updated due to an oversight attributed to personnel vacancies. Effect or potential effect: Noncompliance with Section 200.332 of the Uniform Guidance could result in misunderstanding in program compliance requirements. Questioned cost: not applicable. Context: The Organization was not able to provide executed agreements that cover the audit period for the two subawards made under this program. Recommendation: We recommend that the Organization update and execute agreements with its subrecipients that contains all the required elements of Section 200.332 of the Uniform Guidance. Views of responsible officials: The Organization concurs with this finding. See page 40 for corrective action plan.
2023-001 Material Weakness – Subrecipient Monitoring – Material Noncompliance Agency: U.S. Department of Treasury Federal Assistance Listing Number: 21.027 COVID-19 - Coronavirus State and Local Recovery Funds Criteria: 2 CFR 200.332(b) requires a pass-through entity to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. 2 CFR 200.332(d) requires the passthrough entity to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Statement of Condition: Lutheran Social Services of Wisconsin and Upper Michigan, Inc. did not document their evaluation of the subrecipients risk of noncompliance and perform monitoring of the subrecipient, as required. Questioned Costs: The amount of questioned costs could not be determined. Context: Lutheran Social Services of Wisconsin and Upper Michigan, Inc.’s subrecipient was required by their contract to provide all requests for disbursement from the grantor to Lutheran Social Services of Wisconsin and Upper Michigan, Inc. for review and approval, prior to requesting the funds from the grantor. Lutheran Social Services of Wisconsin and Upper Michigan, Inc. did not receive nor did they review the three (3) draw requests during the period. Additionally, no other processes or controls were in place over the subrecipient monitoring requirement. Effect: Failure to adequately monitor the activity of a subrecipient may result in unallowable costs being charged to the federal program. Cause: Lutheran Social Services of Wisconsin and Upper Michigan, Inc. did not have proper controls in place to monitor their subrecipient. Management was unaware the subrecipient was expending passthrough funds and receiving disbursements from the federal grantor. Recommendation: We recommend management review their processes and controls surrounding subrecipients to ensure appropriate oversight is maintained and compliance with all program and contract requirements occurs. Management Response: LSS received a grant from Illinois Housing Development Authority (IHDA) which was ‘passed through’ to a tax credit project entity (the subrecipient of the grant). The agreements governing the grant to Lutheran Social Services of Wisconsin and Upper Michigan, Inc. (LSS) and loan to the subrecipient specifically called for multiple layers of review and approval by the subrecipient, IHDA, other project lenders, a title company, and at IHDA’s request, LSS. The lead developer, a member of the tax credit project entity, is responsible for managing the construction project and for preparation of all draw requests. The agreements specifically called for the tax credit project entity (as subrecipient) to certify to LSS that the draw package met the grant agreement requirements and specifications, on which certification LSS would then rely to make a corresponding certification to IHDA that the draw package met the grant agreement requirements and specifications. In this instance, the lead developer properly prepared certain draw requests (as the subrecipient), made the required certifications, and submitted them directly to IHDA without informing LSS of such draw request. Rather than requiring strict compliance with the grant agreements and rejecting the subrecipient’s draw request for the lack of LSS’s certification, IHDA elected to accept a direct certification from the subrecipient and effectively waive the LSS certification requirement. We agree that LSS did not have a monitoring system in place to ensure that the subrecipient informed LSS of draw requests and ensure that LSS’s intervening certification to IHDA be made, however there are other factors impacting the program: 1. IHDA did not notify the subrecipient or LSS under the terms of the grant documents that the intervening LSS certification was missing, and instead elected to disburse proceeds directly to the subrecipient based on the subrecipient’s direct certification which served as a waiver of the requirement of the intervening LSS certification. 2. All draw requests were approved by the contractor, the architect, the construction lender, and the title company, which multiple additional layers of review put into place by LSS and IHDA as part of grant document negotiation ensured that grant funds were properly utilized for qualifying project expenses. 3. All parties have been made aware of this issue and it has not resulted in any financial, operational or reputation implications. We have put in place a process to ensure all draw requests come to LSS for review and documented sign-off approval before submission to IHDA.
2023-001 Material Weakness – Subrecipient Monitoring – Material Noncompliance Agency: U.S. Department of Treasury Federal Assistance Listing Number: 21.027 COVID-19 - Coronavirus State and Local Recovery Funds Criteria: 2 CFR 200.332(b) requires a pass-through entity to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. 2 CFR 200.332(d) requires the passthrough entity to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Statement of Condition: Lutheran Social Services of Wisconsin and Upper Michigan, Inc. did not document their evaluation of the subrecipients risk of noncompliance and perform monitoring of the subrecipient, as required. Questioned Costs: The amount of questioned costs could not be determined. Context: Lutheran Social Services of Wisconsin and Upper Michigan, Inc.’s subrecipient was required by their contract to provide all requests for disbursement from the grantor to Lutheran Social Services of Wisconsin and Upper Michigan, Inc. for review and approval, prior to requesting the funds from the grantor. Lutheran Social Services of Wisconsin and Upper Michigan, Inc. did not receive nor did they review the three (3) draw requests during the period. Additionally, no other processes or controls were in place over the subrecipient monitoring requirement. Effect: Failure to adequately monitor the activity of a subrecipient may result in unallowable costs being charged to the federal program. Cause: Lutheran Social Services of Wisconsin and Upper Michigan, Inc. did not have proper controls in place to monitor their subrecipient. Management was unaware the subrecipient was expending passthrough funds and receiving disbursements from the federal grantor. Recommendation: We recommend management review their processes and controls surrounding subrecipients to ensure appropriate oversight is maintained and compliance with all program and contract requirements occurs. Management Response: LSS received a grant from Illinois Housing Development Authority (IHDA) which was ‘passed through’ to a tax credit project entity (the subrecipient of the grant). The agreements governing the grant to Lutheran Social Services of Wisconsin and Upper Michigan, Inc. (LSS) and loan to the subrecipient specifically called for multiple layers of review and approval by the subrecipient, IHDA, other project lenders, a title company, and at IHDA’s request, LSS. The lead developer, a member of the tax credit project entity, is responsible for managing the construction project and for preparation of all draw requests. The agreements specifically called for the tax credit project entity (as subrecipient) to certify to LSS that the draw package met the grant agreement requirements and specifications, on which certification LSS would then rely to make a corresponding certification to IHDA that the draw package met the grant agreement requirements and specifications. In this instance, the lead developer properly prepared certain draw requests (as the subrecipient), made the required certifications, and submitted them directly to IHDA without informing LSS of such draw request. Rather than requiring strict compliance with the grant agreements and rejecting the subrecipient’s draw request for the lack of LSS’s certification, IHDA elected to accept a direct certification from the subrecipient and effectively waive the LSS certification requirement. We agree that LSS did not have a monitoring system in place to ensure that the subrecipient informed LSS of draw requests and ensure that LSS’s intervening certification to IHDA be made, however there are other factors impacting the program: 1. IHDA did not notify the subrecipient or LSS under the terms of the grant documents that the intervening LSS certification was missing, and instead elected to disburse proceeds directly to the subrecipient based on the subrecipient’s direct certification which served as a waiver of the requirement of the intervening LSS certification. 2. All draw requests were approved by the contractor, the architect, the construction lender, and the title company, which multiple additional layers of review put into place by LSS and IHDA as part of grant document negotiation ensured that grant funds were properly utilized for qualifying project expenses. 3. All parties have been made aware of this issue and it has not resulted in any financial, operational or reputation implications. We have put in place a process to ensure all draw requests come to LSS for review and documented sign-off approval before submission to IHDA.
2023-001 Material Weakness – Subrecipient Monitoring – Material Noncompliance Agency: U.S. Department of Treasury Federal Assistance Listing Number: 21.027 COVID-19 - Coronavirus State and Local Recovery Funds Criteria: 2 CFR 200.332(b) requires a pass-through entity to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. 2 CFR 200.332(d) requires the passthrough entity to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Statement of Condition: Lutheran Social Services of Wisconsin and Upper Michigan, Inc. did not document their evaluation of the subrecipients risk of noncompliance and perform monitoring of the subrecipient, as required. Questioned Costs: The amount of questioned costs could not be determined. Context: Lutheran Social Services of Wisconsin and Upper Michigan, Inc.’s subrecipient was required by their contract to provide all requests for disbursement from the grantor to Lutheran Social Services of Wisconsin and Upper Michigan, Inc. for review and approval, prior to requesting the funds from the grantor. Lutheran Social Services of Wisconsin and Upper Michigan, Inc. did not receive nor did they review the three (3) draw requests during the period. Additionally, no other processes or controls were in place over the subrecipient monitoring requirement. Effect: Failure to adequately monitor the activity of a subrecipient may result in unallowable costs being charged to the federal program. Cause: Lutheran Social Services of Wisconsin and Upper Michigan, Inc. did not have proper controls in place to monitor their subrecipient. Management was unaware the subrecipient was expending passthrough funds and receiving disbursements from the federal grantor. Recommendation: We recommend management review their processes and controls surrounding subrecipients to ensure appropriate oversight is maintained and compliance with all program and contract requirements occurs. Management Response: LSS received a grant from Illinois Housing Development Authority (IHDA) which was ‘passed through’ to a tax credit project entity (the subrecipient of the grant). The agreements governing the grant to Lutheran Social Services of Wisconsin and Upper Michigan, Inc. (LSS) and loan to the subrecipient specifically called for multiple layers of review and approval by the subrecipient, IHDA, other project lenders, a title company, and at IHDA’s request, LSS. The lead developer, a member of the tax credit project entity, is responsible for managing the construction project and for preparation of all draw requests. The agreements specifically called for the tax credit project entity (as subrecipient) to certify to LSS that the draw package met the grant agreement requirements and specifications, on which certification LSS would then rely to make a corresponding certification to IHDA that the draw package met the grant agreement requirements and specifications. In this instance, the lead developer properly prepared certain draw requests (as the subrecipient), made the required certifications, and submitted them directly to IHDA without informing LSS of such draw request. Rather than requiring strict compliance with the grant agreements and rejecting the subrecipient’s draw request for the lack of LSS’s certification, IHDA elected to accept a direct certification from the subrecipient and effectively waive the LSS certification requirement. We agree that LSS did not have a monitoring system in place to ensure that the subrecipient informed LSS of draw requests and ensure that LSS’s intervening certification to IHDA be made, however there are other factors impacting the program: 1. IHDA did not notify the subrecipient or LSS under the terms of the grant documents that the intervening LSS certification was missing, and instead elected to disburse proceeds directly to the subrecipient based on the subrecipient’s direct certification which served as a waiver of the requirement of the intervening LSS certification. 2. All draw requests were approved by the contractor, the architect, the construction lender, and the title company, which multiple additional layers of review put into place by LSS and IHDA as part of grant document negotiation ensured that grant funds were properly utilized for qualifying project expenses. 3. All parties have been made aware of this issue and it has not resulted in any financial, operational or reputation implications. We have put in place a process to ensure all draw requests come to LSS for review and documented sign-off approval before submission to IHDA.
Finding 2023-002: Pre-Award Risk Assessment for Sub-Recipient Information on the Federal Program: 93.048 Criteria: As stated in 2 CFR 200.331 part (b), all pass-through entities must evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring procedures to prescribe to each individual subrecipient. Condition: During our testing performed over subrecipient expenditures, we were unable to obtain evidence that pre-award risk assessment procedures were performed over subrecipients, consistent with 2 CFR §200.332(b). Cause: The Organization's internal policies and procedures governing risk assessment on subrecipients was not performed. Effect or Potential Effect: The Organization could inadvertently be engaged in relationships with subrecipients of higher risk without the appropriate level of oversight to ensure subrecipients are expending funds in accordance with the provisions and terms of the subaward. Questioned Costs: None noted. Context: Our audit procedures consisted of substantive testwork over a sample of subrecipients. We consider our sample to be representative of the population. The samples were made using statistical sampling and we believe the condition appeared to be systematic in nature. Identification as a Repeat Finding, if Applicable: Not a repeat finding. Recommendation: We recommend that the Organization follow their internal policies regarding performing a pre-award risk assessment on all new sub-recipients engaged throughout the life of the award. For repeat sub-recipients, the risk assessment should be re-visited throughout the award term to ensure that conditions have not changed and the original risk assessment remains reasonable.
Criteria or specific requirement: The Code of Federal Regulations, 2 CFR 200.332, states that nonfederal entities passing federal awards through to other entities are required to ensure that subawards to subrecipients include required federal award identification and detail of all compliance and other requirements for the federal award. Condition: During our testing we noted that the Company did not include the federally required elements of the award in the subrecipient agreement. Context: For 6 of the 9 subrecipients selected, the Company did not include in their agreements the required federal award information as outlined by 2 CFR 200.332. Cause: Management was made aware of requirements during the award period and created addendums for agreements with subrecipients. For 6 of the 9 subrecipients selected, addendums with the conditions of the award were not created at the time of our review, and the required information was not provided to subrecipients. Effect: The Company is not in compliance with subrecipient monitoring requirements as outlined by 2 CFR 200.332. Recommendation: We recommend the Company to include all guidance under 2 CFR 200.332 in the agreements entered with subrecipients. Views of responsible officials: There is no disagreement with the audit finding. The company has investigated why the information was not provided, and found the cause was an isolated incident, and the error of a former employee who has since been removed from the company. Measures have been put in place to ensure future compliance.
U.S. Department of Treasury Passed-through the Colorado Department of Local Affairs FFAL #21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Funds Subrecipient Monitoring Material Noncompliance Material Weakness in Internal Controls Criteria: Section 2 CFR 200.331 establishes the determination of whether there is a subrecipient or contractor of the federal award. The non-Federal entity may concurrently receive Federal awards as a recipient, a subrecipient, and a contractor, depending on the substance of its agreements with Federal awarding agencies and pass-through entities. Therefore, a passthrough entity must make case-by-case determinations whether each agreement it makes for the disbursement of Federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. The Federal awarding agency may supply and require recipients to comply with additional guidance to support these determinations provided such guidance does not conflict with this section. Once it is determined the recipient is a sub-recipient there are certain requirements for pass-through entities established in 2 CFR 200.332. Per 2 CFR 200.332, pass-through entities are responsible for informing subrecipients of the Federal award identifiers including but not limited to award date, period of performance and Federal awarding agency and Assistance Listing Number and title. Pass-through entities are required to assess the subrecipient’s risk of noncompliance with Federal statutes, regulations and the terms and conditions of the subaward. Further, the pass-through entity is required to perform certain monitoring activities to ensure the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Finally, the pass-through entity should also verify the subrecipient is audited as required by Subpart F - Audit Requirement under the Uniform Guidance. The monitoring policy should include an initial valuation of risk of noncompliance to determine the appropriate level of monitoring required related to the subaward as well as appropriate awarding documentation. Condition: The County did not appropriately identify two subrecipients of the grant and initially determined them to be contractors. The County failed to perform any subrecipient monitoring as required by the Uniform Guidance. Cause: Due to the County’s failure to understand the sub-recipient monitoring requirements, two of subawards were incorrectly identified as contractors and none of the required award and monitoring procedures were performed for the four subrecipients of the grant. Effect: Insufficient procedures and internal controls related to subrecipients resulted in noncompliance. Questioned Costs: No questioned costs were identified as a result of our procedures. 16 Summit County, Colorado Schedule of Findings and Questioned Costs Year Ended December 31, 2023 Context/Sampling: All four subrecipients were selected for subrecipient monitoring testing. Repeat Finding from Prior Years: No. Recommendation: We recommend that the County establish and adhere to policies and procedures, including internal controls, to ensure compliance with subrecipient monitoring requirements as established by 2 CFR 200.331 and 2 CFR 200.332. Views of Responsible Officials: Management agrees with the finding.