Findings Citing § 200.332

2023-031 The Department of Commerce did not have adequate internal controls over and did not comply with requirements to perform risk assessments for subrecipients of the Coronavirus State and Local Fiscal Recovery Funds. Assistance Listing Number and Title: 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Funds Federal Grantor Name: U.S. Department of the Treasury Federal Award/Contract Number: SLFRP0002 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-021 Background The Coronavirus State and Local Fiscal Recovery Funds (SLFRF), as part of the America Rescue Plan Act of 2021, delivered $350 billion to state, local, and tribal governments to support the response to and recovery from the COVID-19 public health emergency. Washington received $4.4 billion of SLFRF money from the U.S. Department of the Treasury, which the state’s Office of Financial Management allocated to state agencies for various programs. In fiscal year 2023, state agencies spent about $1.9 billion in SLFRF funds, more than $718 million of which was spent by the Department of Commerce. The Legislature appropriated $100 million to the Department in SLFRF funding to award assistance to public and private water, sewer, garbage, electric, and natural gas utilities. With these funds, utilities could reduce residential customer account balances that were left unpaid due to the COVID-19 pandemic and the related economic downturn that were accrued between March 1, 2020, and December 31, 2021. The Department’s Energy Division expended about $100 million in payments to public and private utilities as subrecipients. Each utility that wished to participate in the program was required to submit an application for financial assistance documenting the current arrearage balances for residential customers as of March 31, 2022, as well as any available information on arrearage balances of low-income customers, including those receiving government assistance through the Low-Income Home Energy Assistance Program, Low-Income Water Assistance Program, or other ratepayer-funded Department programs as of March 31, 2022. In the event that the utility did not have access to this customer information, the Department distributed SLFRF funds to the community action program serving the same area as the utility. In determining the amount of funding that each utility could receive, the Department was required by the legislative mandate to consider: • Each participating utility’s proportion of the aggregate amount of arrearages among all participating utilities • Utility service areas that are situated in locations experiencing disproportionate environmental health disparities • American community survey poverty data • Whether the utility has leveraged other fund sources to reduce customer arrearages Pass-through entities are required to monitor the activities of subrecipients to ensure they are properly using federal funds for allowable activities and expenditures. To determine the appropriate level of monitoring, federal regulations require the Department to evaluate each subrecipient’s risk of noncompliance with federal statutes and regulations and the terms and conditions of the subaward. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit we reported the Department did not have adequate internal controls over and did not comply with requirements to perform risk assessments for subrecipients of the SFLRF. The prior finding number was 2022-021. Description of Condition The Department did not have adequate internal controls over and did not comply with requirements to perform risk assessments for SLFRF subrecipients. During the audit period, the Department awarded more than $99.8 million in SLFRF funds to 62 different utilities and community action programs. We determined the Department did not perform a risk assessment to determine the appropriate level of monitoring for each of its 62 subrecipients. We consider this internal control deficiency to be a material weakness, which led to material noncompliance. Cause of Condition Program management for the Department was not aware of the requirement to conduct a formal risk assessment over each subrecipient’s use of SLFRF funds, and did not consider performing a risk assessment over the subrecipients when following legislative guidance. Additionally, management outside of the Department’s Energy Division did not monitor to ensure risk assessments were performed before executing subawards with utilities. Effect of Condition Without performing risk assessments of subrecipients that received SLFRF funding, which the federal government has classified as a program of higher risk, the Department cannot determine the appropriate amount of monitoring required for each subrecipient. Not performing new risk assessments also makes the Department less likely to detect subrecipients’ noncompliance with federal regulations and the terms and conditions of subawards. Recommendations We recommend the Department: • Establish internal controls to ensure it performs risk assessments for all subawards issued to subrecipients • Ensure it performs and documents the required risk assessments sufficiently for management to evaluate the results and demonstrate compliance with federal requirements • Update its risk assessment procedures to ensure factors related to potential noncompliance with requirements for low-income utility grants and SLFRF are incorporated into the risk assessment results Department’s Response The Department thanks the Washington State Auditor’s Office for the opportunity to respond to the finding. The Department respectfully disagrees with the finding as the Auditor’s Office has provided no requirements or codes nor has the Department been informed of any which require a risk assessment process for this award applied to arrearage balances. Additionally, the Department asserts it had internal controls in place for the program requirements. The Washington State Legislature issued the following proviso for funding by the Department: “$100,000,000 of the coronavirus state fiscal recovery fund federal appropriation is provided solely for grants for public and private water, sewer, garbage, electric, and natural gas utilities to address low-income customer arrearages compounded by the COVID-19 pandemic and the related economic downturn that were accrued between March 1, 2020, and December 31, 2021.” The Washington State Legislature informed utility representatives of the availability of funding following the funding awarded to the Department. Commerce received the award for this program as part of the supplemental operating budget included in Senate Bill 5693, affective March 31, 2022. The Department held webinars allowing all interested utility service providers to obtain information on how to fund outstanding arrearage balances compounded by the COVID-19 pandemic. Utility providers requesting funding communicated their customer arrearage balances to the Energy Office who followed a reporting process for funding. The reporting process included receipt of the number of customers with arrearage balances, the amount applied to customer balances, if they were low income customers amongst other elements required to receive funding. By May 27, 2022, each utility that wished to participate opted-in to the grant program by providing the Department with the specific information. The opt-in was available for all utility service providers who had customers who met the low-income requirements. The proviso did not include any requirements for subrecipient monitoring elements, including the performance of risk assessments of utility providers. The proviso included who was eligible for funding and the period of performance. The compliance supplement for Assistance Listing Number 21.027 under 2 CFR 200 did not include any requirements for subrecipient monitoring for risk assessments. The Department’s Assistant Director for the Energy Division created the process in which utility service providers provided information for funding. At that time the Assistant Director created internal controls over reporting, fiscal monitoring and subrecipient monitoring which included the submission of required information including, low-income eligibility, customer accounts had to be in an arrearage status, dates of arrearage balances and confirmation of expenses paid for customer arrearages. That data was compiled in a monitoring workbook, monitored and retained. Commerce did not identify or implement an internal control over risk assessments as utility service providers were not ranked or categorized for funding as the award included funding for all eligible customers from the utilities who requested funding. A risk assessment was not necessary nor required as part of the compliance supplement or any other Code of Federal Regulation related to this award. Commerce implemented internal controls for all areas in which the regulations required. Further, Commerce created and maintained an appropriate level of monitoring for the elements identified for funding by the legislature through our obtaining low-income eligibility status and other factors required for funding. No risk assessment process was required as all eligible utility providers were funded. The Department strives to meet all requirements related to federal funding and will continue to improve internal controls and compliance when deficiencies are identified. Auditor’s Remarks Federal regulations, specifically 2 CFR 200.332 - Requirements for pass-through entities, requires risk assessments be performed for all subrecipients to determine the appropriate level of monitoring required to ensure the subrecipient complies with terms and conditions of the subaward. The fact that the state legislative proviso did not contain this provision did not absolve the Department from complying with the federal requirement. We informed the Department during the audit that we would be assessing its compliance with this requirement. This requirement is also outlined in the state’s grant agreement with the Department of the Treasury and is outlined in the federal grant compliance supplement that is published by the federal Office of Management and Budget every year. We reaffirm our audit finding and will follow up on the Department’s corrective action during the next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 332, Requirements for pass-through entities, establishes the requirements for all pass-through entities. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11.

2023-032 The Department of Commerce did not have adequate internal controls over and did not comply with requirements to ensure it communicated federal award identification elements to subrecipients of the Coronavirus State and Local Fiscal Recovery Fund. Assistance Listing Number and Title: 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Fund Federal Grantor Name: U.S. Department of the Treasury Federal Award/Contract Number: SLFRFP0002 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: No Background The Coronavirus State and Local Fiscal Recovery Funds (SLFRF), as part of the America Rescue Plan Act of 2021, delivered $350 billion to state, local, and tribal governments to support the response to and recovery from the COVID-19 public health emergency. Washington received $4.4 billion of SLFRF money from the U.S. Department of the Treasury, which the state’s Office of Financial Management allocated to state agencies for various programs. In fiscal year 2023, state agencies spent about $1.9 billion in SLFRF funds, more than $718 million of which was spent by the Department of Commerce. The Department used SLFRF funds to administer and provide economic assistance to households at risk of eviction and homelessness primarily through the Eviction Rental Assistance Program, in addition to transportation, tourism, and other pandemic-recovery projects. During fiscal year 2023, the Department expended about $253.5 million on reimbursements and advance payments to local governments and nonprofit organizations as subrecipients. These subrecipients were responsible for making direct payments of rent and utilities for eligible low-income households with overdue rent payments dating as far back as March 2020. Federal regulations require pass-through entities to ensure that every subaward is clearly identified as a subaward to a subrecipient, and that it includes 14 federal award identification elements. These elements include the subrecipient’s unique entity identifier, the Federal Award Identification Number, the name of the federal awarding agency, the program’s Assistance Listing Number and title, and more. Federal regulations also require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The Department did not have adequate internal controls over and did not comply with federal requirements to ensure it communicated all federal award identification elements to subrecipients of the SLFRF. During the audit period, the Department awarded new contracts and amendments totaling more than $16.8 million in SLFRF funds to 13 subrecipients. We examined all 13 subawards and determined all 13 did not clearly identify the agreement as a federal subaward and the subrecipient was referred to as a contractor throughout the award. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition The Department could not provide documentation to show it had adequate internal controls in place to ensure that the subawards included all the correct information. Furthermore, the subrecipients were referred to as contractors throughout each award because the Department used a contract template; it did not have a subaward template available at the time the subawards were issued. Effect of Condition Without establishing adequate internal controls, the Department cannot ensure it has communicated all required data elements to its subrecipients. Furthermore, by not clearly identifying the subaward as such, the Department cannot ensure its subrecipients have been adequately informed of the program requirements, federal regulations, and the subaward’s terms and conditions that it must comply with. Under federal law requirements for a subrecipient and a contractor are substantially different. Recommendation We recommend the Department establish adequate internal controls to ensure it includes all required information in every federal subaward. This must include ensuring that the award is clearly identified as a subaward and not a contract. Department’s Response The Department treated the recipient as a subrecipient and followed all of the Code of Federal Regulations (CFR) requirements, including communicating the Requirements for Pass-through Entities to all recipients through the 14 elements checklist in a contract amendment process. The Department informed the audit team that they had this documentation but the documentation was not requested. The Department agrees with the Washington State Auditor’s Office (SAO) that our contract template refers to the subrecipient in the contract as a “contractor”. That terminology was used to identify the recipient as part of the contract, not the type of federal recipient. We identified the need to specify the federal recipient type in the contract in 2022 and in October 2022 we changed the face sheets of all of our federal contract templates to identify each recipient as a subrecipient or contractor. Unfortunately there was a timing issue with the issuance of the contract included in the audit and the prior federal template was used. Going forward, all program contracts will be issued on the updated federal contract templates which will designate the recipient type as either a subrecipient or contractor. The Department supports it communicated the Requirements for Pass-Through entities federal identification elements through the subaward amendments that were issued during the period, however, the communication was made during the audit year and did not cover the full period of performance. Short of an error being made, the Department feels this exception has been resolved. We thank the Auditor’s Office for the opportunity to respond to the finding. Auditor’s Remarks We acknowledge the Department updated its subaward template during the audit period. However, we want to clarify that for the subawards examined during this audit, the Department did not issue written subaward amendments to communicate federal subaward elements to its subrecipients. Instead, the Department sent email correspondence to each subrecipient with a file attachment listing the fields required under 2 CFR 200.332(a)(1)(i) through (xiv). This attachment was not incorporated by reference into the subaward amendments executed during the audit period, and therefore we did not consider the information as part of the Department’s subaward. We reaffirm our audit finding and will review the status of the Department’s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 332, Requirements for pass-through entities, establishes requirements for all pass-through entities. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11.

2023-031 The Department of Commerce did not have adequate internal controls over and did not comply with requirements to perform risk assessments for subrecipients of the Coronavirus State and Local Fiscal Recovery Funds. Assistance Listing Number and Title: 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Funds Federal Grantor Name: U.S. Department of the Treasury Federal Award/Contract Number: SLFRP0002 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-021 Background The Coronavirus State and Local Fiscal Recovery Funds (SLFRF), as part of the America Rescue Plan Act of 2021, delivered $350 billion to state, local, and tribal governments to support the response to and recovery from the COVID-19 public health emergency. Washington received $4.4 billion of SLFRF money from the U.S. Department of the Treasury, which the state’s Office of Financial Management allocated to state agencies for various programs. In fiscal year 2023, state agencies spent about $1.9 billion in SLFRF funds, more than $718 million of which was spent by the Department of Commerce. The Legislature appropriated $100 million to the Department in SLFRF funding to award assistance to public and private water, sewer, garbage, electric, and natural gas utilities. With these funds, utilities could reduce residential customer account balances that were left unpaid due to the COVID-19 pandemic and the related economic downturn that were accrued between March 1, 2020, and December 31, 2021. The Department’s Energy Division expended about $100 million in payments to public and private utilities as subrecipients. Each utility that wished to participate in the program was required to submit an application for financial assistance documenting the current arrearage balances for residential customers as of March 31, 2022, as well as any available information on arrearage balances of low-income customers, including those receiving government assistance through the Low-Income Home Energy Assistance Program, Low-Income Water Assistance Program, or other ratepayer-funded Department programs as of March 31, 2022. In the event that the utility did not have access to this customer information, the Department distributed SLFRF funds to the community action program serving the same area as the utility. In determining the amount of funding that each utility could receive, the Department was required by the legislative mandate to consider: • Each participating utility’s proportion of the aggregate amount of arrearages among all participating utilities • Utility service areas that are situated in locations experiencing disproportionate environmental health disparities • American community survey poverty data • Whether the utility has leveraged other fund sources to reduce customer arrearages Pass-through entities are required to monitor the activities of subrecipients to ensure they are properly using federal funds for allowable activities and expenditures. To determine the appropriate level of monitoring, federal regulations require the Department to evaluate each subrecipient’s risk of noncompliance with federal statutes and regulations and the terms and conditions of the subaward. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit we reported the Department did not have adequate internal controls over and did not comply with requirements to perform risk assessments for subrecipients of the SFLRF. The prior finding number was 2022-021. Description of Condition The Department did not have adequate internal controls over and did not comply with requirements to perform risk assessments for SLFRF subrecipients. During the audit period, the Department awarded more than $99.8 million in SLFRF funds to 62 different utilities and community action programs. We determined the Department did not perform a risk assessment to determine the appropriate level of monitoring for each of its 62 subrecipients. We consider this internal control deficiency to be a material weakness, which led to material noncompliance. Cause of Condition Program management for the Department was not aware of the requirement to conduct a formal risk assessment over each subrecipient’s use of SLFRF funds, and did not consider performing a risk assessment over the subrecipients when following legislative guidance. Additionally, management outside of the Department’s Energy Division did not monitor to ensure risk assessments were performed before executing subawards with utilities. Effect of Condition Without performing risk assessments of subrecipients that received SLFRF funding, which the federal government has classified as a program of higher risk, the Department cannot determine the appropriate amount of monitoring required for each subrecipient. Not performing new risk assessments also makes the Department less likely to detect subrecipients’ noncompliance with federal regulations and the terms and conditions of subawards. Recommendations We recommend the Department: • Establish internal controls to ensure it performs risk assessments for all subawards issued to subrecipients • Ensure it performs and documents the required risk assessments sufficiently for management to evaluate the results and demonstrate compliance with federal requirements • Update its risk assessment procedures to ensure factors related to potential noncompliance with requirements for low-income utility grants and SLFRF are incorporated into the risk assessment results Department’s Response The Department thanks the Washington State Auditor’s Office for the opportunity to respond to the finding. The Department respectfully disagrees with the finding as the Auditor’s Office has provided no requirements or codes nor has the Department been informed of any which require a risk assessment process for this award applied to arrearage balances. Additionally, the Department asserts it had internal controls in place for the program requirements. The Washington State Legislature issued the following proviso for funding by the Department: “$100,000,000 of the coronavirus state fiscal recovery fund federal appropriation is provided solely for grants for public and private water, sewer, garbage, electric, and natural gas utilities to address low-income customer arrearages compounded by the COVID-19 pandemic and the related economic downturn that were accrued between March 1, 2020, and December 31, 2021.” The Washington State Legislature informed utility representatives of the availability of funding following the funding awarded to the Department. Commerce received the award for this program as part of the supplemental operating budget included in Senate Bill 5693, affective March 31, 2022. The Department held webinars allowing all interested utility service providers to obtain information on how to fund outstanding arrearage balances compounded by the COVID-19 pandemic. Utility providers requesting funding communicated their customer arrearage balances to the Energy Office who followed a reporting process for funding. The reporting process included receipt of the number of customers with arrearage balances, the amount applied to customer balances, if they were low income customers amongst other elements required to receive funding. By May 27, 2022, each utility that wished to participate opted-in to the grant program by providing the Department with the specific information. The opt-in was available for all utility service providers who had customers who met the low-income requirements. The proviso did not include any requirements for subrecipient monitoring elements, including the performance of risk assessments of utility providers. The proviso included who was eligible for funding and the period of performance. The compliance supplement for Assistance Listing Number 21.027 under 2 CFR 200 did not include any requirements for subrecipient monitoring for risk assessments. The Department’s Assistant Director for the Energy Division created the process in which utility service providers provided information for funding. At that time the Assistant Director created internal controls over reporting, fiscal monitoring and subrecipient monitoring which included the submission of required information including, low-income eligibility, customer accounts had to be in an arrearage status, dates of arrearage balances and confirmation of expenses paid for customer arrearages. That data was compiled in a monitoring workbook, monitored and retained. Commerce did not identify or implement an internal control over risk assessments as utility service providers were not ranked or categorized for funding as the award included funding for all eligible customers from the utilities who requested funding. A risk assessment was not necessary nor required as part of the compliance supplement or any other Code of Federal Regulation related to this award. Commerce implemented internal controls for all areas in which the regulations required. Further, Commerce created and maintained an appropriate level of monitoring for the elements identified for funding by the legislature through our obtaining low-income eligibility status and other factors required for funding. No risk assessment process was required as all eligible utility providers were funded. The Department strives to meet all requirements related to federal funding and will continue to improve internal controls and compliance when deficiencies are identified. Auditor’s Remarks Federal regulations, specifically 2 CFR 200.332 - Requirements for pass-through entities, requires risk assessments be performed for all subrecipients to determine the appropriate level of monitoring required to ensure the subrecipient complies with terms and conditions of the subaward. The fact that the state legislative proviso did not contain this provision did not absolve the Department from complying with the federal requirement. We informed the Department during the audit that we would be assessing its compliance with this requirement. This requirement is also outlined in the state’s grant agreement with the Department of the Treasury and is outlined in the federal grant compliance supplement that is published by the federal Office of Management and Budget every year. We reaffirm our audit finding and will follow up on the Department’s corrective action during the next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 332, Requirements for pass-through entities, establishes the requirements for all pass-through entities. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11.

2023-032 The Department of Commerce did not have adequate internal controls over and did not comply with requirements to ensure it communicated federal award identification elements to subrecipients of the Coronavirus State and Local Fiscal Recovery Fund. Assistance Listing Number and Title: 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Fund Federal Grantor Name: U.S. Department of the Treasury Federal Award/Contract Number: SLFRFP0002 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: No Background The Coronavirus State and Local Fiscal Recovery Funds (SLFRF), as part of the America Rescue Plan Act of 2021, delivered $350 billion to state, local, and tribal governments to support the response to and recovery from the COVID-19 public health emergency. Washington received $4.4 billion of SLFRF money from the U.S. Department of the Treasury, which the state’s Office of Financial Management allocated to state agencies for various programs. In fiscal year 2023, state agencies spent about $1.9 billion in SLFRF funds, more than $718 million of which was spent by the Department of Commerce. The Department used SLFRF funds to administer and provide economic assistance to households at risk of eviction and homelessness primarily through the Eviction Rental Assistance Program, in addition to transportation, tourism, and other pandemic-recovery projects. During fiscal year 2023, the Department expended about $253.5 million on reimbursements and advance payments to local governments and nonprofit organizations as subrecipients. These subrecipients were responsible for making direct payments of rent and utilities for eligible low-income households with overdue rent payments dating as far back as March 2020. Federal regulations require pass-through entities to ensure that every subaward is clearly identified as a subaward to a subrecipient, and that it includes 14 federal award identification elements. These elements include the subrecipient’s unique entity identifier, the Federal Award Identification Number, the name of the federal awarding agency, the program’s Assistance Listing Number and title, and more. Federal regulations also require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The Department did not have adequate internal controls over and did not comply with federal requirements to ensure it communicated all federal award identification elements to subrecipients of the SLFRF. During the audit period, the Department awarded new contracts and amendments totaling more than $16.8 million in SLFRF funds to 13 subrecipients. We examined all 13 subawards and determined all 13 did not clearly identify the agreement as a federal subaward and the subrecipient was referred to as a contractor throughout the award. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition The Department could not provide documentation to show it had adequate internal controls in place to ensure that the subawards included all the correct information. Furthermore, the subrecipients were referred to as contractors throughout each award because the Department used a contract template; it did not have a subaward template available at the time the subawards were issued. Effect of Condition Without establishing adequate internal controls, the Department cannot ensure it has communicated all required data elements to its subrecipients. Furthermore, by not clearly identifying the subaward as such, the Department cannot ensure its subrecipients have been adequately informed of the program requirements, federal regulations, and the subaward’s terms and conditions that it must comply with. Under federal law requirements for a subrecipient and a contractor are substantially different. Recommendation We recommend the Department establish adequate internal controls to ensure it includes all required information in every federal subaward. This must include ensuring that the award is clearly identified as a subaward and not a contract. Department’s Response The Department treated the recipient as a subrecipient and followed all of the Code of Federal Regulations (CFR) requirements, including communicating the Requirements for Pass-through Entities to all recipients through the 14 elements checklist in a contract amendment process. The Department informed the audit team that they had this documentation but the documentation was not requested. The Department agrees with the Washington State Auditor’s Office (SAO) that our contract template refers to the subrecipient in the contract as a “contractor”. That terminology was used to identify the recipient as part of the contract, not the type of federal recipient. We identified the need to specify the federal recipient type in the contract in 2022 and in October 2022 we changed the face sheets of all of our federal contract templates to identify each recipient as a subrecipient or contractor. Unfortunately there was a timing issue with the issuance of the contract included in the audit and the prior federal template was used. Going forward, all program contracts will be issued on the updated federal contract templates which will designate the recipient type as either a subrecipient or contractor. The Department supports it communicated the Requirements for Pass-Through entities federal identification elements through the subaward amendments that were issued during the period, however, the communication was made during the audit year and did not cover the full period of performance. Short of an error being made, the Department feels this exception has been resolved. We thank the Auditor’s Office for the opportunity to respond to the finding. Auditor’s Remarks We acknowledge the Department updated its subaward template during the audit period. However, we want to clarify that for the subawards examined during this audit, the Department did not issue written subaward amendments to communicate federal subaward elements to its subrecipients. Instead, the Department sent email correspondence to each subrecipient with a file attachment listing the fields required under 2 CFR 200.332(a)(1)(i) through (xiv). This attachment was not incorporated by reference into the subaward amendments executed during the audit period, and therefore we did not consider the information as part of the Department’s subaward. We reaffirm our audit finding and will review the status of the Department’s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 332, Requirements for pass-through entities, establishes requirements for all pass-through entities. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11.

2023-031 The Department of Commerce did not have adequate internal controls over and did not comply with requirements to perform risk assessments for subrecipients of the Coronavirus State and Local Fiscal Recovery Funds. Assistance Listing Number and Title: 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Funds Federal Grantor Name: U.S. Department of the Treasury Federal Award/Contract Number: SLFRP0002 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-021 Background The Coronavirus State and Local Fiscal Recovery Funds (SLFRF), as part of the America Rescue Plan Act of 2021, delivered $350 billion to state, local, and tribal governments to support the response to and recovery from the COVID-19 public health emergency. Washington received $4.4 billion of SLFRF money from the U.S. Department of the Treasury, which the state’s Office of Financial Management allocated to state agencies for various programs. In fiscal year 2023, state agencies spent about $1.9 billion in SLFRF funds, more than $718 million of which was spent by the Department of Commerce. The Legislature appropriated $100 million to the Department in SLFRF funding to award assistance to public and private water, sewer, garbage, electric, and natural gas utilities. With these funds, utilities could reduce residential customer account balances that were left unpaid due to the COVID-19 pandemic and the related economic downturn that were accrued between March 1, 2020, and December 31, 2021. The Department’s Energy Division expended about $100 million in payments to public and private utilities as subrecipients. Each utility that wished to participate in the program was required to submit an application for financial assistance documenting the current arrearage balances for residential customers as of March 31, 2022, as well as any available information on arrearage balances of low-income customers, including those receiving government assistance through the Low-Income Home Energy Assistance Program, Low-Income Water Assistance Program, or other ratepayer-funded Department programs as of March 31, 2022. In the event that the utility did not have access to this customer information, the Department distributed SLFRF funds to the community action program serving the same area as the utility. In determining the amount of funding that each utility could receive, the Department was required by the legislative mandate to consider: • Each participating utility’s proportion of the aggregate amount of arrearages among all participating utilities • Utility service areas that are situated in locations experiencing disproportionate environmental health disparities • American community survey poverty data • Whether the utility has leveraged other fund sources to reduce customer arrearages Pass-through entities are required to monitor the activities of subrecipients to ensure they are properly using federal funds for allowable activities and expenditures. To determine the appropriate level of monitoring, federal regulations require the Department to evaluate each subrecipient’s risk of noncompliance with federal statutes and regulations and the terms and conditions of the subaward. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit we reported the Department did not have adequate internal controls over and did not comply with requirements to perform risk assessments for subrecipients of the SFLRF. The prior finding number was 2022-021. Description of Condition The Department did not have adequate internal controls over and did not comply with requirements to perform risk assessments for SLFRF subrecipients. During the audit period, the Department awarded more than $99.8 million in SLFRF funds to 62 different utilities and community action programs. We determined the Department did not perform a risk assessment to determine the appropriate level of monitoring for each of its 62 subrecipients. We consider this internal control deficiency to be a material weakness, which led to material noncompliance. Cause of Condition Program management for the Department was not aware of the requirement to conduct a formal risk assessment over each subrecipient’s use of SLFRF funds, and did not consider performing a risk assessment over the subrecipients when following legislative guidance. Additionally, management outside of the Department’s Energy Division did not monitor to ensure risk assessments were performed before executing subawards with utilities. Effect of Condition Without performing risk assessments of subrecipients that received SLFRF funding, which the federal government has classified as a program of higher risk, the Department cannot determine the appropriate amount of monitoring required for each subrecipient. Not performing new risk assessments also makes the Department less likely to detect subrecipients’ noncompliance with federal regulations and the terms and conditions of subawards. Recommendations We recommend the Department: • Establish internal controls to ensure it performs risk assessments for all subawards issued to subrecipients • Ensure it performs and documents the required risk assessments sufficiently for management to evaluate the results and demonstrate compliance with federal requirements • Update its risk assessment procedures to ensure factors related to potential noncompliance with requirements for low-income utility grants and SLFRF are incorporated into the risk assessment results Department’s Response The Department thanks the Washington State Auditor’s Office for the opportunity to respond to the finding. The Department respectfully disagrees with the finding as the Auditor’s Office has provided no requirements or codes nor has the Department been informed of any which require a risk assessment process for this award applied to arrearage balances. Additionally, the Department asserts it had internal controls in place for the program requirements. The Washington State Legislature issued the following proviso for funding by the Department: “$100,000,000 of the coronavirus state fiscal recovery fund federal appropriation is provided solely for grants for public and private water, sewer, garbage, electric, and natural gas utilities to address low-income customer arrearages compounded by the COVID-19 pandemic and the related economic downturn that were accrued between March 1, 2020, and December 31, 2021.” The Washington State Legislature informed utility representatives of the availability of funding following the funding awarded to the Department. Commerce received the award for this program as part of the supplemental operating budget included in Senate Bill 5693, affective March 31, 2022. The Department held webinars allowing all interested utility service providers to obtain information on how to fund outstanding arrearage balances compounded by the COVID-19 pandemic. Utility providers requesting funding communicated their customer arrearage balances to the Energy Office who followed a reporting process for funding. The reporting process included receipt of the number of customers with arrearage balances, the amount applied to customer balances, if they were low income customers amongst other elements required to receive funding. By May 27, 2022, each utility that wished to participate opted-in to the grant program by providing the Department with the specific information. The opt-in was available for all utility service providers who had customers who met the low-income requirements. The proviso did not include any requirements for subrecipient monitoring elements, including the performance of risk assessments of utility providers. The proviso included who was eligible for funding and the period of performance. The compliance supplement for Assistance Listing Number 21.027 under 2 CFR 200 did not include any requirements for subrecipient monitoring for risk assessments. The Department’s Assistant Director for the Energy Division created the process in which utility service providers provided information for funding. At that time the Assistant Director created internal controls over reporting, fiscal monitoring and subrecipient monitoring which included the submission of required information including, low-income eligibility, customer accounts had to be in an arrearage status, dates of arrearage balances and confirmation of expenses paid for customer arrearages. That data was compiled in a monitoring workbook, monitored and retained. Commerce did not identify or implement an internal control over risk assessments as utility service providers were not ranked or categorized for funding as the award included funding for all eligible customers from the utilities who requested funding. A risk assessment was not necessary nor required as part of the compliance supplement or any other Code of Federal Regulation related to this award. Commerce implemented internal controls for all areas in which the regulations required. Further, Commerce created and maintained an appropriate level of monitoring for the elements identified for funding by the legislature through our obtaining low-income eligibility status and other factors required for funding. No risk assessment process was required as all eligible utility providers were funded. The Department strives to meet all requirements related to federal funding and will continue to improve internal controls and compliance when deficiencies are identified. Auditor’s Remarks Federal regulations, specifically 2 CFR 200.332 - Requirements for pass-through entities, requires risk assessments be performed for all subrecipients to determine the appropriate level of monitoring required to ensure the subrecipient complies with terms and conditions of the subaward. The fact that the state legislative proviso did not contain this provision did not absolve the Department from complying with the federal requirement. We informed the Department during the audit that we would be assessing its compliance with this requirement. This requirement is also outlined in the state’s grant agreement with the Department of the Treasury and is outlined in the federal grant compliance supplement that is published by the federal Office of Management and Budget every year. We reaffirm our audit finding and will follow up on the Department’s corrective action during the next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 332, Requirements for pass-through entities, establishes the requirements for all pass-through entities. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11.

2023-032 The Department of Commerce did not have adequate internal controls over and did not comply with requirements to ensure it communicated federal award identification elements to subrecipients of the Coronavirus State and Local Fiscal Recovery Fund. Assistance Listing Number and Title: 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Fund Federal Grantor Name: U.S. Department of the Treasury Federal Award/Contract Number: SLFRFP0002 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: No Background The Coronavirus State and Local Fiscal Recovery Funds (SLFRF), as part of the America Rescue Plan Act of 2021, delivered $350 billion to state, local, and tribal governments to support the response to and recovery from the COVID-19 public health emergency. Washington received $4.4 billion of SLFRF money from the U.S. Department of the Treasury, which the state’s Office of Financial Management allocated to state agencies for various programs. In fiscal year 2023, state agencies spent about $1.9 billion in SLFRF funds, more than $718 million of which was spent by the Department of Commerce. The Department used SLFRF funds to administer and provide economic assistance to households at risk of eviction and homelessness primarily through the Eviction Rental Assistance Program, in addition to transportation, tourism, and other pandemic-recovery projects. During fiscal year 2023, the Department expended about $253.5 million on reimbursements and advance payments to local governments and nonprofit organizations as subrecipients. These subrecipients were responsible for making direct payments of rent and utilities for eligible low-income households with overdue rent payments dating as far back as March 2020. Federal regulations require pass-through entities to ensure that every subaward is clearly identified as a subaward to a subrecipient, and that it includes 14 federal award identification elements. These elements include the subrecipient’s unique entity identifier, the Federal Award Identification Number, the name of the federal awarding agency, the program’s Assistance Listing Number and title, and more. Federal regulations also require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The Department did not have adequate internal controls over and did not comply with federal requirements to ensure it communicated all federal award identification elements to subrecipients of the SLFRF. During the audit period, the Department awarded new contracts and amendments totaling more than $16.8 million in SLFRF funds to 13 subrecipients. We examined all 13 subawards and determined all 13 did not clearly identify the agreement as a federal subaward and the subrecipient was referred to as a contractor throughout the award. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition The Department could not provide documentation to show it had adequate internal controls in place to ensure that the subawards included all the correct information. Furthermore, the subrecipients were referred to as contractors throughout each award because the Department used a contract template; it did not have a subaward template available at the time the subawards were issued. Effect of Condition Without establishing adequate internal controls, the Department cannot ensure it has communicated all required data elements to its subrecipients. Furthermore, by not clearly identifying the subaward as such, the Department cannot ensure its subrecipients have been adequately informed of the program requirements, federal regulations, and the subaward’s terms and conditions that it must comply with. Under federal law requirements for a subrecipient and a contractor are substantially different. Recommendation We recommend the Department establish adequate internal controls to ensure it includes all required information in every federal subaward. This must include ensuring that the award is clearly identified as a subaward and not a contract. Department’s Response The Department treated the recipient as a subrecipient and followed all of the Code of Federal Regulations (CFR) requirements, including communicating the Requirements for Pass-through Entities to all recipients through the 14 elements checklist in a contract amendment process. The Department informed the audit team that they had this documentation but the documentation was not requested. The Department agrees with the Washington State Auditor’s Office (SAO) that our contract template refers to the subrecipient in the contract as a “contractor”. That terminology was used to identify the recipient as part of the contract, not the type of federal recipient. We identified the need to specify the federal recipient type in the contract in 2022 and in October 2022 we changed the face sheets of all of our federal contract templates to identify each recipient as a subrecipient or contractor. Unfortunately there was a timing issue with the issuance of the contract included in the audit and the prior federal template was used. Going forward, all program contracts will be issued on the updated federal contract templates which will designate the recipient type as either a subrecipient or contractor. The Department supports it communicated the Requirements for Pass-Through entities federal identification elements through the subaward amendments that were issued during the period, however, the communication was made during the audit year and did not cover the full period of performance. Short of an error being made, the Department feels this exception has been resolved. We thank the Auditor’s Office for the opportunity to respond to the finding. Auditor’s Remarks We acknowledge the Department updated its subaward template during the audit period. However, we want to clarify that for the subawards examined during this audit, the Department did not issue written subaward amendments to communicate federal subaward elements to its subrecipients. Instead, the Department sent email correspondence to each subrecipient with a file attachment listing the fields required under 2 CFR 200.332(a)(1)(i) through (xiv). This attachment was not incorporated by reference into the subaward amendments executed during the audit period, and therefore we did not consider the information as part of the Department’s subaward. We reaffirm our audit finding and will review the status of the Department’s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 332, Requirements for pass-through entities, establishes requirements for all pass-through entities. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11.

2023-031 The Department of Commerce did not have adequate internal controls over and did not comply with requirements to perform risk assessments for subrecipients of the Coronavirus State and Local Fiscal Recovery Funds. Assistance Listing Number and Title: 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Funds Federal Grantor Name: U.S. Department of the Treasury Federal Award/Contract Number: SLFRP0002 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-021 Background The Coronavirus State and Local Fiscal Recovery Funds (SLFRF), as part of the America Rescue Plan Act of 2021, delivered $350 billion to state, local, and tribal governments to support the response to and recovery from the COVID-19 public health emergency. Washington received $4.4 billion of SLFRF money from the U.S. Department of the Treasury, which the state’s Office of Financial Management allocated to state agencies for various programs. In fiscal year 2023, state agencies spent about $1.9 billion in SLFRF funds, more than $718 million of which was spent by the Department of Commerce. The Legislature appropriated $100 million to the Department in SLFRF funding to award assistance to public and private water, sewer, garbage, electric, and natural gas utilities. With these funds, utilities could reduce residential customer account balances that were left unpaid due to the COVID-19 pandemic and the related economic downturn that were accrued between March 1, 2020, and December 31, 2021. The Department’s Energy Division expended about $100 million in payments to public and private utilities as subrecipients. Each utility that wished to participate in the program was required to submit an application for financial assistance documenting the current arrearage balances for residential customers as of March 31, 2022, as well as any available information on arrearage balances of low-income customers, including those receiving government assistance through the Low-Income Home Energy Assistance Program, Low-Income Water Assistance Program, or other ratepayer-funded Department programs as of March 31, 2022. In the event that the utility did not have access to this customer information, the Department distributed SLFRF funds to the community action program serving the same area as the utility. In determining the amount of funding that each utility could receive, the Department was required by the legislative mandate to consider: • Each participating utility’s proportion of the aggregate amount of arrearages among all participating utilities • Utility service areas that are situated in locations experiencing disproportionate environmental health disparities • American community survey poverty data • Whether the utility has leveraged other fund sources to reduce customer arrearages Pass-through entities are required to monitor the activities of subrecipients to ensure they are properly using federal funds for allowable activities and expenditures. To determine the appropriate level of monitoring, federal regulations require the Department to evaluate each subrecipient’s risk of noncompliance with federal statutes and regulations and the terms and conditions of the subaward. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit we reported the Department did not have adequate internal controls over and did not comply with requirements to perform risk assessments for subrecipients of the SFLRF. The prior finding number was 2022-021. Description of Condition The Department did not have adequate internal controls over and did not comply with requirements to perform risk assessments for SLFRF subrecipients. During the audit period, the Department awarded more than $99.8 million in SLFRF funds to 62 different utilities and community action programs. We determined the Department did not perform a risk assessment to determine the appropriate level of monitoring for each of its 62 subrecipients. We consider this internal control deficiency to be a material weakness, which led to material noncompliance. Cause of Condition Program management for the Department was not aware of the requirement to conduct a formal risk assessment over each subrecipient’s use of SLFRF funds, and did not consider performing a risk assessment over the subrecipients when following legislative guidance. Additionally, management outside of the Department’s Energy Division did not monitor to ensure risk assessments were performed before executing subawards with utilities. Effect of Condition Without performing risk assessments of subrecipients that received SLFRF funding, which the federal government has classified as a program of higher risk, the Department cannot determine the appropriate amount of monitoring required for each subrecipient. Not performing new risk assessments also makes the Department less likely to detect subrecipients’ noncompliance with federal regulations and the terms and conditions of subawards. Recommendations We recommend the Department: • Establish internal controls to ensure it performs risk assessments for all subawards issued to subrecipients • Ensure it performs and documents the required risk assessments sufficiently for management to evaluate the results and demonstrate compliance with federal requirements • Update its risk assessment procedures to ensure factors related to potential noncompliance with requirements for low-income utility grants and SLFRF are incorporated into the risk assessment results Department’s Response The Department thanks the Washington State Auditor’s Office for the opportunity to respond to the finding. The Department respectfully disagrees with the finding as the Auditor’s Office has provided no requirements or codes nor has the Department been informed of any which require a risk assessment process for this award applied to arrearage balances. Additionally, the Department asserts it had internal controls in place for the program requirements. The Washington State Legislature issued the following proviso for funding by the Department: “$100,000,000 of the coronavirus state fiscal recovery fund federal appropriation is provided solely for grants for public and private water, sewer, garbage, electric, and natural gas utilities to address low-income customer arrearages compounded by the COVID-19 pandemic and the related economic downturn that were accrued between March 1, 2020, and December 31, 2021.” The Washington State Legislature informed utility representatives of the availability of funding following the funding awarded to the Department. Commerce received the award for this program as part of the supplemental operating budget included in Senate Bill 5693, affective March 31, 2022. The Department held webinars allowing all interested utility service providers to obtain information on how to fund outstanding arrearage balances compounded by the COVID-19 pandemic. Utility providers requesting funding communicated their customer arrearage balances to the Energy Office who followed a reporting process for funding. The reporting process included receipt of the number of customers with arrearage balances, the amount applied to customer balances, if they were low income customers amongst other elements required to receive funding. By May 27, 2022, each utility that wished to participate opted-in to the grant program by providing the Department with the specific information. The opt-in was available for all utility service providers who had customers who met the low-income requirements. The proviso did not include any requirements for subrecipient monitoring elements, including the performance of risk assessments of utility providers. The proviso included who was eligible for funding and the period of performance. The compliance supplement for Assistance Listing Number 21.027 under 2 CFR 200 did not include any requirements for subrecipient monitoring for risk assessments. The Department’s Assistant Director for the Energy Division created the process in which utility service providers provided information for funding. At that time the Assistant Director created internal controls over reporting, fiscal monitoring and subrecipient monitoring which included the submission of required information including, low-income eligibility, customer accounts had to be in an arrearage status, dates of arrearage balances and confirmation of expenses paid for customer arrearages. That data was compiled in a monitoring workbook, monitored and retained. Commerce did not identify or implement an internal control over risk assessments as utility service providers were not ranked or categorized for funding as the award included funding for all eligible customers from the utilities who requested funding. A risk assessment was not necessary nor required as part of the compliance supplement or any other Code of Federal Regulation related to this award. Commerce implemented internal controls for all areas in which the regulations required. Further, Commerce created and maintained an appropriate level of monitoring for the elements identified for funding by the legislature through our obtaining low-income eligibility status and other factors required for funding. No risk assessment process was required as all eligible utility providers were funded. The Department strives to meet all requirements related to federal funding and will continue to improve internal controls and compliance when deficiencies are identified. Auditor’s Remarks Federal regulations, specifically 2 CFR 200.332 - Requirements for pass-through entities, requires risk assessments be performed for all subrecipients to determine the appropriate level of monitoring required to ensure the subrecipient complies with terms and conditions of the subaward. The fact that the state legislative proviso did not contain this provision did not absolve the Department from complying with the federal requirement. We informed the Department during the audit that we would be assessing its compliance with this requirement. This requirement is also outlined in the state’s grant agreement with the Department of the Treasury and is outlined in the federal grant compliance supplement that is published by the federal Office of Management and Budget every year. We reaffirm our audit finding and will follow up on the Department’s corrective action during the next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 332, Requirements for pass-through entities, establishes the requirements for all pass-through entities. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11.

2023-032 The Department of Commerce did not have adequate internal controls over and did not comply with requirements to ensure it communicated federal award identification elements to subrecipients of the Coronavirus State and Local Fiscal Recovery Fund. Assistance Listing Number and Title: 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Fund Federal Grantor Name: U.S. Department of the Treasury Federal Award/Contract Number: SLFRFP0002 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: No Background The Coronavirus State and Local Fiscal Recovery Funds (SLFRF), as part of the America Rescue Plan Act of 2021, delivered $350 billion to state, local, and tribal governments to support the response to and recovery from the COVID-19 public health emergency. Washington received $4.4 billion of SLFRF money from the U.S. Department of the Treasury, which the state’s Office of Financial Management allocated to state agencies for various programs. In fiscal year 2023, state agencies spent about $1.9 billion in SLFRF funds, more than $718 million of which was spent by the Department of Commerce. The Department used SLFRF funds to administer and provide economic assistance to households at risk of eviction and homelessness primarily through the Eviction Rental Assistance Program, in addition to transportation, tourism, and other pandemic-recovery projects. During fiscal year 2023, the Department expended about $253.5 million on reimbursements and advance payments to local governments and nonprofit organizations as subrecipients. These subrecipients were responsible for making direct payments of rent and utilities for eligible low-income households with overdue rent payments dating as far back as March 2020. Federal regulations require pass-through entities to ensure that every subaward is clearly identified as a subaward to a subrecipient, and that it includes 14 federal award identification elements. These elements include the subrecipient’s unique entity identifier, the Federal Award Identification Number, the name of the federal awarding agency, the program’s Assistance Listing Number and title, and more. Federal regulations also require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The Department did not have adequate internal controls over and did not comply with federal requirements to ensure it communicated all federal award identification elements to subrecipients of the SLFRF. During the audit period, the Department awarded new contracts and amendments totaling more than $16.8 million in SLFRF funds to 13 subrecipients. We examined all 13 subawards and determined all 13 did not clearly identify the agreement as a federal subaward and the subrecipient was referred to as a contractor throughout the award. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition The Department could not provide documentation to show it had adequate internal controls in place to ensure that the subawards included all the correct information. Furthermore, the subrecipients were referred to as contractors throughout each award because the Department used a contract template; it did not have a subaward template available at the time the subawards were issued. Effect of Condition Without establishing adequate internal controls, the Department cannot ensure it has communicated all required data elements to its subrecipients. Furthermore, by not clearly identifying the subaward as such, the Department cannot ensure its subrecipients have been adequately informed of the program requirements, federal regulations, and the subaward’s terms and conditions that it must comply with. Under federal law requirements for a subrecipient and a contractor are substantially different. Recommendation We recommend the Department establish adequate internal controls to ensure it includes all required information in every federal subaward. This must include ensuring that the award is clearly identified as a subaward and not a contract. Department’s Response The Department treated the recipient as a subrecipient and followed all of the Code of Federal Regulations (CFR) requirements, including communicating the Requirements for Pass-through Entities to all recipients through the 14 elements checklist in a contract amendment process. The Department informed the audit team that they had this documentation but the documentation was not requested. The Department agrees with the Washington State Auditor’s Office (SAO) that our contract template refers to the subrecipient in the contract as a “contractor”. That terminology was used to identify the recipient as part of the contract, not the type of federal recipient. We identified the need to specify the federal recipient type in the contract in 2022 and in October 2022 we changed the face sheets of all of our federal contract templates to identify each recipient as a subrecipient or contractor. Unfortunately there was a timing issue with the issuance of the contract included in the audit and the prior federal template was used. Going forward, all program contracts will be issued on the updated federal contract templates which will designate the recipient type as either a subrecipient or contractor. The Department supports it communicated the Requirements for Pass-Through entities federal identification elements through the subaward amendments that were issued during the period, however, the communication was made during the audit year and did not cover the full period of performance. Short of an error being made, the Department feels this exception has been resolved. We thank the Auditor’s Office for the opportunity to respond to the finding. Auditor’s Remarks We acknowledge the Department updated its subaward template during the audit period. However, we want to clarify that for the subawards examined during this audit, the Department did not issue written subaward amendments to communicate federal subaward elements to its subrecipients. Instead, the Department sent email correspondence to each subrecipient with a file attachment listing the fields required under 2 CFR 200.332(a)(1)(i) through (xiv). This attachment was not incorporated by reference into the subaward amendments executed during the audit period, and therefore we did not consider the information as part of the Department’s subaward. We reaffirm our audit finding and will review the status of the Department’s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 332, Requirements for pass-through entities, establishes requirements for all pass-through entities. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11.

2023-031 The Department of Commerce did not have adequate internal controls over and did not comply with requirements to perform risk assessments for subrecipients of the Coronavirus State and Local Fiscal Recovery Funds. Assistance Listing Number and Title: 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Funds Federal Grantor Name: U.S. Department of the Treasury Federal Award/Contract Number: SLFRP0002 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-021 Background The Coronavirus State and Local Fiscal Recovery Funds (SLFRF), as part of the America Rescue Plan Act of 2021, delivered $350 billion to state, local, and tribal governments to support the response to and recovery from the COVID-19 public health emergency. Washington received $4.4 billion of SLFRF money from the U.S. Department of the Treasury, which the state’s Office of Financial Management allocated to state agencies for various programs. In fiscal year 2023, state agencies spent about $1.9 billion in SLFRF funds, more than $718 million of which was spent by the Department of Commerce. The Legislature appropriated $100 million to the Department in SLFRF funding to award assistance to public and private water, sewer, garbage, electric, and natural gas utilities. With these funds, utilities could reduce residential customer account balances that were left unpaid due to the COVID-19 pandemic and the related economic downturn that were accrued between March 1, 2020, and December 31, 2021. The Department’s Energy Division expended about $100 million in payments to public and private utilities as subrecipients. Each utility that wished to participate in the program was required to submit an application for financial assistance documenting the current arrearage balances for residential customers as of March 31, 2022, as well as any available information on arrearage balances of low-income customers, including those receiving government assistance through the Low-Income Home Energy Assistance Program, Low-Income Water Assistance Program, or other ratepayer-funded Department programs as of March 31, 2022. In the event that the utility did not have access to this customer information, the Department distributed SLFRF funds to the community action program serving the same area as the utility. In determining the amount of funding that each utility could receive, the Department was required by the legislative mandate to consider: • Each participating utility’s proportion of the aggregate amount of arrearages among all participating utilities • Utility service areas that are situated in locations experiencing disproportionate environmental health disparities • American community survey poverty data • Whether the utility has leveraged other fund sources to reduce customer arrearages Pass-through entities are required to monitor the activities of subrecipients to ensure they are properly using federal funds for allowable activities and expenditures. To determine the appropriate level of monitoring, federal regulations require the Department to evaluate each subrecipient’s risk of noncompliance with federal statutes and regulations and the terms and conditions of the subaward. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit we reported the Department did not have adequate internal controls over and did not comply with requirements to perform risk assessments for subrecipients of the SFLRF. The prior finding number was 2022-021. Description of Condition The Department did not have adequate internal controls over and did not comply with requirements to perform risk assessments for SLFRF subrecipients. During the audit period, the Department awarded more than $99.8 million in SLFRF funds to 62 different utilities and community action programs. We determined the Department did not perform a risk assessment to determine the appropriate level of monitoring for each of its 62 subrecipients. We consider this internal control deficiency to be a material weakness, which led to material noncompliance. Cause of Condition Program management for the Department was not aware of the requirement to conduct a formal risk assessment over each subrecipient’s use of SLFRF funds, and did not consider performing a risk assessment over the subrecipients when following legislative guidance. Additionally, management outside of the Department’s Energy Division did not monitor to ensure risk assessments were performed before executing subawards with utilities. Effect of Condition Without performing risk assessments of subrecipients that received SLFRF funding, which the federal government has classified as a program of higher risk, the Department cannot determine the appropriate amount of monitoring required for each subrecipient. Not performing new risk assessments also makes the Department less likely to detect subrecipients’ noncompliance with federal regulations and the terms and conditions of subawards. Recommendations We recommend the Department: • Establish internal controls to ensure it performs risk assessments for all subawards issued to subrecipients • Ensure it performs and documents the required risk assessments sufficiently for management to evaluate the results and demonstrate compliance with federal requirements • Update its risk assessment procedures to ensure factors related to potential noncompliance with requirements for low-income utility grants and SLFRF are incorporated into the risk assessment results Department’s Response The Department thanks the Washington State Auditor’s Office for the opportunity to respond to the finding. The Department respectfully disagrees with the finding as the Auditor’s Office has provided no requirements or codes nor has the Department been informed of any which require a risk assessment process for this award applied to arrearage balances. Additionally, the Department asserts it had internal controls in place for the program requirements. The Washington State Legislature issued the following proviso for funding by the Department: “$100,000,000 of the coronavirus state fiscal recovery fund federal appropriation is provided solely for grants for public and private water, sewer, garbage, electric, and natural gas utilities to address low-income customer arrearages compounded by the COVID-19 pandemic and the related economic downturn that were accrued between March 1, 2020, and December 31, 2021.” The Washington State Legislature informed utility representatives of the availability of funding following the funding awarded to the Department. Commerce received the award for this program as part of the supplemental operating budget included in Senate Bill 5693, affective March 31, 2022. The Department held webinars allowing all interested utility service providers to obtain information on how to fund outstanding arrearage balances compounded by the COVID-19 pandemic. Utility providers requesting funding communicated their customer arrearage balances to the Energy Office who followed a reporting process for funding. The reporting process included receipt of the number of customers with arrearage balances, the amount applied to customer balances, if they were low income customers amongst other elements required to receive funding. By May 27, 2022, each utility that wished to participate opted-in to the grant program by providing the Department with the specific information. The opt-in was available for all utility service providers who had customers who met the low-income requirements. The proviso did not include any requirements for subrecipient monitoring elements, including the performance of risk assessments of utility providers. The proviso included who was eligible for funding and the period of performance. The compliance supplement for Assistance Listing Number 21.027 under 2 CFR 200 did not include any requirements for subrecipient monitoring for risk assessments. The Department’s Assistant Director for the Energy Division created the process in which utility service providers provided information for funding. At that time the Assistant Director created internal controls over reporting, fiscal monitoring and subrecipient monitoring which included the submission of required information including, low-income eligibility, customer accounts had to be in an arrearage status, dates of arrearage balances and confirmation of expenses paid for customer arrearages. That data was compiled in a monitoring workbook, monitored and retained. Commerce did not identify or implement an internal control over risk assessments as utility service providers were not ranked or categorized for funding as the award included funding for all eligible customers from the utilities who requested funding. A risk assessment was not necessary nor required as part of the compliance supplement or any other Code of Federal Regulation related to this award. Commerce implemented internal controls for all areas in which the regulations required. Further, Commerce created and maintained an appropriate level of monitoring for the elements identified for funding by the legislature through our obtaining low-income eligibility status and other factors required for funding. No risk assessment process was required as all eligible utility providers were funded. The Department strives to meet all requirements related to federal funding and will continue to improve internal controls and compliance when deficiencies are identified. Auditor’s Remarks Federal regulations, specifically 2 CFR 200.332 - Requirements for pass-through entities, requires risk assessments be performed for all subrecipients to determine the appropriate level of monitoring required to ensure the subrecipient complies with terms and conditions of the subaward. The fact that the state legislative proviso did not contain this provision did not absolve the Department from complying with the federal requirement. We informed the Department during the audit that we would be assessing its compliance with this requirement. This requirement is also outlined in the state’s grant agreement with the Department of the Treasury and is outlined in the federal grant compliance supplement that is published by the federal Office of Management and Budget every year. We reaffirm our audit finding and will follow up on the Department’s corrective action during the next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 332, Requirements for pass-through entities, establishes the requirements for all pass-through entities. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11.

2023-032 The Department of Commerce did not have adequate internal controls over and did not comply with requirements to ensure it communicated federal award identification elements to subrecipients of the Coronavirus State and Local Fiscal Recovery Fund. Assistance Listing Number and Title: 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Fund Federal Grantor Name: U.S. Department of the Treasury Federal Award/Contract Number: SLFRFP0002 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: No Background The Coronavirus State and Local Fiscal Recovery Funds (SLFRF), as part of the America Rescue Plan Act of 2021, delivered $350 billion to state, local, and tribal governments to support the response to and recovery from the COVID-19 public health emergency. Washington received $4.4 billion of SLFRF money from the U.S. Department of the Treasury, which the state’s Office of Financial Management allocated to state agencies for various programs. In fiscal year 2023, state agencies spent about $1.9 billion in SLFRF funds, more than $718 million of which was spent by the Department of Commerce. The Department used SLFRF funds to administer and provide economic assistance to households at risk of eviction and homelessness primarily through the Eviction Rental Assistance Program, in addition to transportation, tourism, and other pandemic-recovery projects. During fiscal year 2023, the Department expended about $253.5 million on reimbursements and advance payments to local governments and nonprofit organizations as subrecipients. These subrecipients were responsible for making direct payments of rent and utilities for eligible low-income households with overdue rent payments dating as far back as March 2020. Federal regulations require pass-through entities to ensure that every subaward is clearly identified as a subaward to a subrecipient, and that it includes 14 federal award identification elements. These elements include the subrecipient’s unique entity identifier, the Federal Award Identification Number, the name of the federal awarding agency, the program’s Assistance Listing Number and title, and more. Federal regulations also require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The Department did not have adequate internal controls over and did not comply with federal requirements to ensure it communicated all federal award identification elements to subrecipients of the SLFRF. During the audit period, the Department awarded new contracts and amendments totaling more than $16.8 million in SLFRF funds to 13 subrecipients. We examined all 13 subawards and determined all 13 did not clearly identify the agreement as a federal subaward and the subrecipient was referred to as a contractor throughout the award. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition The Department could not provide documentation to show it had adequate internal controls in place to ensure that the subawards included all the correct information. Furthermore, the subrecipients were referred to as contractors throughout each award because the Department used a contract template; it did not have a subaward template available at the time the subawards were issued. Effect of Condition Without establishing adequate internal controls, the Department cannot ensure it has communicated all required data elements to its subrecipients. Furthermore, by not clearly identifying the subaward as such, the Department cannot ensure its subrecipients have been adequately informed of the program requirements, federal regulations, and the subaward’s terms and conditions that it must comply with. Under federal law requirements for a subrecipient and a contractor are substantially different. Recommendation We recommend the Department establish adequate internal controls to ensure it includes all required information in every federal subaward. This must include ensuring that the award is clearly identified as a subaward and not a contract. Department’s Response The Department treated the recipient as a subrecipient and followed all of the Code of Federal Regulations (CFR) requirements, including communicating the Requirements for Pass-through Entities to all recipients through the 14 elements checklist in a contract amendment process. The Department informed the audit team that they had this documentation but the documentation was not requested. The Department agrees with the Washington State Auditor’s Office (SAO) that our contract template refers to the subrecipient in the contract as a “contractor”. That terminology was used to identify the recipient as part of the contract, not the type of federal recipient. We identified the need to specify the federal recipient type in the contract in 2022 and in October 2022 we changed the face sheets of all of our federal contract templates to identify each recipient as a subrecipient or contractor. Unfortunately there was a timing issue with the issuance of the contract included in the audit and the prior federal template was used. Going forward, all program contracts will be issued on the updated federal contract templates which will designate the recipient type as either a subrecipient or contractor. The Department supports it communicated the Requirements for Pass-Through entities federal identification elements through the subaward amendments that were issued during the period, however, the communication was made during the audit year and did not cover the full period of performance. Short of an error being made, the Department feels this exception has been resolved. We thank the Auditor’s Office for the opportunity to respond to the finding. Auditor’s Remarks We acknowledge the Department updated its subaward template during the audit period. However, we want to clarify that for the subawards examined during this audit, the Department did not issue written subaward amendments to communicate federal subaward elements to its subrecipients. Instead, the Department sent email correspondence to each subrecipient with a file attachment listing the fields required under 2 CFR 200.332(a)(1)(i) through (xiv). This attachment was not incorporated by reference into the subaward amendments executed during the audit period, and therefore we did not consider the information as part of the Department’s subaward. We reaffirm our audit finding and will review the status of the Department’s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 332, Requirements for pass-through entities, establishes requirements for all pass-through entities. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11.

2023-031 The Department of Commerce did not have adequate internal controls over and did not comply with requirements to perform risk assessments for subrecipients of the Coronavirus State and Local Fiscal Recovery Funds. Assistance Listing Number and Title: 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Funds Federal Grantor Name: U.S. Department of the Treasury Federal Award/Contract Number: SLFRP0002 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-021 Background The Coronavirus State and Local Fiscal Recovery Funds (SLFRF), as part of the America Rescue Plan Act of 2021, delivered $350 billion to state, local, and tribal governments to support the response to and recovery from the COVID-19 public health emergency. Washington received $4.4 billion of SLFRF money from the U.S. Department of the Treasury, which the state’s Office of Financial Management allocated to state agencies for various programs. In fiscal year 2023, state agencies spent about $1.9 billion in SLFRF funds, more than $718 million of which was spent by the Department of Commerce. The Legislature appropriated $100 million to the Department in SLFRF funding to award assistance to public and private water, sewer, garbage, electric, and natural gas utilities. With these funds, utilities could reduce residential customer account balances that were left unpaid due to the COVID-19 pandemic and the related economic downturn that were accrued between March 1, 2020, and December 31, 2021. The Department’s Energy Division expended about $100 million in payments to public and private utilities as subrecipients. Each utility that wished to participate in the program was required to submit an application for financial assistance documenting the current arrearage balances for residential customers as of March 31, 2022, as well as any available information on arrearage balances of low-income customers, including those receiving government assistance through the Low-Income Home Energy Assistance Program, Low-Income Water Assistance Program, or other ratepayer-funded Department programs as of March 31, 2022. In the event that the utility did not have access to this customer information, the Department distributed SLFRF funds to the community action program serving the same area as the utility. In determining the amount of funding that each utility could receive, the Department was required by the legislative mandate to consider: • Each participating utility’s proportion of the aggregate amount of arrearages among all participating utilities • Utility service areas that are situated in locations experiencing disproportionate environmental health disparities • American community survey poverty data • Whether the utility has leveraged other fund sources to reduce customer arrearages Pass-through entities are required to monitor the activities of subrecipients to ensure they are properly using federal funds for allowable activities and expenditures. To determine the appropriate level of monitoring, federal regulations require the Department to evaluate each subrecipient’s risk of noncompliance with federal statutes and regulations and the terms and conditions of the subaward. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit we reported the Department did not have adequate internal controls over and did not comply with requirements to perform risk assessments for subrecipients of the SFLRF. The prior finding number was 2022-021. Description of Condition The Department did not have adequate internal controls over and did not comply with requirements to perform risk assessments for SLFRF subrecipients. During the audit period, the Department awarded more than $99.8 million in SLFRF funds to 62 different utilities and community action programs. We determined the Department did not perform a risk assessment to determine the appropriate level of monitoring for each of its 62 subrecipients. We consider this internal control deficiency to be a material weakness, which led to material noncompliance. Cause of Condition Program management for the Department was not aware of the requirement to conduct a formal risk assessment over each subrecipient’s use of SLFRF funds, and did not consider performing a risk assessment over the subrecipients when following legislative guidance. Additionally, management outside of the Department’s Energy Division did not monitor to ensure risk assessments were performed before executing subawards with utilities. Effect of Condition Without performing risk assessments of subrecipients that received SLFRF funding, which the federal government has classified as a program of higher risk, the Department cannot determine the appropriate amount of monitoring required for each subrecipient. Not performing new risk assessments also makes the Department less likely to detect subrecipients’ noncompliance with federal regulations and the terms and conditions of subawards. Recommendations We recommend the Department: • Establish internal controls to ensure it performs risk assessments for all subawards issued to subrecipients • Ensure it performs and documents the required risk assessments sufficiently for management to evaluate the results and demonstrate compliance with federal requirements • Update its risk assessment procedures to ensure factors related to potential noncompliance with requirements for low-income utility grants and SLFRF are incorporated into the risk assessment results Department’s Response The Department thanks the Washington State Auditor’s Office for the opportunity to respond to the finding. The Department respectfully disagrees with the finding as the Auditor’s Office has provided no requirements or codes nor has the Department been informed of any which require a risk assessment process for this award applied to arrearage balances. Additionally, the Department asserts it had internal controls in place for the program requirements. The Washington State Legislature issued the following proviso for funding by the Department: “$100,000,000 of the coronavirus state fiscal recovery fund federal appropriation is provided solely for grants for public and private water, sewer, garbage, electric, and natural gas utilities to address low-income customer arrearages compounded by the COVID-19 pandemic and the related economic downturn that were accrued between March 1, 2020, and December 31, 2021.” The Washington State Legislature informed utility representatives of the availability of funding following the funding awarded to the Department. Commerce received the award for this program as part of the supplemental operating budget included in Senate Bill 5693, affective March 31, 2022. The Department held webinars allowing all interested utility service providers to obtain information on how to fund outstanding arrearage balances compounded by the COVID-19 pandemic. Utility providers requesting funding communicated their customer arrearage balances to the Energy Office who followed a reporting process for funding. The reporting process included receipt of the number of customers with arrearage balances, the amount applied to customer balances, if they were low income customers amongst other elements required to receive funding. By May 27, 2022, each utility that wished to participate opted-in to the grant program by providing the Department with the specific information. The opt-in was available for all utility service providers who had customers who met the low-income requirements. The proviso did not include any requirements for subrecipient monitoring elements, including the performance of risk assessments of utility providers. The proviso included who was eligible for funding and the period of performance. The compliance supplement for Assistance Listing Number 21.027 under 2 CFR 200 did not include any requirements for subrecipient monitoring for risk assessments. The Department’s Assistant Director for the Energy Division created the process in which utility service providers provided information for funding. At that time the Assistant Director created internal controls over reporting, fiscal monitoring and subrecipient monitoring which included the submission of required information including, low-income eligibility, customer accounts had to be in an arrearage status, dates of arrearage balances and confirmation of expenses paid for customer arrearages. That data was compiled in a monitoring workbook, monitored and retained. Commerce did not identify or implement an internal control over risk assessments as utility service providers were not ranked or categorized for funding as the award included funding for all eligible customers from the utilities who requested funding. A risk assessment was not necessary nor required as part of the compliance supplement or any other Code of Federal Regulation related to this award. Commerce implemented internal controls for all areas in which the regulations required. Further, Commerce created and maintained an appropriate level of monitoring for the elements identified for funding by the legislature through our obtaining low-income eligibility status and other factors required for funding. No risk assessment process was required as all eligible utility providers were funded. The Department strives to meet all requirements related to federal funding and will continue to improve internal controls and compliance when deficiencies are identified. Auditor’s Remarks Federal regulations, specifically 2 CFR 200.332 - Requirements for pass-through entities, requires risk assessments be performed for all subrecipients to determine the appropriate level of monitoring required to ensure the subrecipient complies with terms and conditions of the subaward. The fact that the state legislative proviso did not contain this provision did not absolve the Department from complying with the federal requirement. We informed the Department during the audit that we would be assessing its compliance with this requirement. This requirement is also outlined in the state’s grant agreement with the Department of the Treasury and is outlined in the federal grant compliance supplement that is published by the federal Office of Management and Budget every year. We reaffirm our audit finding and will follow up on the Department’s corrective action during the next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 332, Requirements for pass-through entities, establishes the requirements for all pass-through entities. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11.

2023-032 The Department of Commerce did not have adequate internal controls over and did not comply with requirements to ensure it communicated federal award identification elements to subrecipients of the Coronavirus State and Local Fiscal Recovery Fund. Assistance Listing Number and Title: 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Fund Federal Grantor Name: U.S. Department of the Treasury Federal Award/Contract Number: SLFRFP0002 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: No Background The Coronavirus State and Local Fiscal Recovery Funds (SLFRF), as part of the America Rescue Plan Act of 2021, delivered $350 billion to state, local, and tribal governments to support the response to and recovery from the COVID-19 public health emergency. Washington received $4.4 billion of SLFRF money from the U.S. Department of the Treasury, which the state’s Office of Financial Management allocated to state agencies for various programs. In fiscal year 2023, state agencies spent about $1.9 billion in SLFRF funds, more than $718 million of which was spent by the Department of Commerce. The Department used SLFRF funds to administer and provide economic assistance to households at risk of eviction and homelessness primarily through the Eviction Rental Assistance Program, in addition to transportation, tourism, and other pandemic-recovery projects. During fiscal year 2023, the Department expended about $253.5 million on reimbursements and advance payments to local governments and nonprofit organizations as subrecipients. These subrecipients were responsible for making direct payments of rent and utilities for eligible low-income households with overdue rent payments dating as far back as March 2020. Federal regulations require pass-through entities to ensure that every subaward is clearly identified as a subaward to a subrecipient, and that it includes 14 federal award identification elements. These elements include the subrecipient’s unique entity identifier, the Federal Award Identification Number, the name of the federal awarding agency, the program’s Assistance Listing Number and title, and more. Federal regulations also require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The Department did not have adequate internal controls over and did not comply with federal requirements to ensure it communicated all federal award identification elements to subrecipients of the SLFRF. During the audit period, the Department awarded new contracts and amendments totaling more than $16.8 million in SLFRF funds to 13 subrecipients. We examined all 13 subawards and determined all 13 did not clearly identify the agreement as a federal subaward and the subrecipient was referred to as a contractor throughout the award. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition The Department could not provide documentation to show it had adequate internal controls in place to ensure that the subawards included all the correct information. Furthermore, the subrecipients were referred to as contractors throughout each award because the Department used a contract template; it did not have a subaward template available at the time the subawards were issued. Effect of Condition Without establishing adequate internal controls, the Department cannot ensure it has communicated all required data elements to its subrecipients. Furthermore, by not clearly identifying the subaward as such, the Department cannot ensure its subrecipients have been adequately informed of the program requirements, federal regulations, and the subaward’s terms and conditions that it must comply with. Under federal law requirements for a subrecipient and a contractor are substantially different. Recommendation We recommend the Department establish adequate internal controls to ensure it includes all required information in every federal subaward. This must include ensuring that the award is clearly identified as a subaward and not a contract. Department’s Response The Department treated the recipient as a subrecipient and followed all of the Code of Federal Regulations (CFR) requirements, including communicating the Requirements for Pass-through Entities to all recipients through the 14 elements checklist in a contract amendment process. The Department informed the audit team that they had this documentation but the documentation was not requested. The Department agrees with the Washington State Auditor’s Office (SAO) that our contract template refers to the subrecipient in the contract as a “contractor”. That terminology was used to identify the recipient as part of the contract, not the type of federal recipient. We identified the need to specify the federal recipient type in the contract in 2022 and in October 2022 we changed the face sheets of all of our federal contract templates to identify each recipient as a subrecipient or contractor. Unfortunately there was a timing issue with the issuance of the contract included in the audit and the prior federal template was used. Going forward, all program contracts will be issued on the updated federal contract templates which will designate the recipient type as either a subrecipient or contractor. The Department supports it communicated the Requirements for Pass-Through entities federal identification elements through the subaward amendments that were issued during the period, however, the communication was made during the audit year and did not cover the full period of performance. Short of an error being made, the Department feels this exception has been resolved. We thank the Auditor’s Office for the opportunity to respond to the finding. Auditor’s Remarks We acknowledge the Department updated its subaward template during the audit period. However, we want to clarify that for the subawards examined during this audit, the Department did not issue written subaward amendments to communicate federal subaward elements to its subrecipients. Instead, the Department sent email correspondence to each subrecipient with a file attachment listing the fields required under 2 CFR 200.332(a)(1)(i) through (xiv). This attachment was not incorporated by reference into the subaward amendments executed during the audit period, and therefore we did not consider the information as part of the Department’s subaward. We reaffirm our audit finding and will review the status of the Department’s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 332, Requirements for pass-through entities, establishes requirements for all pass-through entities. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11.

2023-050 The Department of Health did not have adequate internal controls over and did not comply with fiscal monitoring requirements for the Epidemiology and Laboratory Capacity for Infectious Diseases program. Assistance Listing Number and Title: 93.323 Epidemiology and Laboratory Capacity for Infectious Diseases 93.323 COVID-19 Epidemiology and Laboratory Capacity for Infectious Diseases Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU50CK000515-05-00; NU50CK000515-01-06; NU50CK000515-01-07; NU50CK000515-01-08; NU50CK000515-02-04; NU50CK000515-01-09; NU50CK000515-02-01; NU50CK000515-02-06; NU50CK000515-02-03; NU50CK000515-02-09; NU50CK000515-02-07; NU50CK000515-03-03; NU50CK000515-03-01; NU50CK000515-04-00; NU50CK000515-04-03 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-033 Background The Department of Health administers the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program. The goal of the program is to support state, local, and territories’ public health efforts to reduce morbidity and associated deaths caused by a wide range of infectious disease threats. ELC provides annual funding, strategic direction, and technical assistance to domestic jurisdictions for strengthening core capacities in epidemiology, laboratory, and health information systems activities. In addition to strengthening core infectious disease capacities nationwide, the program also supports many specific infectious disease programs and projects, and it provides special appropriations in response to infectious disease emergencies. The Department spent about $198.5 million in federal grant funds during fiscal year 2023, about $17 million of which was disbursed to subrecipients. In response to the COVID pandemic, ELC subrecipients have received a significant increase in funding over the last few years. Federal regulations require the Department to monitor the activities of subrecipients to ensure they use subawards for authorized purposes and in compliance with federal statutes, regulations, and the terms and conditions of the subaward. This monitoring must include reviewing financial reports and taking timely and appropriate action on all deficiencies pertaining to the federal award. The Department assigns each subrecipient a compliance risk level based on standardized criteria. The Department’s Fiscal Monitoring Unit (FMU) conducts on-site fiscal reviews of each subrecipient every two years. This review includes all federal awards the subrecipient received from the Department for the period under review. Reviewers complete a standardized template to document their work. Using the subrecipient’s reimbursement requests, reviewers judgmentally determine how many samples of payroll expenditures and contractor payments to review to ensure there is adequate source documentation. Reviewers also look at general accounting information, budget information, equipment purchases and other items. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Department did not have adequate internal controls over and did not comply with fiscal monitoring requirements to ensure subrecipients of the ELC program only used funds for allowable activities and met cost principles. The prior finding number was 2022-033. Description of Condition The Department did not have adequate internal controls over and did not comply with fiscal monitoring requirements for the ELC program. The Department does not have written procedures to guide reviewers on the number of reimbursement samples to review based on the subrecipient’s risk level. We used a nonstatistical sampling method to randomly select and examine five out of a total of 10 subrecipients that received a fiscal review during the audit period. For each subrecipients, we noted that the fiscal monitoring only covered between 0.19 percent and 3.37 percent of total grant awards. Additionally, the Department only sampled between one and nine transactions specific to the ELC program during the reviews. Furthermore, for each subrecipient, the Department only sampled from either payroll or contractor transactions, never both. These samples covered between 0.02 percent to 1.82 percent of the total ELC grant award for the subrecipients. The table below identifies the samples reviewed for each subrecipient. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Management has not established guidance for how many transactions fiscal reviewers need to review from source documentation to have assurance subrecipients spent program funds spent accordance with grant requirements. Furthermore, management believed the level of review was adequate to ensure a sufficient level of monitoring. Effect of Condition Without establishing adequate internal controls, the Department cannot reasonably ensure its subrecipients are spending federal funds in accordance with grant requirements. Without adequately monitoring each subrecipient’s use of federal funds expended during the period of performance of the subaward, the Department does not have reasonable assurance that the subrecipient has complied with the terms and conditions of the subaward. Further, allowing staff to select samples without adequate guidance from management does not provide the Department with reasonable assurance that subrecipients spent program funds in accordance with grant requirements and federal regulations. Recommendation We recommend the Department strengthen internal controls to ensure it performs fiscal monitoring to a level that provides reasonable assurance that subrecipients’ use of federal funds complies with federal laws and regulations and the subaward’s terms and conditions. Department’s Response We do not concur with the finding. We understand that the State Auditor’s Office (SAO) reviewed a specific grant as part of the scope of this audit. The Department of Health (DOH) finds it misleading that SAO did not report on the subrecipient review process in its entirety. The DOH Fiscal Monitoring Unit (FMU) is not an audit department, therefore the standards DOH FMU functions on are very different than what SAO is recommending in the finding. FMU is audited annually by different federal partners, and those partners have identified no concerns with the monitoring visit methodology used as it is in line with compliance requirement 2 CFR 200.332. Federal guidance does not state DOH must select a certain percentage of samples to ensure adequate review. The DOH subrecipient monitoring process is a comprehensive process that starts with an initial risk assessment which is completed prior to contract execution. This assessment determines the level of support each subrecipient is required to submit as back up documentation for payment requests. Programs then have contract managers review this support prior to payment. In addition, monitoring visits are performed on subrecipients. As part of that process, the FMU reviews at least three months of invoices submitted by subrecipients and includes reviews of entity policies, procedures, internal controls both manual and automated, applicable contracts, history of compliance and applicable cost allocation methodology to ensure each entity is compliant with federal requirements and has adequate internal controls. As part of the review, each FMU staff member will judgmentally select items to review from the selected invoices. FMU staff make this selection using their subject matter expertise about DOH, specific programs and federal guidance to identify transactions for review. This review includes looking at supporting documentation such as timesheets and receipts. FMU reviews the entity, not a specific grant when performing a site visit. The reviewer must document the grants the entity receives and then selects a few transactions from each award type, if applicable. Each entity has a consistent control structure across all funding types so there is no value in reviewing a significant number of transactions from each award type as the controls do not vary. As you can see from the table provided, of the invoices reviewed, DOH typically reviews a quarter of the amount invoiced for. If a grant award is not represented in the invoices selected, FMU will select an additional invoice to ensure all awards are included. This happened in the case of sample three. In the case of sample one, no vendor payments were reviewed because the entity only invoiced for payroll for the selected months. Executive leadership supports the approach used by FMU and is not considering program changes related to the recommendation at this time. Auditor’s Remarks While federal regulations do not require a specific percentage of program expenditures be reviewed when entities monitor subrecipients, in our judgment, the amount reviewed by the Department for the ELC program did not provide management with reasonable assurance that subawards were used for authorized purposes, were spent in compliance with federal requirements and the terms and conditions of the awards. The Department cannot rely on reviews performed for other federal awards as an effective means to ensure compliance for the ELC program. The Department asserts that FMU staff selects invoices for all grant awards issued to the subrecipient. Then, FMU staff judgmentally pick samples from the three selected invoices, significantly limiting the number of expenditures reviewed, as evidence in our testing. Furthermore, the Department does not have written procedures guiding FMU staff on the level of fiscal review for federal grant expenditures. It also acknowledges that the risk assessment level drives the level of backup documentation required for payment requests. The risk assessment does not influence the level of fiscal review. The Department provided a table of the number of expenditures it asserts it reviewed at each subrecipient we tested but acknowledges that these expenditures are from all programs and not specific to ELC. The amount of review done for other federal programs or state funded programs is not relevant when determining whether the subrecipient complied with the terms of the ELC subaward. We reaffirm our finding, and we will review the status of the Department’s corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, section 516, Audit findings, establishes reporting requirements for audit findings. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11.

2023-050 The Department of Health did not have adequate internal controls over and did not comply with fiscal monitoring requirements for the Epidemiology and Laboratory Capacity for Infectious Diseases program. Assistance Listing Number and Title: 93.323 Epidemiology and Laboratory Capacity for Infectious Diseases 93.323 COVID-19 Epidemiology and Laboratory Capacity for Infectious Diseases Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU50CK000515-05-00; NU50CK000515-01-06; NU50CK000515-01-07; NU50CK000515-01-08; NU50CK000515-02-04; NU50CK000515-01-09; NU50CK000515-02-01; NU50CK000515-02-06; NU50CK000515-02-03; NU50CK000515-02-09; NU50CK000515-02-07; NU50CK000515-03-03; NU50CK000515-03-01; NU50CK000515-04-00; NU50CK000515-04-03 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-033 Background The Department of Health administers the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program. The goal of the program is to support state, local, and territories’ public health efforts to reduce morbidity and associated deaths caused by a wide range of infectious disease threats. ELC provides annual funding, strategic direction, and technical assistance to domestic jurisdictions for strengthening core capacities in epidemiology, laboratory, and health information systems activities. In addition to strengthening core infectious disease capacities nationwide, the program also supports many specific infectious disease programs and projects, and it provides special appropriations in response to infectious disease emergencies. The Department spent about $198.5 million in federal grant funds during fiscal year 2023, about $17 million of which was disbursed to subrecipients. In response to the COVID pandemic, ELC subrecipients have received a significant increase in funding over the last few years. Federal regulations require the Department to monitor the activities of subrecipients to ensure they use subawards for authorized purposes and in compliance with federal statutes, regulations, and the terms and conditions of the subaward. This monitoring must include reviewing financial reports and taking timely and appropriate action on all deficiencies pertaining to the federal award. The Department assigns each subrecipient a compliance risk level based on standardized criteria. The Department’s Fiscal Monitoring Unit (FMU) conducts on-site fiscal reviews of each subrecipient every two years. This review includes all federal awards the subrecipient received from the Department for the period under review. Reviewers complete a standardized template to document their work. Using the subrecipient’s reimbursement requests, reviewers judgmentally determine how many samples of payroll expenditures and contractor payments to review to ensure there is adequate source documentation. Reviewers also look at general accounting information, budget information, equipment purchases and other items. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Department did not have adequate internal controls over and did not comply with fiscal monitoring requirements to ensure subrecipients of the ELC program only used funds for allowable activities and met cost principles. The prior finding number was 2022-033. Description of Condition The Department did not have adequate internal controls over and did not comply with fiscal monitoring requirements for the ELC program. The Department does not have written procedures to guide reviewers on the number of reimbursement samples to review based on the subrecipient’s risk level. We used a nonstatistical sampling method to randomly select and examine five out of a total of 10 subrecipients that received a fiscal review during the audit period. For each subrecipients, we noted that the fiscal monitoring only covered between 0.19 percent and 3.37 percent of total grant awards. Additionally, the Department only sampled between one and nine transactions specific to the ELC program during the reviews. Furthermore, for each subrecipient, the Department only sampled from either payroll or contractor transactions, never both. These samples covered between 0.02 percent to 1.82 percent of the total ELC grant award for the subrecipients. The table below identifies the samples reviewed for each subrecipient. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Management has not established guidance for how many transactions fiscal reviewers need to review from source documentation to have assurance subrecipients spent program funds spent accordance with grant requirements. Furthermore, management believed the level of review was adequate to ensure a sufficient level of monitoring. Effect of Condition Without establishing adequate internal controls, the Department cannot reasonably ensure its subrecipients are spending federal funds in accordance with grant requirements. Without adequately monitoring each subrecipient’s use of federal funds expended during the period of performance of the subaward, the Department does not have reasonable assurance that the subrecipient has complied with the terms and conditions of the subaward. Further, allowing staff to select samples without adequate guidance from management does not provide the Department with reasonable assurance that subrecipients spent program funds in accordance with grant requirements and federal regulations. Recommendation We recommend the Department strengthen internal controls to ensure it performs fiscal monitoring to a level that provides reasonable assurance that subrecipients’ use of federal funds complies with federal laws and regulations and the subaward’s terms and conditions. Department’s Response We do not concur with the finding. We understand that the State Auditor’s Office (SAO) reviewed a specific grant as part of the scope of this audit. The Department of Health (DOH) finds it misleading that SAO did not report on the subrecipient review process in its entirety. The DOH Fiscal Monitoring Unit (FMU) is not an audit department, therefore the standards DOH FMU functions on are very different than what SAO is recommending in the finding. FMU is audited annually by different federal partners, and those partners have identified no concerns with the monitoring visit methodology used as it is in line with compliance requirement 2 CFR 200.332. Federal guidance does not state DOH must select a certain percentage of samples to ensure adequate review. The DOH subrecipient monitoring process is a comprehensive process that starts with an initial risk assessment which is completed prior to contract execution. This assessment determines the level of support each subrecipient is required to submit as back up documentation for payment requests. Programs then have contract managers review this support prior to payment. In addition, monitoring visits are performed on subrecipients. As part of that process, the FMU reviews at least three months of invoices submitted by subrecipients and includes reviews of entity policies, procedures, internal controls both manual and automated, applicable contracts, history of compliance and applicable cost allocation methodology to ensure each entity is compliant with federal requirements and has adequate internal controls. As part of the review, each FMU staff member will judgmentally select items to review from the selected invoices. FMU staff make this selection using their subject matter expertise about DOH, specific programs and federal guidance to identify transactions for review. This review includes looking at supporting documentation such as timesheets and receipts. FMU reviews the entity, not a specific grant when performing a site visit. The reviewer must document the grants the entity receives and then selects a few transactions from each award type, if applicable. Each entity has a consistent control structure across all funding types so there is no value in reviewing a significant number of transactions from each award type as the controls do not vary. As you can see from the table provided, of the invoices reviewed, DOH typically reviews a quarter of the amount invoiced for. If a grant award is not represented in the invoices selected, FMU will select an additional invoice to ensure all awards are included. This happened in the case of sample three. In the case of sample one, no vendor payments were reviewed because the entity only invoiced for payroll for the selected months. Executive leadership supports the approach used by FMU and is not considering program changes related to the recommendation at this time. Auditor’s Remarks While federal regulations do not require a specific percentage of program expenditures be reviewed when entities monitor subrecipients, in our judgment, the amount reviewed by the Department for the ELC program did not provide management with reasonable assurance that subawards were used for authorized purposes, were spent in compliance with federal requirements and the terms and conditions of the awards. The Department cannot rely on reviews performed for other federal awards as an effective means to ensure compliance for the ELC program. The Department asserts that FMU staff selects invoices for all grant awards issued to the subrecipient. Then, FMU staff judgmentally pick samples from the three selected invoices, significantly limiting the number of expenditures reviewed, as evidence in our testing. Furthermore, the Department does not have written procedures guiding FMU staff on the level of fiscal review for federal grant expenditures. It also acknowledges that the risk assessment level drives the level of backup documentation required for payment requests. The risk assessment does not influence the level of fiscal review. The Department provided a table of the number of expenditures it asserts it reviewed at each subrecipient we tested but acknowledges that these expenditures are from all programs and not specific to ELC. The amount of review done for other federal programs or state funded programs is not relevant when determining whether the subrecipient complied with the terms of the ELC subaward. We reaffirm our finding, and we will review the status of the Department’s corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, section 516, Audit findings, establishes reporting requirements for audit findings. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11.

Assistance Listing Number(s): 21.027 Name of Federal Program or Cluster: COVID-19 Coronavirus State and Local Fiscal Recovery Funds Name of Federal Agency: Department of the Treasury Name of Pass-through Entity: City of Madison, City of Sun Prairie, Wisconsin Department of Workforce Development Award Period: January 1, 2022 through December 31, 2022; September 22, 2021 through December 31, 2024; June 20, 2022 through June 30, 2025 Criteria or Specific Requirement: 2 CFR section 200.332(a) requires pass-through entities to ensure every subaward is clearly identified to the subrecipient as a subaward and includes the required federal award identification information, all requirements imposed by the pass-through entity on the subrecipient, any additional requirements the pass-through entity imposes on the subrecipient, an indirect cost rate, a requirement that the subrecipient permit the pass-through entity and auditors to have access to the subrecipient’s records and financial statements, and appropriate terms and conditions concerning the closeout of the subaward. 2 CFR section 200.332(b) requires the pass-through entity to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions for determining appropriate subrecipient monitoring. 2 CFR section 200.332(d) requires the pass-through entity to monitor the activities of the subrecipient to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward, and that the subaward performance goals are achieved. 2 CFR section 200.332(f) requires the passthrough entity to verify that every subrecipient is audited as required by the Uniform Guidance when it is expected that the subrecipient’s federal awards expended during the respective fiscal year equaled or exceeded $750,000. Condition and Context: No supporting documentation was provided for the three subrecipients. No subaward agreements included all required information and none were executed and signed. No risk assessments were performed and documented. No monitoring procedures were performed other than reviewing invoices to be paid. Per the draft subawards, quarterly site visits were to occur, but none were performed and documented. There was no documentation of whether the 3 subrecipients were expected to/are being audited per the Uniform Guidance. Cause: Internal controls have not been designed, implemented, and documented in written procedures. Internal controls are not designed or implemented to ensure subrecipient agreements include the required information, to perform risk assessments, to establish monitoring procedures based on risks, to ensure monitoring takes placed as planned, and to verify whether subrecipients that expended $750,000 or more in federal awards is audited in accordance with the Uniform Guidance. Effect or Potential Effect: Questioned costs may be disallowed and requested to be repaid. Questioned Costs: $298,051; amount per GL paid to three subrecipients during the fiscal year. Repeat Finding: No. Recommendation: Procedures for subrecipient monitoring to meet federal statutes, regulations, and terms and conditions of the awards should be developed and documented. Internal controls should be designed, implemented, and documented within the subrecipient monitoring procedures to ensure compliance with 2 CFR section 200.332. Subrecipient monitoring activities should be performed and documented. Views of Responsible Officials: Boys and Girls Club of Dane County, Inc. agrees with the finding and is implementing written procedures.

Assistance Listing Number(s): 21.027 Name of Federal Program or Cluster: COVID-19 Coronavirus State and Local Fiscal Recovery Funds Name of Federal Agency: Department of the Treasury Name of Pass-through Entity: City of Madison, City of Sun Prairie, Wisconsin Department of Workforce Development Award Period: January 1, 2022 through December 31, 2022; September 22, 2021 through December 31, 2024; June 20, 2022 through June 30, 2025 Criteria or Specific Requirement: 2 CFR section 200.332(a) requires pass-through entities to ensure every subaward is clearly identified to the subrecipient as a subaward and includes the required federal award identification information, all requirements imposed by the pass-through entity on the subrecipient, any additional requirements the pass-through entity imposes on the subrecipient, an indirect cost rate, a requirement that the subrecipient permit the pass-through entity and auditors to have access to the subrecipient’s records and financial statements, and appropriate terms and conditions concerning the closeout of the subaward. 2 CFR section 200.332(b) requires the pass-through entity to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions for determining appropriate subrecipient monitoring. 2 CFR section 200.332(d) requires the pass-through entity to monitor the activities of the subrecipient to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward, and that the subaward performance goals are achieved. 2 CFR section 200.332(f) requires the passthrough entity to verify that every subrecipient is audited as required by the Uniform Guidance when it is expected that the subrecipient’s federal awards expended during the respective fiscal year equaled or exceeded $750,000. Condition and Context: No supporting documentation was provided for the three subrecipients. No subaward agreements included all required information and none were executed and signed. No risk assessments were performed and documented. No monitoring procedures were performed other than reviewing invoices to be paid. Per the draft subawards, quarterly site visits were to occur, but none were performed and documented. There was no documentation of whether the 3 subrecipients were expected to/are being audited per the Uniform Guidance. Cause: Internal controls have not been designed, implemented, and documented in written procedures. Internal controls are not designed or implemented to ensure subrecipient agreements include the required information, to perform risk assessments, to establish monitoring procedures based on risks, to ensure monitoring takes placed as planned, and to verify whether subrecipients that expended $750,000 or more in federal awards is audited in accordance with the Uniform Guidance. Effect or Potential Effect: Questioned costs may be disallowed and requested to be repaid. Questioned Costs: $298,051; amount per GL paid to three subrecipients during the fiscal year. Repeat Finding: No. Recommendation: Procedures for subrecipient monitoring to meet federal statutes, regulations, and terms and conditions of the awards should be developed and documented. Internal controls should be designed, implemented, and documented within the subrecipient monitoring procedures to ensure compliance with 2 CFR section 200.332. Subrecipient monitoring activities should be performed and documented. Views of Responsible Officials: Boys and Girls Club of Dane County, Inc. agrees with the finding and is implementing written procedures.

Assistance Listing Number(s): 21.027 Name of Federal Program or Cluster: COVID-19 Coronavirus State and Local Fiscal Recovery Funds Name of Federal Agency: Department of the Treasury Name of Pass-through Entity: City of Madison, City of Sun Prairie, Wisconsin Department of Workforce Development Award Period: January 1, 2022 through December 31, 2022; September 22, 2021 through December 31, 2024; June 20, 2022 through June 30, 2025 Criteria or Specific Requirement: 2 CFR section 200.332(a) requires pass-through entities to ensure every subaward is clearly identified to the subrecipient as a subaward and includes the required federal award identification information, all requirements imposed by the pass-through entity on the subrecipient, any additional requirements the pass-through entity imposes on the subrecipient, an indirect cost rate, a requirement that the subrecipient permit the pass-through entity and auditors to have access to the subrecipient’s records and financial statements, and appropriate terms and conditions concerning the closeout of the subaward. 2 CFR section 200.332(b) requires the pass-through entity to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions for determining appropriate subrecipient monitoring. 2 CFR section 200.332(d) requires the pass-through entity to monitor the activities of the subrecipient to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward, and that the subaward performance goals are achieved. 2 CFR section 200.332(f) requires the passthrough entity to verify that every subrecipient is audited as required by the Uniform Guidance when it is expected that the subrecipient’s federal awards expended during the respective fiscal year equaled or exceeded $750,000. Condition and Context: No supporting documentation was provided for the three subrecipients. No subaward agreements included all required information and none were executed and signed. No risk assessments were performed and documented. No monitoring procedures were performed other than reviewing invoices to be paid. Per the draft subawards, quarterly site visits were to occur, but none were performed and documented. There was no documentation of whether the 3 subrecipients were expected to/are being audited per the Uniform Guidance. Cause: Internal controls have not been designed, implemented, and documented in written procedures. Internal controls are not designed or implemented to ensure subrecipient agreements include the required information, to perform risk assessments, to establish monitoring procedures based on risks, to ensure monitoring takes placed as planned, and to verify whether subrecipients that expended $750,000 or more in federal awards is audited in accordance with the Uniform Guidance. Effect or Potential Effect: Questioned costs may be disallowed and requested to be repaid. Questioned Costs: $298,051; amount per GL paid to three subrecipients during the fiscal year. Repeat Finding: No. Recommendation: Procedures for subrecipient monitoring to meet federal statutes, regulations, and terms and conditions of the awards should be developed and documented. Internal controls should be designed, implemented, and documented within the subrecipient monitoring procedures to ensure compliance with 2 CFR section 200.332. Subrecipient monitoring activities should be performed and documented. Views of Responsible Officials: Boys and Girls Club of Dane County, Inc. agrees with the finding and is implementing written procedures.

Finding 2023-003: Noncompliance with Subrecipient Monitoring U.S. Department of Health and Human Services Federal Program: Advanced Nursing Education Workforce Grant Program Federal Assistance Listing Number: 93.247 Federal Award Year: 2023 Repeat Finding: No Criteria: In accordance with 2 CFR 200.332(a), pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the information listed in 2 CFR 200.332(a)(1) at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. In accordance with 2CFR 200.332(d), pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Condition: The Organization had memorandum of understanding agreements with each of its subrecipients. However, these agreements did not contain the information required by 2 CFR 200.332(a)(1). The Organization did not request or review the audits of its subrecipients in order to take timely and appropriate action on deficiencies detected through audits, if applicable. The Organization did not have sufficient documentation that internal controls were in place and operating effectively over risk assessment procedures required by the subrecipient monitoring compliance requirement. Cause: The Organization did not have adequate internal controls in place to ensure the agreements with its subrecipients included the required information. Additionally, the Organization did not have adequate controls in place to properly monitor the activities of its subrecipients, or perform the necessary risk assessment procedures. Effect: We tested two out of the four subrecipients the Organization passed funds to under this grant award. Of the two we tested, we noted that the Organization did not have properly executed subrecipient agreements with either subrecipient. We also noted that the Organization did not request the audits of either subrecipient, and did not adequately document its risk assessment. Recommendation: We recommend the Organization enhance its internal controls over the preparation of subrecipient agreements to ensure all required information is contained in the agreements. We also recommend that management enhance its internal controls over subrecipient monitoring to ensure that its subrecipients are utilizing the funds for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward. View of responsible officials of the auditee: Management agrees with the finding and recommendation.

Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004

Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004

Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004

Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004

Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004

Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004

Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004

Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004

Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004

Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004

Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004

Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004

Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004

Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004

Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004

Subrecipient Monitoring Federal Program: Department of Health and Human Services Federal Assistance Listing No. 93.044, 93.045, and 93.053 - Aging Cluster Criteria: Uniform Guidance requires pass-through entities to oversee the activities of service providers with respect to provision of services, reporting, voluntary contributions, and coordination of services under 2 CFR 200.332. Condition: The Agency Board did not comply with the Uniform Guidance requirement to evaluate each subrecipient's risk of non-compliance and to monitor activities to ensure the federal award is used for authorized purposes. Questioned Costs: $0 Cause: The Agency's internal control did not effectively identify policies and procedures for monitoring subrecipients, and the Agency did not comply with federal requirements regarding subrecipient monitoring. The Agency experienced significant key employee turnover during the year. Effect: The Agency was not in compliance with Uniform Guidance 2 CFR 200.332. Recommendation: We recommend the Agency monitors its subrecipients regularly. View of Responsible Officials and Planned Corrective Action: Management agrees with the finding and in March 2023, the Agency hired a new Executive Director and in August 2023, a new Fiscal Officer. The new management team has implemented policies and procedures to comply with subrecipient monitoring requirements.

Subrecipient Monitoring Federal Program: Department of Health and Human Services Federal Assistance Listing No. 93.044, 93.045, and 93.053 - Aging Cluster Criteria: Uniform Guidance requires pass-through entities to oversee the activities of service providers with respect to provision of services, reporting, voluntary contributions, and coordination of services under 2 CFR 200.332. Condition: The Agency Board did not comply with the Uniform Guidance requirement to evaluate each subrecipient's risk of non-compliance and to monitor activities to ensure the federal award is used for authorized purposes. Questioned Costs: $0 Cause: The Agency's internal control did not effectively identify policies and procedures for monitoring subrecipients, and the Agency did not comply with federal requirements regarding subrecipient monitoring. The Agency experienced significant key employee turnover during the year. Effect: The Agency was not in compliance with Uniform Guidance 2 CFR 200.332. Recommendation: We recommend the Agency monitors its subrecipients regularly. View of Responsible Officials and Planned Corrective Action: Management agrees with the finding and in March 2023, the Agency hired a new Executive Director and in August 2023, a new Fiscal Officer. The new management team has implemented policies and procedures to comply with subrecipient monitoring requirements.

Subrecipient Monitoring Federal Program: Department of Health and Human Services Federal Assistance Listing No. 93.044, 93.045, and 93.053 - Aging Cluster Criteria: Uniform Guidance requires pass-through entities to oversee the activities of service providers with respect to provision of services, reporting, voluntary contributions, and coordination of services under 2 CFR 200.332. Condition: The Agency Board did not comply with the Uniform Guidance requirement to evaluate each subrecipient's risk of non-compliance and to monitor activities to ensure the federal award is used for authorized purposes. Questioned Costs: $0 Cause: The Agency's internal control did not effectively identify policies and procedures for monitoring subrecipients, and the Agency did not comply with federal requirements regarding subrecipient monitoring. The Agency experienced significant key employee turnover during the year. Effect: The Agency was not in compliance with Uniform Guidance 2 CFR 200.332. Recommendation: We recommend the Agency monitors its subrecipients regularly. View of Responsible Officials and Planned Corrective Action: Management agrees with the finding and in March 2023, the Agency hired a new Executive Director and in August 2023, a new Fiscal Officer. The new management team has implemented policies and procedures to comply with subrecipient monitoring requirements.

Subrecipient Monitoring Federal Program: Department of Health and Human Services Federal Assistance Listing No. 93.044, 93.045, and 93.053 - Aging Cluster Criteria: Uniform Guidance requires pass-through entities to oversee the activities of service providers with respect to provision of services, reporting, voluntary contributions, and coordination of services under 2 CFR 200.332. Condition: The Agency Board did not comply with the Uniform Guidance requirement to evaluate each subrecipient's risk of non-compliance and to monitor activities to ensure the federal award is used for authorized purposes. Questioned Costs: $0 Cause: The Agency's internal control did not effectively identify policies and procedures for monitoring subrecipients, and the Agency did not comply with federal requirements regarding subrecipient monitoring. The Agency experienced significant key employee turnover during the year. Effect: The Agency was not in compliance with Uniform Guidance 2 CFR 200.332. Recommendation: We recommend the Agency monitors its subrecipients regularly. View of Responsible Officials and Planned Corrective Action: Management agrees with the finding and in March 2023, the Agency hired a new Executive Director and in August 2023, a new Fiscal Officer. The new management team has implemented policies and procedures to comply with subrecipient monitoring requirements.

Subrecipient Monitoring Federal Program: Department of Health and Human Services Federal Assistance Listing No. 93.044, 93.045, and 93.053 - Aging Cluster Criteria: Uniform Guidance requires pass-through entities to oversee the activities of service providers with respect to provision of services, reporting, voluntary contributions, and coordination of services under 2 CFR 200.332. Condition: The Agency Board did not comply with the Uniform Guidance requirement to evaluate each subrecipient's risk of non-compliance and to monitor activities to ensure the federal award is used for authorized purposes. Questioned Costs: $0 Cause: The Agency's internal control did not effectively identify policies and procedures for monitoring subrecipients, and the Agency did not comply with federal requirements regarding subrecipient monitoring. The Agency experienced significant key employee turnover during the year. Effect: The Agency was not in compliance with Uniform Guidance 2 CFR 200.332. Recommendation: We recommend the Agency monitors its subrecipients regularly. View of Responsible Officials and Planned Corrective Action: Management agrees with the finding and in March 2023, the Agency hired a new Executive Director and in August 2023, a new Fiscal Officer. The new management team has implemented policies and procedures to comply with subrecipient monitoring requirements.

2 CFR § 3474.1 provides the Department of Education (DOE) adopts the Office of Management and Budget (OMB) Guidance in 2 CFR part 200, except for 2 CFR § 200.102(a) and 2 CFR § 200.207(a). Thus, this part gives regulatory effect to the OMB guidance and supplements the guidance as needed for the DOE. 2 CFR § 200.329(a) provides that the non-Federal entity is responsible for oversight of the operations of the Federal award supported activities. The non-Federal entity must monitor its activities under Federal awards to assure compliance with applicable Federal requirements and performance expectations are being achieved. Monitoring by the non-Federal entity must cover each program, function or activity. See also § 200.332. 2 CFR § 200.302(b)(2) provides, in part, that the financial management system of each non-Federal entity must provide for accurate, current, and complete disclosure of the financial results of each Federal award or program in accordance with the reporting requirements set forth in §§ 200.328 and 200.329. 2 CFR § 200.332(d) provides, in part, that a pass-through entity must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) reviewing financial and performance reports required by the pass-through entity. The Ohio Department of Education requires school districts to file a Final Expenditure Report each year by September 30, unless stated otherwise in the grant application. ODE further requires subgrantees to obligate funds within the approved project period as set forth in the approved application and to liquidate said obligations not later than 90 days after the end of the project period for electronic applications for grants, with obligations having the same meaning as in 2 CFR §§ 200.343 and 200.1. ODE also requires all allowable grant expenditures obligated by the project end date as designated in the grant agreement to be reported in the FER. The District did file the Final Expenditure Report with ODE before the required reporting deadline, however, due to deficiencies in the internal policies and procedures over Federal compliance, the District did not exclude the prior grant year expenditures obligated during the prior fiscal year, but not paid until after June 30, 2022. This resulted in expenditures being overreported in the amount of $78,795; however, this oversight did not result in additional federal funding. Failure to file accurate financial information in the Final Expenditure Report could lead to material misstatements and could impact future grant funding. The District should review the Final Expenditure Report before submission to help ensure all required amounts are included.

2 CFR § 3474.1 provides the Department of Education (DOE) adopts the Office of Management and Budget (OMB) Guidance in 2 CFR part 200, except for 2 CFR § 200.102(a) and 2 CFR § 200.207(a). Thus, this part gives regulatory effect to the OMB guidance and supplements the guidance as needed for the DOE. 2 CFR § 200.329(a) provides that the non-Federal entity is responsible for oversight of the operations of the Federal award supported activities. The non-Federal entity must monitor its activities under Federal awards to assure compliance with applicable Federal requirements and performance expectations are being achieved. Monitoring by the non-Federal entity must cover each program, function or activity. See also § 200.332. 2 CFR § 200.302(b)(2) provides, in part, that the financial management system of each non-Federal entity must provide for accurate, current, and complete disclosure of the financial results of each Federal award or program in accordance with the reporting requirements set forth in §§ 200.328 and 200.329. 2 CFR § 200.332(d) provides, in part, that a pass-through entity must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) reviewing financial and performance reports required by the pass-through entity. The Ohio Department of Education requires school districts to file a Final Expenditure Report each year by September 30, unless stated otherwise in the grant application. ODE further requires subgrantees to obligate funds within the approved project period as set forth in the approved application and to liquidate said obligations not later than 90 days after the end of the project period for electronic applications for grants, with obligations having the same meaning as in 2 CFR §§ 200.343 and 200.1. ODE also requires all allowable grant expenditures obligated by the project end date as designated in the grant agreement to be reported in the FER. The District did file the Final Expenditure Report with ODE before the required reporting deadline, however, due to deficiencies in the internal policies and procedures over Federal compliance, the District did not exclude the prior grant year expenditures obligated during the prior fiscal year, but not paid until after June 30, 2022. This resulted in expenditures being overreported in the amount of $78,795; however, this oversight did not result in additional federal funding. Failure to file accurate financial information in the Final Expenditure Report could lead to material misstatements and could impact future grant funding. The District should review the Final Expenditure Report before submission to help ensure all required amounts are included.

Program: Emergency Solutions Grant Program (ESG) ALN #: 14.231 Federal Agency: Housing and Urban Development Federal Award Numbers: E-20-MC-25-005, E-21-MC-25-0005, E-22-MC-25-0005, E-20-MW-25-005, and E-20-MW-35-005 Award Year: July 1, 2022–June 30, 2023 Subrecipient Monitoring Type of finding: Material weakness and noncompliance Prior-year finding: Yes Statistically valid sample: No Criteria The 2 CFR sections 200.332(d) through (f) provide the principles to be applied to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. According to 2 CFR 200.303, the nonfederal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The City does not have properly designed controls and documented procedures in place to ensure compliance with the following requirements: • Each subrecipients risk of noncompliance is appropriately evaluated. • Verification that subrecipients are audited as required when they are expected to exceed the threshold for having a single audit. During our audit, we noted that audited financial statements were obtained for the four subrecipients selected for testing, but there was no documentation to evidence the nature and extent of the City’s review of the audit reports obtained. Additionally, a documented risk assessment was not performed by the City over the four subrecipients selected for testing prior to entering into a contract. Cause The City requires that audited financial statements are obtained for subrecipients, but there is no checklist or formal documentation required to indicate what should be reviewed when reviewing the audit reports to ensure compliance with subrecipient monitoring requirements. Additionally, the City requires a risk assessment be completed over each subrecipient. However, due to time constraints, a risk assessment was not completed. Effect Lack of effective controls and written policies and procedures over subrecipient monitoring could result in the City’s noncompliance with program requirements. Questioned Costs None Recommendation We recommend the City establish a checklist or formal documentation requirements for both risk assessments and review of single audit report procedures. Employees can complete these checklists when obtaining subrecipient audit reports to ensure required monitoring procedures are performed and well documented. Views of Responsible Officials and Corrective Actions The City has established an Audit Review Certification form that is completed by employees to formally document review of subrecipient agencies' audit reports. Implementation Date The City implemented use of the Audit Review Certification form starting in Spring 2023 as part of the ESG subrecipient application process for the FY24 program year beginning July 1, 2023, and will continue use of the form for the FY25 program year beginning on July 1, 2024. Responsible Officials Anthony Woods, Planner and Contract Manager, and Liz Mengers, Planning and Development Manager

Program: Emergency Solutions Grant Program (ESG) ALN #: 14.231 Federal Agency: Housing and Urban Development Federal Award Numbers: E-20-MC-25-005, E-21-MC-25-0005, E-22-MC-25-0005, E-20-MW-25-005, and E-20-MW-35-005 Award Year: July 1, 2022–June 30, 2023 Subrecipient Monitoring Type of finding: Material weakness and noncompliance Prior-year finding: Yes Statistically valid sample: No Criteria The 2 CFR sections 200.332(d) through (f) provide the principles to be applied to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. According to 2 CFR 200.303, the nonfederal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The City does not have properly designed controls and documented procedures in place to ensure compliance with the following requirements: • Each subrecipients risk of noncompliance is appropriately evaluated. • Verification that subrecipients are audited as required when they are expected to exceed the threshold for having a single audit. During our audit, we noted that audited financial statements were obtained for the four subrecipients selected for testing, but there was no documentation to evidence the nature and extent of the City’s review of the audit reports obtained. Additionally, a documented risk assessment was not performed by the City over the four subrecipients selected for testing prior to entering into a contract. Cause The City requires that audited financial statements are obtained for subrecipients, but there is no checklist or formal documentation required to indicate what should be reviewed when reviewing the audit reports to ensure compliance with subrecipient monitoring requirements. Additionally, the City requires a risk assessment be completed over each subrecipient. However, due to time constraints, a risk assessment was not completed. Effect Lack of effective controls and written policies and procedures over subrecipient monitoring could result in the City’s noncompliance with program requirements. Questioned Costs None Recommendation We recommend the City establish a checklist or formal documentation requirements for both risk assessments and review of single audit report procedures. Employees can complete these checklists when obtaining subrecipient audit reports to ensure required monitoring procedures are performed and well documented. Views of Responsible Officials and Corrective Actions The City has established an Audit Review Certification form that is completed by employees to formally document review of subrecipient agencies' audit reports. Implementation Date The City implemented use of the Audit Review Certification form starting in Spring 2023 as part of the ESG subrecipient application process for the FY24 program year beginning July 1, 2023, and will continue use of the form for the FY25 program year beginning on July 1, 2024. Responsible Officials Anthony Woods, Planner and Contract Manager, and Liz Mengers, Planning and Development Manager

Program: HOME Investment Partnerships Program (HOME) ALN #: 14.239 Federal Agency: Department of Housing and Urban Development Federal Award Number: M22-MC250202 Award Year: July 1, 2022–June 30, 2023 Eligibility/Subrecipient Monitoring Type of finding: Noncompliance Prior-year finding: No Statistically valid sample: No Criteria 24 CFR 92.252, Qualification as affordable housing: Rental housing (e) Periods of affordability. The HOME-assisted units must meet the affordability requirements for not less than the applicable period specified in the following table, beginning after project completion. (1) The affordability requirements: (i) Apply without regard to the term of any loan or mortgage, repayment of the HOME investment, or the transfer of ownership (ii) Must be imposed by a deed restriction, a covenant running with the land, an agreement restricting the use of the property, or other mechanisms approved by HUD and must give the participating jurisdiction the right to require specific performance (except that the participating jurisdiction may provide that the affordability restrictions may terminate upon foreclosure or transfer in lieu of foreclosure) (iii) Must be recorded in accordance with State recordation laws. (2) The participating jurisdiction may use purchase options, rights of first refusal, or other preemptive rights to purchase the housing before foreclosure or deed in lieu of foreclosure in order to preserve affordability. (3) The affordability restrictions shall be revived according to the original terms if, during the original affordability period, the owner of record before the foreclosure, or deed in lieu of foreclosure, or any entity that includes the former owner or those with whom the former owner has or had family or business ties obtains an ownership interest in the project or property. 4) The termination of the restrictions on the project does not terminate the participating jurisdiction’s repayment obligation under § 92.503(b). (h) Tenant income. The income of each tenant must be determined initially in accordance with § 92.203(a)(1)(i). In addition, each year during the period of affordability the project owner must reexamine each tenant’s annual income in accordance with one of the options in § 92.203 selected by the participating jurisdiction. 24 CFR92.203 Income determinations (a) The HOME program has income-targeting requirements for the HOME program and for HOME projects. Therefore, the participating jurisdiction must determine each family is income eligible by determining the family’s annual income. (1) For families who are tenants in HOME-assisted housing and not receiving HOME tenant-based rental assistance, the participating jurisdiction must initially determine annual income using the method in paragraph (a)(1)(i) of this section. For subsequent income determinations during the period of affordability, the participating jurisdiction may use any one of the following methods in accordance with § 92.252(h): (ii) Obtain from the family a written statement of the amount of the family’s annual income and family size, along with a certification that the information is complete and accurate. The certification must state that the family will provide source documents upon request. Title 45 US Code of Federal Regulations Part 75 (45 CFR part 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HHS Awards, section 75.303 also states that nonfederal entities must establish and maintain effective internal control over the federal award that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Additionally, the 2 CFR sections 200.332(d) through (f) provide the principles to be applied to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. Condition During our testwork, we noted there were two individuals residing in a facility financed with a City HOME loan who did not meet the low-income requirements and were therefore determined not to be eligible. Cause The City’s property manager failed to ensure that another unit, or the next available unit, within the building would be designated as a HOME-floating unit as required in its loan agreement with the City. Effect Ineligible recipients could potentially cause the City to not be in compliance with HUD requirements. Questioned Costs Not determinable Recommendation We recommend the City work collaboratively with its property managers to ensure that the correct number of units are being designated as HOME-assisted units. Views of Responsible Officials and Corrective Actions The two individuals determined to have incomes in excess of HOME Program limits were noted in our FY23 monitoring of properties assisted with HOME funds. The HOME Program allows for a unit to be occupied by a household who was initially eligible and whose income later increases, but requires that a comparable unit be designated as a HOME unit and leased to an eligible household when one is available. Owners of each property were made aware of the circumstance when City monitoring was completed. Each will designate comparable units to be HOME units when available and lease them to eligible households. Implementation Date Dependent on when residents move and/or appropriate units are available. Responsible Officials Chris Cotter, Housing Director & Judith Tumusiime, Federal Grants Manager, Cambridge Community Development Department

Program: Housing Opportunities for Persons with AIDS (HOPWA) ALN #: 14.241 Federal Agency: Housing and Urban Development Federal Award Numbers: MAH22-F005, MAH20-F005, and MAH21-F005 Award Year: July 1, 2022–June 30, 2023 Subrecipient Monitoring Type of finding: Material weakness and noncompliance Prior-year finding: No Statistically valid sample: No Criteria The 2 CFR sections 200.332(d) through (f) provide the principles to be applied to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. According to 2 CFR 200.303, the nonfederal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The City does not have properly designed controls and documented procedures in place to ensure compliance with the following requirements: • Each subrecipients risk of noncompliance is appropriately evaluated. • Verification that subrecipients are audited as required when they are expected to exceed the threshold for having a single audit. During our audit, we noted that audited financial statements were obtained for the four subrecipients selected for testing, but there was no documentation to evidence the nature and extent of the City’s review of the reports obtained. Additionally, a documented risk assessment was not performed by the City over the four subrecipients selected for testing prior to entering into a contract. Cause The City requires that audited financial statements are obtained for subrecipients, but there is no checklist or formal documentation required to indicate what should be reviewed when reviewing the audit reports to ensure compliance with subrecipient monitoring requirements. Additionally, the City requires a risk assessment be completed over each subrecipient. However, due to time constraints, a risk assessment was not completed. Effect Lack of effective controls and written policies and procedures over subrecipient monitoring could result in the City’s noncompliance with program requirements. Questioned Costs None Recommendation We recommend the City establish a checklist or formal documentation requirements for both risk assessments and review of single audit report procedures. Employees can complete these checklists when obtaining subrecipient audit reports to ensure required monitoring procedures are performed and well documented. Views of Responsible Officials and Corrective Actions The City will incorporate a more formal review of financial audits of subrecipients in conjunction with new contracts moving forward. These audits, and City staff’s verification of assessment will be included in each subrecipient file. Implementation Date FY2025 Contracts Responsible Officials Robert Keller, Project Planner, Cambridge Community Development Department, and Judith Tumusiime, Federal Grants Manager, Cambridge Community Development Department

Program: Housing Opportunities for Persons with AIDS (HOPWA) ALN #: 14.241 Federal Agency: Housing and Urban Development Federal Award Numbers: MAH22-F005, MAH20-F005, and MAH21-F005 Award Year: July 1, 2022–June 30, 2023 Subrecipient Monitoring Type of finding: Material weakness and noncompliance Prior-year finding: No Statistically valid sample: No Criteria The 2 CFR sections 200.332(d) through (f) provide the principles to be applied to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. According to 2 CFR 200.303, the nonfederal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The City does not have properly designed controls and documented procedures in place to ensure compliance with the following requirements: • Each subrecipients risk of noncompliance is appropriately evaluated. • Verification that subrecipients are audited as required when they are expected to exceed the threshold for having a single audit. During our audit, we noted that audited financial statements were obtained for the four subrecipients selected for testing, but there was no documentation to evidence the nature and extent of the City’s review of the reports obtained. Additionally, a documented risk assessment was not performed by the City over the four subrecipients selected for testing prior to entering into a contract. Cause The City requires that audited financial statements are obtained for subrecipients, but there is no checklist or formal documentation required to indicate what should be reviewed when reviewing the audit reports to ensure compliance with subrecipient monitoring requirements. Additionally, the City requires a risk assessment be completed over each subrecipient. However, due to time constraints, a risk assessment was not completed. Effect Lack of effective controls and written policies and procedures over subrecipient monitoring could result in the City’s noncompliance with program requirements. Questioned Costs None Recommendation We recommend the City establish a checklist or formal documentation requirements for both risk assessments and review of single audit report procedures. Employees can complete these checklists when obtaining subrecipient audit reports to ensure required monitoring procedures are performed and well documented. Views of Responsible Officials and Corrective Actions The City will incorporate a more formal review of financial audits of subrecipients in conjunction with new contracts moving forward. These audits, and City staff’s verification of assessment will be included in each subrecipient file. Implementation Date FY2025 Contracts Responsible Officials Robert Keller, Project Planner, Cambridge Community Development Department, and Judith Tumusiime, Federal Grants Manager, Cambridge Community Development Department

Program: Coronavirus State and Local Fiscal Recovery Funds ALN #: 21.027 Federal Agency: U.S. Department of Treasury Federal Award Number: NA Award Year: July 1, 2022–June 30, 2023 Subrecipient Monitoring Type of finding: Material weakness and noncompliance Prior-year finding: Yes Statistically valid sample: No Criteria The 2 CFR sections 200.332(d) through (f) provide the principles to be applied to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. According to 2 CFR 200.303, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The City does not have properly designed controls and documented procedures in place to ensure compliance with the following requirements: • Each subrecipients risk of noncompliance is appropriately evaluated. • Verification that subrecipients are audited as required when they are expected to exceed the threshold for having a single audit. During our audit, we noted that audited financial statements were obtained for the four subrecipients selected for testing, but there was no documentation to evidence the nature and extent of the City’s review of the audit reports obtained. Additionally, a documented risk assessment was not performed by the City over the four subrecipients selected for testing prior to entering into a contract. Cause The City requires that audited financial statements are obtained for subrecipients, but there is no checklist or formal documentation required to indicate what should be reviewed when reviewing the audit reports to ensure compliance with subrecipient monitoring requirements. Additionally, the City requires a risk assessment be completed over each subrecipient. However, due to time constraints, a risk assessment was not completed or documented. Effect Lack of effective controls and written policies and procedures over subrecipient monitoring could result in the City’s noncompliance with program requirements. Questioned Costs None Recommendation We recommend the City establish a checklist or formal documentation requirements for both risk assessments and review of single audit report procedures. Employees can complete these checklists when obtaining subrecipient audit reports to ensure required monitoring procedures are performed and well documented. Views of Responsible Officials and Corrective Actions The City will use a subrecipient audit certification form and a subrecipient risk assessment questionnaire to evaluate a subrecipient's risk/experience with federal funds as well as assess their federal funding threshold for having a single audit. Implementation Date FY25 Contracts (7/1/2024) Responsible Officials Michele Kincaid, Assistant Finance Director, and Sharon Pu, Grants Management

Program: Coronavirus State and Local Fiscal Recovery Funds ALN #: 21.027 Federal Agency: U.S. Department of Treasury Federal Award Number: NA Award Year: July 1, 2022–June 30, 2023 Subrecipient Monitoring Type of finding: Material weakness and noncompliance Prior-year finding: Yes Statistically valid sample: No Criteria The 2 CFR sections 200.332(d) through (f) provide the principles to be applied to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. According to 2 CFR 200.303, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the nonfederal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition The City does not have properly designed controls and documented procedures in place to ensure compliance with the following requirements: • Each subrecipients risk of noncompliance is appropriately evaluated. • Verification that subrecipients are audited as required when they are expected to exceed the threshold for having a single audit. During our audit, we noted that audited financial statements were obtained for the four subrecipients selected for testing, but there was no documentation to evidence the nature and extent of the City’s review of the audit reports obtained. Additionally, a documented risk assessment was not performed by the City over the four subrecipients selected for testing prior to entering into a contract. Cause The City requires that audited financial statements are obtained for subrecipients, but there is no checklist or formal documentation required to indicate what should be reviewed when reviewing the audit reports to ensure compliance with subrecipient monitoring requirements. Additionally, the City requires a risk assessment be completed over each subrecipient. However, due to time constraints, a risk assessment was not completed or documented. Effect Lack of effective controls and written policies and procedures over subrecipient monitoring could result in the City’s noncompliance with program requirements. Questioned Costs None Recommendation We recommend the City establish a checklist or formal documentation requirements for both risk assessments and review of single audit report procedures. Employees can complete these checklists when obtaining subrecipient audit reports to ensure required monitoring procedures are performed and well documented. Views of Responsible Officials and Corrective Actions The City will use a subrecipient audit certification form and a subrecipient risk assessment questionnaire to evaluate a subrecipient's risk/experience with federal funds as well as assess their federal funding threshold for having a single audit. Implementation Date FY25 Contracts (7/1/2024) Responsible Officials Michele Kincaid, Assistant Finance Director, and Sharon Pu, Grants Management

Reference Number: 2023-007 Federal Agency: U.S. Department of Treasury Federal Program: COVID-19 – Coronavirus State and Local Fiscal Recovery Funds Assistance Listing Number: 21.027 Award Number and Year: 2021 Compliance Requirement: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Controls over Compliance, Other Matters Criteria or Specific Requirement: Compliance - 2 CFR Section 200.332 – Requirements for Pass-Through Entities states in part, that all pass-through entities must: (a) Verify that every subrecipient is audited as required by Subpart F – Audit Requirements of this part when it is expected that the subrecipient’s Federal award expended during the respective fiscal year equaled or exceeded the threshold set forth in section 200.501 Audit requirements. Control - Per 2 CDF 200.303(a), a non-Federal entity must: Establish a maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal awards. These internal controls should comply with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The County was not able to provide support to show it ensured its subrecipients were audited as required by 2 CFR Part 200 Subpart F – Audit Requirements (Subpart F). Context: Exceptions were noted for 8 of 8 subrecipients selected for testing: • The County was unable to provide support that it ensured the subrecipient was audited as required by Subpart F. The County could not produce evidence of verification that the subrecipient’s Federal awards expended during the fiscal year were below the threshold set forth in section 200.501 Audit Requirements. Cause: The County did not establish effective internal controls and procedures over subrecipient monitoring. Effect: Without ensuring subrecipients have obtained audits as required by Subpart F, there is an increased risk that subrecipients could be inappropriately spending and/or inaccurately tracking and reporting federal funds over multiple years, and these discrepancies may not be properly monitored, detected, and corrected by the County personnel on a timely basis. Questioned Costs: Undetermined. Recommendation: The County should review and enhance internal controls and procedures to ensure that evaluation of independent audits is performed. Views of Responsible Officials: The County agrees with this finding. See separate Correction Action Plan related to this finding.

Reference Number: 2023-007 Federal Agency: U.S. Department of Treasury Federal Program: COVID-19 – Coronavirus State and Local Fiscal Recovery Funds Assistance Listing Number: 21.027 Award Number and Year: 2021 Compliance Requirement: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Controls over Compliance, Other Matters Criteria or Specific Requirement: Compliance - 2 CFR Section 200.332 – Requirements for Pass-Through Entities states in part, that all pass-through entities must: (a) Verify that every subrecipient is audited as required by Subpart F – Audit Requirements of this part when it is expected that the subrecipient’s Federal award expended during the respective fiscal year equaled or exceeded the threshold set forth in section 200.501 Audit requirements. Control - Per 2 CDF 200.303(a), a non-Federal entity must: Establish a maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal awards. These internal controls should comply with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The County was not able to provide support to show it ensured its subrecipients were audited as required by 2 CFR Part 200 Subpart F – Audit Requirements (Subpart F). Context: Exceptions were noted for 8 of 8 subrecipients selected for testing: • The County was unable to provide support that it ensured the subrecipient was audited as required by Subpart F. The County could not produce evidence of verification that the subrecipient’s Federal awards expended during the fiscal year were below the threshold set forth in section 200.501 Audit Requirements. Cause: The County did not establish effective internal controls and procedures over subrecipient monitoring. Effect: Without ensuring subrecipients have obtained audits as required by Subpart F, there is an increased risk that subrecipients could be inappropriately spending and/or inaccurately tracking and reporting federal funds over multiple years, and these discrepancies may not be properly monitored, detected, and corrected by the County personnel on a timely basis. Questioned Costs: Undetermined. Recommendation: The County should review and enhance internal controls and procedures to ensure that evaluation of independent audits is performed. Views of Responsible Officials: The County agrees with this finding. See separate Correction Action Plan related to this finding.

Reference Number: 2023-007 Federal Agency: U.S. Department of Treasury Federal Program: COVID-19 – Coronavirus State and Local Fiscal Recovery Funds Assistance Listing Number: 21.027 Award Number and Year: 2021 Compliance Requirement: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Controls over Compliance, Other Matters Criteria or Specific Requirement: Compliance - 2 CFR Section 200.332 – Requirements for Pass-Through Entities states in part, that all pass-through entities must: (a) Verify that every subrecipient is audited as required by Subpart F – Audit Requirements of this part when it is expected that the subrecipient’s Federal award expended during the respective fiscal year equaled or exceeded the threshold set forth in section 200.501 Audit requirements. Control - Per 2 CDF 200.303(a), a non-Federal entity must: Establish a maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal awards. These internal controls should comply with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The County was not able to provide support to show it ensured its subrecipients were audited as required by 2 CFR Part 200 Subpart F – Audit Requirements (Subpart F). Context: Exceptions were noted for 8 of 8 subrecipients selected for testing: • The County was unable to provide support that it ensured the subrecipient was audited as required by Subpart F. The County could not produce evidence of verification that the subrecipient’s Federal awards expended during the fiscal year were below the threshold set forth in section 200.501 Audit Requirements. Cause: The County did not establish effective internal controls and procedures over subrecipient monitoring. Effect: Without ensuring subrecipients have obtained audits as required by Subpart F, there is an increased risk that subrecipients could be inappropriately spending and/or inaccurately tracking and reporting federal funds over multiple years, and these discrepancies may not be properly monitored, detected, and corrected by the County personnel on a timely basis. Questioned Costs: Undetermined. Recommendation: The County should review and enhance internal controls and procedures to ensure that evaluation of independent audits is performed. Views of Responsible Officials: The County agrees with this finding. See separate Correction Action Plan related to this finding.