Findings Citing § 200.332

Finding Reference Number: 2022-008 NH Governor?s Office of Emergency Relief and Recovery COVID-19 Coronavirus State and Local Fiscal Recovery Funds (Assistance Listing #21.027) Federal Award Numbers: SLFRP0145 Federal Award Year: 2021 U.S. Department of Treasury Compliance Requirement: Subrecipient Monitoring Type of Finding: Significant Deficiency Prior Year Finding: None Statistically Valid Sample: No Criteria A pass-through entity must: 1. Clearly identify to the subrecipient required award information and applicable requirements described in 2 CFR section 200.332(a); 2. Evaluate each subrecipient?s risk of noncompliance for the purposes of determining the appropriate subrecipient monitoring related to the subaward (2 CFR section 300.332(b)); 3. Issuing a management decision for audit findings pertaining to federal award provided to the subrecipient from the subrecipient as required by 2 CFR section 200.521. Additionally, per 2 CFR section 200.303, non-federal entities must establish and maintain effective internal control over federal awards that provide reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Condition As part of the Coronavirus State and Local Fiscal Recovery Funds program, the State of New Hampshire (the State) entered into grant agreements with local entities to support allowable activities under the federal program. During the year ended June 30, 2022, the State passed through $2,108,597 to subrecipients. As part of our testwork over the subrecipient monitoring process, we noted the following breakdown of internal controls: A. The State communicates award information to subrecipients through the approved grant agreement. Per review of the grant agreement, for 5 of the 10 subrecipients selected for testwork, the State did not communicate all the required award information as outlined in 2 CFR section 200.332. Specifically, the following elements were not communicated: a. Indirect cost rate for federal awards (including if the deminimus rate is charged per 2 CFR section 200.414) was not communicated for 5 of 10 subrecipients selected for testwork. b. Identification of whether the award is R&D was not communicated for 3 of 10 subrecipients selected for testwork. A. For 2 of 10 subrecipients selected for testwork, there was no documented risk assessment performed over the subrecipient. The State indicated that they had previous experience with these 2 subrecipients and based upon the previous relationship a formal risk assessment was not necessary. As part of our audit, we inquired as to whether a risk assessment was performed in connection with other federal awards that were granted to these entities, but a risk assessment was not able to be provided. While a risk assessment was not performed, we noted that for all each of these 2 subrecipients that the State performed during the award monitoring procedures. B. The State did not appear to have policies and procedures in place to determine if a subrecipient had a Uniform Guidance report if the amount awarded to the subrecipient under this program was under the audit threshold of $750,000. Based on our independent review of uniform guidance submissions within the Federal Audit Clearinghouse, none of the 10 subrecipients selected for testwork had a submitted uniform guidance report, and as such, a management decision letter would not have been required to be submitted for the each of the 10 subrecipients. Cause The cause of the condition found is primarily due to insufficient internal controls and procedures to ensure that award identification information is properly communicated, that risk assessments are performed to ensure sufficient during the awarded monitoring is performed and that all subrecipients are reviewed to determine if a uniform guidance audit was issued regardless of amount awarded to the subrecipient. Given the nature of this program, several Departments within the State entered into subrecipient grants resulting in a decentralized process. Not all Departments within the State are experienced with subrecipient relationships and may not have had developed policies to comply with subrecipient monitoring requirements. Effect The effect of the condition found is that the State did not have sufficient internal controls in place in accordance with 2 CFR section 200.303(a)) and 200.332.(a). In addition, subrecipients could have had a uniform guidance report issued in which a management decision letter needed to be issued but as the Department does not evaluate this for subrecipient?s that were not granted more than $750,000, they would not be able to recognize the need for a management decision letter timely. Questioned Costs None. Recommendation We recommend that the State review its existing internal controls, policies, and procedures to ensure that the State complies with the provisions of 2 CFR section 200.332(a), 2 CFR section 200.332(b), and 2 CFR section 200.251. This would include ensuring that: 1. All required award information is communicated to subrecipients; 2. Documented risk assessments are performed over all subrecipients; and 3. All subrecipients are reviewed regardless of amount awarded to determine if a uniform guidance report was issued and if a management decision letter should be issued. View of Responsible Officials The State largely concurs with the findings and recommendations and has either implemented procedures to address the identified conditions already or will do so. With regard to condition A(a) and (b), although the State illustrated that it includes clauses related to allowed costs in its subawards, including direct and indirect costs, it will work to ensure that agencies entering into such agreements clearly indicate the terms required by Uniform Guidance, including permitted indirect cost rates and whether the award is for R&D. With regard to condition B, the State agrees that risk assessments should have been completed and has since implemented a framework to help ensure that agencies are more consistently conducting and documenting subrecipient risk assessments. With regard to condition C, the State concurs and has already implemented an agency-wide framework to help ensure procedures and policies are in place concerning Uniform Guidance Report review and the issuance of any necessary management decision letters, to the extent required. It is worth noting that the State in most cases has timely conducted risk assessments of subrecipients and reviewed relevant Uniform Guidance Reports, but its corrective actions will result in better documentation and more consistent and timelier follow through. Anticipated Completion Date: The corrective actions indicated above relative to conditions B and C have already been implemented as of the date of this response. The State will work to address Condition A before the end of the current Fiscal Year. Contact Person: Chase Hagaman and Steve Giovinelli

Finding Reference Number: 2022-012 NH Department of Business and Economic Affairs COVID-19 State Small Business Credit Initiative Technical Assistance Grant Program (Assistance Listing #21.031) Federal Award Numbers: NOI-0000178 Federal Award Year: 2022 U.S. Department of Treasury Compliance Requirement: Subrecipient Monitoring Type of Finding: Material Weakness and Material Noncompliance Prior Year Finding: None Statistically Valid Sample: No Criteria In accordance with 2 CFR section 200.1, a subrecipient is an entity, usually but not limited to non-federal entities, that receives a subaward from a pass-through entity to carry out part of a federal award; but does not include an individual that is a beneficiary of such award. A pass-through entity must clearly identify to the subrecipient required award information and applicable requirements described in 2 CFR section 200.332(a). The following items are required to be communicated: a. Subrecipient name (which must match the name associated with its unique entity identifier); b. Subrecipient's unique entity identifier; c. Federal Award Identification Number (FAIN); d. Federal Award Date (see ? 200.39 Federal award date) of award to the recipient by the Federal agency; e. Subaward Period of Performance Start and End Date; f. Amount of Federal Funds Obligated by this action by the pass-through entity to the subrecipient; g. Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity including the current obligation; h. Total Amount of the Federal Award committed to the subrecipient by the pass-through entity; i. Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA); j. Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the Pass-through entity; k. CFDA Number and Name; the pass-through entity must identify the dollar amount made available under each Federal award and the CFDA number at time of disbursement; l. Identification of whether the award is R&D; and m. Indirect cost rate for the Federal award (including if the de minimis rate is charged per ? 200.414 Indirect (F&A) costs). Additionally, per 2 CFR section 200.303, non-federal entities must establish and maintain effective internal control over federal awards that provide reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Condition As part of the State Small Business Credit Initiative Technical Assistance Grant Program (SSBCI), the New Hampshire Department of Business and Economic Affairs (the Department) entered into a Memorandum of Understanding (MOU) with a subrecipient that passed through all programmatic and financial responsibilities of the federal award to the subrecipient. The total amount of funds passed through during the period ending June 30, 2022 was $19,661,597. During our review of the MOU, the Department did not communicate any of the required award information outlined within 2 CFR 200.332(a). Cause The cause of the condition found was the result of the Department being unaware that the agreement they entered was a subrecipient relationship and that they were required to communicate the required award information contained within 2 CFR 200.332(a). Effect The effect of the condition found is that the Department did not comply with 2 CFR section 200.332(a). Questioned Costs None. Recommendation We recommend that the Department review its existing internal controls, policies, and procedures to ensure that the Department complies with the provisions of 2 CFR section 200.332(a) by ensuring that all required award information is communicated to subrecipients. View of Responsible Officials The Department acknowledges the misinterpretation of the agreement as a subaward has led to a failure to comply with 2 CFR section 200.332(a). Underlying this misinterpretation was the Department?s failure to differentiate between entering into agreements with other state agencies and entities recognized as component units of state government such as the NH Business Finance Authority; noting agreements between state agencies would not require such compliance. Accordingly, the Department will review existing policies and procedures related to subawarding and subrecipient monitoring to ensure agreements with component units of state government are properly considered. Additionally, the Department will amend the existing agreement to ensure required award information is communicated and ensure all other subrecipient monitoring protocols are applied to the subaward. Anticipated Completion Date: June 30, 2023 Contact Person: Taylor Caswell

Finding Reference Number: 2022-014 NH Department of Education Special Education Cluster (Assistance Listing #84.027 and #84.173) Federal Award Numbers: H027A210103, H173A210109, H027A180103, H173A180109 Federal Award Year: 2021, 2022 U.S. Department of Education Compliance Requirement: Subrecipient Monitoring Type of Finding: Material Weakness and Material Noncompliance Prior Year Finding: None Statistically Valid Sample: No Criteria A pass-through entity must clearly identify to the subrecipient required award information and applicable requirements described in 2 CFR section 200.332(a); Additionally, per 2 CFR section 200.303, non-federal entities must establish and maintain effective internal control over federal awards that provide reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Condition During the year ended June 30, 2022, the New Hampshire Department of Education (the Department) passed through $50,310,796 of federal funding to 174 subrecipients. As part of our testing related subrecipient monitoring, we noted that the Department communicates to subrecipients through the Grant Award Notifications (GANs). Per review of the GAN, we noted the following: A. For 44 of 44 subrecipients selected for testwork, the Department did not communicate the federal award identification number. B. For 15 of 44 subrecipients selected for testwork, the Department did not communicate the full award amount. Instead, the Department only communicated the subrecipients first installment amount entered into Grant Management System (GMS) which is a portion of the subrecipient?s total federal funding allocation. Cause The cause of the condition found was primarily due to breakdown of internal controls to ensure that the Grant Award Notification sent to subrecipients includes all required award data elements, including federal award identification number and full award amount. Effect The effect of the condition found is that the Department may not be in compliance with 2 CFR section 200.332(a)(1). Questioned Costs Not determinable. Recommendation We recommend that the Department review its existing policies and procedures over subrecipient monitoring award identification requirements and revise procedures and internal controls to ensure that information described in 2 CFR section 200.332(a)(1) is clearly identified to the subrecipient at the time of subaward (or subsequent subaward modification). View of Responsible Officials NHED concurs with the finding identified in section A. This was an oversight on the part of NHED, and a process has been implemented to ensure that when the GAN template is generated, there is a review by 2 separate staff members to ensure all required elements on the GAN are complete. NHED concurs with the finding identified in Section B. The previous Division Director of Learner Support, without understanding the unintended consequences, required that the IDEA allocations be uploaded in separate installments instead of including the full year award amount. This led to a GAN generation that included only the first installment. This procedure has since been corrected and NHED is now uploading the full year allocation amount in GMS, this will then generate a GAN that reflects the full year grant amount. If a reallocation does occur, there is a review by 2 separate staff members to ensure that the amount is verified and that a new GAN is manually generated to include that verified amount, and then the GAN is reissued to the recipient. Anticipated Completion Date: Already completed Contact Person: Lindsey Labonville

Finding Reference Number: 2022-014 NH Department of Education Special Education Cluster (Assistance Listing #84.027 and #84.173) Federal Award Numbers: H027A210103, H173A210109, H027A180103, H173A180109 Federal Award Year: 2021, 2022 U.S. Department of Education Compliance Requirement: Subrecipient Monitoring Type of Finding: Material Weakness and Material Noncompliance Prior Year Finding: None Statistically Valid Sample: No Criteria A pass-through entity must clearly identify to the subrecipient required award information and applicable requirements described in 2 CFR section 200.332(a); Additionally, per 2 CFR section 200.303, non-federal entities must establish and maintain effective internal control over federal awards that provide reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Condition During the year ended June 30, 2022, the New Hampshire Department of Education (the Department) passed through $50,310,796 of federal funding to 174 subrecipients. As part of our testing related subrecipient monitoring, we noted that the Department communicates to subrecipients through the Grant Award Notifications (GANs). Per review of the GAN, we noted the following: A. For 44 of 44 subrecipients selected for testwork, the Department did not communicate the federal award identification number. B. For 15 of 44 subrecipients selected for testwork, the Department did not communicate the full award amount. Instead, the Department only communicated the subrecipients first installment amount entered into Grant Management System (GMS) which is a portion of the subrecipient?s total federal funding allocation. Cause The cause of the condition found was primarily due to breakdown of internal controls to ensure that the Grant Award Notification sent to subrecipients includes all required award data elements, including federal award identification number and full award amount. Effect The effect of the condition found is that the Department may not be in compliance with 2 CFR section 200.332(a)(1). Questioned Costs Not determinable. Recommendation We recommend that the Department review its existing policies and procedures over subrecipient monitoring award identification requirements and revise procedures and internal controls to ensure that information described in 2 CFR section 200.332(a)(1) is clearly identified to the subrecipient at the time of subaward (or subsequent subaward modification). View of Responsible Officials NHED concurs with the finding identified in section A. This was an oversight on the part of NHED, and a process has been implemented to ensure that when the GAN template is generated, there is a review by 2 separate staff members to ensure all required elements on the GAN are complete. NHED concurs with the finding identified in Section B. The previous Division Director of Learner Support, without understanding the unintended consequences, required that the IDEA allocations be uploaded in separate installments instead of including the full year award amount. This led to a GAN generation that included only the first installment. This procedure has since been corrected and NHED is now uploading the full year allocation amount in GMS, this will then generate a GAN that reflects the full year grant amount. If a reallocation does occur, there is a review by 2 separate staff members to ensure that the amount is verified and that a new GAN is manually generated to include that verified amount, and then the GAN is reissued to the recipient. Anticipated Completion Date: Already completed Contact Person: Lindsey Labonville

Program: AL 84.010 ? Title I Grants to Local Educational Agencies ? Allowability and Subrecipient Monitoring Grant Number & Year: S010A190027, FFY 2020; S010A200027, FFY 2021 Federal Grantor Agency: U.S. Department of Education Criteria: Per 2 CFR ? 3474.1 (January 1, 2022), the U.S. Department of Education adopted the OMB Uniform Guidance in 2 CFR part 200, except for 2 CFR ? 200.102(a) and 200.207(a). Per 2 CFR ? 200.403 (January 1, 2022), allowable costs must be necessary, reasonable, and adequately documented. 2 CFR ? 200.430(i)(1) (January 1, 2022) states, in relevant part, the following: Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed. These records must: (i) Be supported by a system of internal control which provides reasonable assurance that the charges are accurate, allowable, and properly allocated; (ii) Be incorporated into the official records of the non-Federal entity; (iii) Reasonably reflect the total activity for which the employee is compensated by the non-Federal entity, not exceeding 100% of compensated activities . . . . ; (iv) Encompass federally-assisted and all other activities compensated by the non-Federal entity on an integrated basis, but may include the use of subsidiary records as defined in the non-Federal entity?s written policy; (v) Comply with the established accounting policies and practices of the non-Federal entity . . . . ; and * * * * (vii) Support the distribution of the employee?s salary or wages among specific activities or cost objectives if the employee works on more than one Federal award; a Federal award and non-Federal award; an indirect cost activity and a direct cost activity; two or more indirect activities which are allocated using different allocation bases; or an unallowable activity and a direct or indirect cost activity. Enclosure A of the ?Letter to Chief State School Officers on Granting Administrative Flexibility for Better Measures of Success? (September 7, 2012) provides guidelines for local educational agencies (LEAs), using a substitute system for time-and-effort reporting. Enclosure A states, in relevant part, the following: (3) Employee schedules must: a. Indicate the specific activity or cost objective that the employee worked on for each segment of the employee?s schedule; b. Account for the total hours for which each employee is compensated during the period reflected on the employee?s schedule; and c. Be certified at least semiannually and signed by the employee and a supervisory official having firsthand knowledge of the work performed by the employee. 2 CFR ? 200.332 (January 1, 2022) states, in relevant part, the following: All pass-through entities must: * * * * (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: * * * * (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient . . . . A good internal control plan requires that adequate documentation be maintained to support amounts claimed by and paid to subrecipients. Good internal control also requires procedures to follow up with subrecipients to ensure they are correcting deficiencies and in compliance with applicable regulations. Condition: The Agency lacked procedures to ensure that subrecipients documented their use of Federal awards appropriately. Repeat Finding: No Questioned Costs: $145,101 known (S010A190027, $8,041; S010A200027, $137,060) Statistical Sample: No Context: We randomly selected 25 subrecipient payments and also chose the largest subrecipient payment for testing. We noted the following: ? Several employees? salaries and benefits were included in the reimbursement requests; however, the Agency did not require subrecipients to submit documentation for these expenditures, other than reports from their accountings systems, at the time of reimbursement. We provided the Agency with an opportunity to request documentation from its subrecipients to support that their salaries and benefits expenses were allowable and in accordance with Federal cost principles; however, two of the subrecipients did not provide adequate support to show that their salaries and benefits were allocable to the grant, resulting in $8,041 sample questioned costs and $137,060 non-sample questioned costs. ? The Agency?s procedure is to perform fiscal reviews of each subrecipient at least once every three years. We reviewed the most recent fiscal reviews for the same 26 subrecipients selected for testing above. For five of these reviews, the Agency noted that the subrecipient did not maintain adequate documentation for salaries and benefits. When we inquired with the Agency regarding what had been done to follow up on its findings, the Agency replied that the findings did not require follow-up. Payment errors noted for the sample tested were $8,041. The total sample tested was $1,494,006. Subrecipient aid payments for the fiscal year ended June 30, 2022, totaled $91,043,602. The sample population was $84,396,850 (total population $91,043,602 less $6,646,752 to largest subrecipient that was separately determined to be allowable). Based on the sample tested, the case error rate was 8% (2/25). The dollar error rate for the sample was 0.54% ($8,041/$1,494,006), which estimates the potential dollars at risk for fiscal year 2022 to be $455,753 (dollar rate multiplied by the population). Cause: Inadequate procedures. Effect: Without adequate supporting documentation and monitoring procedures, there is an increased risk that Federal awards could be used for unallowable costs. Recommendation: We recommend the Agency improve procedures to monitor subrecipients, including reviewing detailed supporting documentation for payroll expenses and following up with subrecipients to ensure that they correct errors noted. Management Response: The Department agrees the two subrecipients sampled did not complete one time and effort certification semi-annually (rather completed annually instead) or with all language suggested in the guidelines from the U.S. Department of Education. However, the Department disagrees with the reimbursement being questioned costs as the time and effort certifications demonstrated adequate documentation to support the employees? activities were allowable for the Title I grant. In the absence of this information, the Department submitted affidavits from the two LEA?s supervisory staff with personal knowledge of the work performed consistent with the U.S. Department of Education?s audit resolutions practices; whereas the APA does not consider documentation after the fact to be adequate to eliminate the finding. The findings noted in the subrecipient fiscal monitoring exit letters were identified for technical assistance purposes only and not considered to have met a level of materiality that required a corrective action plan. Corrective action plans are clearly noted in subrecipient fiscal monitoring exit letters when issued and proper follow-up action is taken when this occurs. Technical assistance was provided to each of the subrecipients at the time of the monitoring review as well as to all subrecipients periodically throughout the year. APA Response: Per the Uniform Guidance, questioned costs include expenditures that lack adequate supporting documentation at the time of the audit. 2 CFR ? 200.430(i)(1) (January 1, 2022), as referenced in the report comment, says that such documentation must ?accurately reflect the work performed? and be ?supported by a system of internal control which provides reasonable assurance that the charges are accurate, allowable, and properly allocated.? Affidavits dated February 27, 2023, some 18 months after the salary and benefit expenses occurred, cannot possibly satisfy either of these requirements and are, therefore, not acceptable. As the documentation provided did not meet the minimum requirements set forth in Uniform Guidance and guidance issued by the U.S. Department of Education, the expenditures at issue must be considered questioned costs. Moreover, the Uniform Guidance requires the Agency, as the pass-through entity, to ensure that the subrecipient takes timely and appropriate action to address deficiencies identified not only during audits but also from the Agency?s own reviews. The Agency has noted issues similar to those addressed by the APA ? namely, that the subrecipients have lacked adequate supporting documentation for salary and benefit expenses. The Agency performs subrecipient fiscal monitoring for most subrecipients only every third year. Thus, effective follow-up procedures, as required by 2 CFR ? 200.332 (January 1, 2022), are needed to ensure that subrecipients implement the technical assistance provided by the Agency.

Program: AL 20.205 ? Highway Planning & Construction ? Subrecipient Monitoring Grant Number & Year: Various Federal Grantor Agency: U.S. Department of Transportation Criteria: Per 2 CFR ? 1201.1 (January 1, 2022), the U.S. Department of Transportation adopted the Uniform Administrative Requirements, Cost Principles, and Audit Requirements set forth at Title 2 CFR part 200. 2 CFR ? 200.332(a) (January 1, 2022) requires all pass-through entities to do the following: Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification . . . . Required information includes: (1) Federal award identification. * * * * (ii) Subrecipient's unique entity identifier; (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal award date in ? 200.1 of this part) of award to the recipient by the Federal agency; * * * * (vii) Amount of Federal Funds Obligated by this action by the pass-through entity to the subrecipient; (viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity including the current financial obligation; (ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity; * * * * (xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; Good internal control requires procedure to ensure that subrecipients are informed of all required information. Condition: The Agency did not communicate all required information to subrecipients. We noted further that the Agency lacked procedures for ensuring subrecipients have sufficient accounting controls to manage Federal funds properly. Repeat Finding: No Questioned Costs: Unknown Statistical Sample: No Context: During the fiscal year, there were 46 subaward projects to a total of eight subrecipients. We tested five subawards and noted the Agency did not properly communicate the subrecipients? unique entity identifier, the Federal Award Identification Number, Federal award date, and amount of Federal funds obligated and committed for all five subrecipient projects tested. Additionally, for one of five projects tested, the Assistance Listing number and title was not communicated. Subrecipient expenditures totaled $29,277,795 during the fiscal year. Cause: The program agreement template used for subrecipient awards does not include all required Federal award identification data elements. For the one project where the Federal Assistance Listings number and title was not communicated, the program agreement was completed in 2006, prior to the program agreement template being changed to include this information. Effect: Noncompliance with Federal regulations could result in sanctions. When subrecipients are not informed of all required information, there is an increased risk for subrecipient noncompliance, including with audit requirements. Recommendation: We recommend the Agency implement procedures to ensure that subrecipient program agreements include all information required to be communicated. Management Response: NDOT concurs with finding and will review all current active agreements to ensure notification of each federal subaward is clearly identified to the subrecipient.

Program: AL 20.509 ? Formula Grants for Rural Areas ? Allowability & Subrecipient Monitoring Grant Number & Year: NE-2019-013-00, FFY 2017 Federal Grantor Agency: U.S. Department of Transportation Criteria: Per 2 CFR ? 1201.1 (January 1, 2022), the U.S. Department of Transportation adopted the Uniform Administrative Requirements, Cost Principles, and Audit Requirements set forth at Title 2 CFR part 200. 2 CFR ? 200.403 (January 1, 2022) requires costs to be reasonable, necessary, and adequately documented. A good internal control plan requires procedures to be in place to ensure compliance with Federal and State requirements. 2 CFR ? 200.332(d) (January 1, 2022) requires the pass-through entity to do the following: Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. 2 CFR ? 200.430(i)(1) (January 1, 2022) states the following, in relevant part: Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed. These records must: (i) Be supported by a system of internal control which provides reasonable assurance that the charges are accurate, allowable, and properly allocated; * * * * (vii) Support the distribution of the employee?s salary or wages among specific activities or cost objectives if the employee works on more than one Federal award; a Federal award and non-Federal award; an indirect cost activity and a direct cost activity; two or more indirect activities which are allocated using different allocation bases; or an unallowable activity and a direct or indirect cost activity. (viii) Budget estimates (i.e., estimates determined before the services are performed) alone do not qualify as support for charges to Federal awards . . . [.] Per 2 CFR ? 200.405(a) (January 1, 2022), ?A cost is allocable to a particular Federal award or other cost objective if the goods or services involved are chargeable or assignable to that Federal award or cost objective in accordance with relative benefits received.? Condition: The Agency lacked adequate documentation to support that payments were for allowable activities and in accordance with Federal cost principles. A similar finding was noted in the prior audit. Repeat Finding: 2021-065 Questioned Costs: $64,704 known Statistical Sample: No Context: We tested 25 payments to 22 subrecipients and three vendors. The Agency performed financial desk reviews for subrecipients; however, the reviews tested were not adequate. When desk reviews were not adequate, we provided the Agency with the opportunity to obtain additional support from the subrecipient; however, adequate support was not obtained. We noted the following: ? For nine subrecipients tested, documentation was not adequate to support that personnel charges were allowable and in accordance with Federal cost principles. The Agency did not have timesheets, time certifications, or other payroll documentation on file for all reimbursement requests. In some cases, payroll documentation was on file, but there was not adequate support to verify that the correct amount was charged to the program, as timesheets were not sufficient to identify time allocated to the program when the employee did not work entirely on the Federal program. In addition, for some subrecipients there was not sufficient documentation to support the benefits reimbursed. ? For one subrecipient tested, fuel costs and maintenance expenses were not adequately supported. The expenses were not supported by invoices. ? For seven subrecipients tested, capital and nonoperating costs were not adequately supported. The Agency did not obtain documentation to support the percentage of nonoperating expenditures allocated to the program. Subrecipients may share building space with other city or county offices and, therefore, may be charged a portion of the rent and utilities. While this is allowable, the Agency must obtain documentation to support that the percent allocated to the transit program is reasonable; however, such supporting documentation was not available. We also noted that one subrecipient was improperly reimbursed for sales taxes. The sample population totaled $15,537,764, which included $12,810,135 paid to 60 subrecipients and $2,727,629 vendor payments. Federal payment errors noted in the sample totaled $24,600. The total Federal sample tested was $353,695. Based on the sample tested, the dollar error rate was 6.96% ($24,600/$353,695), which estimates the potential dollars at risk for fiscal year 2022 to be $1,081,428 (dollar error rate multiplied by population). North Fork Area Transit During the course of our audit, we became aware of potential fraud related to the North Fork Area Transit (NFAT), a subrecipient of the Agency. On December 15, 2022, the Director of NFAT was suspended. A warrant was issued for his arrest the next day, alleging theft of up to $1 million between April and December 2022. From April 1, 2022, through June 30, 2022, the Program reimbursed NFAT a total of $582,587. As a result, we selected the April 2022 reimbursement paid to NFAT in June 2022, totaling $101,519, for additional testing. During that testing we identified $40,104 in questioned costs due to the following: ? For all four non-operating personnel (director and managers), documentation was inadequate to support that personnel charges were allowable and in accordance with Federal cost principles, as the timesheets identified only times in and out and did not specify what work the nonoperating employee was performing for the Federal grant. Questioned costs due to the lack of support for nonoperating personnel totaled $24,104. ? A $20,000 payment for vehicle insurance was reported; however, there was no documentation to support how the amount was determined or why it was reasonable. Furthermore, the $20,000 paid was inconsistent with past vehicle insurance payments. We observed a check in March 2022 for $600 with the description that it was for March bus insurance, and previous testing identified $600 bus insurance checks in August 2020 and August 2021. As a result, we question the Federal share of $16,000. ? We also noted inconsistencies in supporting documentation for operating personnel (drivers and dispatchers). Variances were noted between timesheet hours and the payroll register. Due to the NFAT concerns, the APA has now commenced a thorough review of this entire matter, which will be reported separately at a later date. Cause: Procedures were not adequate to ensure that costs were in accordance with Federal requirements. Effect: Increased risk for errors or misuse of funds. Recommendation: We recommend the Agency strengthen subrecipient monitoring procedures. We further recommend the Agency improve procedures to ensure expenditures are allowable and in accordance with Federal regulations. Management Response: The NDOT Local Assistance Division has increased transit staff by 1.5 FTEs for a total of 3.5 FTEs dedicated to reviewing monthly invoices. NDOT continues to engage and educate transit recipients. In late 2022, the North Fork Area Transit (NFAT) Board began an internal review process which revealed an inappropriate use of funds and authorities were notified. In December 2022, the NFAT Board engaged NDOT and requested assistance from the Mobility Management Team following the allegation. The Mobility Management Team is assisting the NFAT Board in managing operations, review of existing reporting and financial policies, and review and update of step-by-step checks and balances process. NDOT is financially supporting the Mobility Management Team in an effort to support and resume services at NFAT.

Program: AL 21.026 ? COVID-19 Homeowner Assistance Fund ? Subrecipient Monitoring Grant Number & Year: N/A Federal Grantor Agency: U.S. Department of the Treasury Criteria: Per 2 CFR ? 1000.10 (January 1, 2022), the U.S. Department of the Treasury adopted the Uniform Administrative Requirements, Cost Principles, and Audit Requirements set forth at 2 CFR part 200. 2 CFR ? 200.332 (January 1, 2022) states the following, in relevant part: All pass through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: (1) Federal award identification (i) Subrecipient name (which must match the name associated with its unique entity identifier); (ii) Subrecipient?s unique entity identifier (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal award date in ? 200.1 of this part) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (vi) Subaward Budget Period Start and End Date; (vii) Amount of Federal Funds Obligated by this action by the pass-through entity to the subrecipient; (viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity including the current financial obligation; (ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity; (x) Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA); (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the Pass-through entity; (xii) Assistance Listings number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (xiii) Identification of whether the award is R&D; and (xiv) Indirect cost rate for the Federal award (including if the de minimis rate is charged) per ? 200.414. * * * * (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. 2 CFR ? 200.333 (January 1, 2022) states the following: With prior written approval from the Federal awarding agency, a pass-through entity may provide subawards based on fixed amounts up to the Simplified Acquisition Threshold, provided that the subawards meet the requirements for fixed amount awards in ?200.201. 2 CFR ? 200.201 (January 1, 2022) states the following, in relevant part: (b) Fixed amount awards. In addition to the options described in paragraph (a) of this section, Federal awarding agencies, or pass-through entities as permitted in ? 200.333, may use fixed amount awards (see Fixed amount awards in ? 200.1) to which the following conditions apply: (1) The Federal award amount is negotiated using the cost principles (or other pricing information) as a guide. The Federal awarding agency or pass-through entity may use fixed amount awards if the project scope has measurable goals and objectives and if adequate cost, historical, or unit pricing data is available to establish a fixed amount award based on a reasonable estimate of actual cost. . . . Good internal controls require procedures for the proper maintenance of program documents. Condition: The Agency lacked adequate procedures for monitoring subrecipients. Repeat Finding: No Questioned Costs: $451,851 known Statistical Sample: No Context: On November 2, 2021, the Agency signed a Memorandum of Understanding (MOU) with the Nebraska Investment Finance Authority (NIFA) to assist the Agency in carrying out the Homeowner Assistance Fund (HAF) Program. The Agency agreed to pay NIFA an amount not to exceed $1,200,000 for services during the initial contract period of November 1, 2021, through January 31, 2023. This included: 1) a flat fee of $78,348 for delivery of an accepted HAF Plan; 2) a flat fee of $90,700 for implementation of the Program, payable the month following program launch; and 3) $69,081 per month, beginning February 2022, for ongoing project administration. During the fiscal year ended June 30, 2022, the Agency paid NIFA $451,581. We noted the following: ? The Agency did not have controls and procedures in place to ensure that subrecipient requirements were met. ? The Agency did not communicate the Federal award identification items required by 2 CFR ? 200.332. ? NIFA was to be paid fixed amounts; however, prior written approval of these fixed-amount payments, as required by 2 CFR ? 200.333, could not be provided. In addition, the Agency did not have adequate support to ensure that the amounts paid were reasonable, as required by 2 CFR ? 200.201. Furthermore, per an Employee Time Summary report, the actual cost for February through June 2022 was $152,301, compared to the $345,404 billed and paid for monthly services. Cause: Inadequate procedures. Effect: Increased risk of fraud and non-compliance with Federal guidelines. Recommendation: We recommend the Agency implement procedures to ensure that Federal guidelines are followed, and controls are in place for subrecipient monitoring. Management Response: The Military Department disagrees with this finding. The Military Department does require NIFA to comply with 2 CFR 200 and executes procedures and controls to ensure the Federal guidelines are followed. These include (but are not limited to) weekly program updates, monthly reporting of plan metrics, compliance reviews, monthly manpower evaluations of NIFA personnel against invoices to substantiate project management supporting the program and reasonableness of administration fees. In addition, the MOU with NIFA was amended to require monthly manpower evaluations to substantiate the monthly fee for project management and administration of the program beginning with July 2022 invoicing, thus changing from a flat fee to actual costs incurred. APA Response: Per 2 CFR ? 1000.10 (January 1, 2022), the U.S. Department of the Treasury adopted the Uniform Administrative Requirements, Cost Principles, and Audit Requirements set forth at 2 CFR part 200; therefore, the Agency is required to follow 2 CFR part 200. Payments during fiscal year ended June 30, 2022, were made under a fixed amount subaward. Fixed amount subawards are allowable only with prior written approval from the Federal awarding agency. The failure to communicate items required by 2 CFR ? 200.332 (January 1, 2022) illustrates further the inadequacy of Agency procedures.

Assistance Listing Number, Federal Agency, and Program Name - ALN 21.027, Department of Treasury, COVID-19 Coronavirus State and Local Fiscal Recovery Fund (CSLFRF) Federal Award Identification Number and Year - N/A Pass-through Entity - N/A Finding Type - Significant deficiency and material noncompliance with laws and regulations Repeat Finding - No Criteria - Per 2 CFR 200.332 (a), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the federal award and subaward. Required information includes the following: (1) Federal award identification (i) Subrecipient name (which must match the name associated with its unique entity identifier) (ii) Subrecipient's unique entity identifier (iii) Federal Award Identification Number (FAIN) (iv) Federal award date (see the definition of federal award date in ? 200.1 of this part) of award to the recipient by the federal agency (v) Subaward period of performance start and end date (vi) Subaward budget period start and end date (vii) Amount of federal funds obligated by this action by the pass-through entity to the subrecipient (viii) Total amount of federal funds obligated to the subrecipient by the pass-through entity, including the current financial obligation (ix) Total amount of the federal award committed to the subrecipient by the pass-through entity (x) Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA) (xi) Name of federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity (xii) Assistance Listing Numbers and title; the pass-through entity must identify the dollar amount made available under each federal award and the Assistance Listing Numbers at time of disbursement (xiii) Identification of whether the award is R&D (xiv) Indirect cost rate for the federal award (including if the de minimis rate is charged) per ? 200.414 Condition - The CSLFRF subrecipient agreements did not include the CSLFRF assistance Listing Number (ALN), as required per 2 CFR 200.332 (a)(1)(xii). Questioned Costs - None Identification of How Questioned Costs Were Computed - N/A Context - During the fiscal year, the City passed through CSLFRF funding to three subrecipients. The agreements with the subrecipients included a reference to the applicable regulations provided by the Treasury and all the elements outlined under 2 CFR 200.331 (a)(1) with the exception of the ALN. Cause and Effect - The City?s controls did not ensure that the subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 (a)(1). The lack of information could result in noncompliance by the subrecipient, as well as incorrect SEFA reporting. Recommendation - We recommend the City implement adequate controls to ensure subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 a)(1). Views of Responsible Officials and Planned Corrective Actions - The City has implemented a process to ensure that all subrecipient agreements contain the federal ALN, as required by 2 CFR 200.332. All subrecipient agreements will include a new exhibit as an attachment in the agreement that will include the ALN and any other required grant elements.

Assistance Listing Number, Federal Agency, and Program Name - ALN 21.027, Department of Treasury, COVID-19 Coronavirus State and Local Fiscal Recovery Fund (CSLFRF) Federal Award Identification Number and Year - N/A Pass-through Entity - N/A Finding Type - Significant deficiency and material noncompliance with laws and regulations Repeat Finding - No Criteria - Per 2 CFR 200.332 (a), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the federal award and subaward. Required information includes the following: (1) Federal award identification (i) Subrecipient name (which must match the name associated with its unique entity identifier) (ii) Subrecipient's unique entity identifier (iii) Federal Award Identification Number (FAIN) (iv) Federal award date (see the definition of federal award date in ? 200.1 of this part) of award to the recipient by the federal agency (v) Subaward period of performance start and end date (vi) Subaward budget period start and end date (vii) Amount of federal funds obligated by this action by the pass-through entity to the subrecipient (viii) Total amount of federal funds obligated to the subrecipient by the pass-through entity, including the current financial obligation (ix) Total amount of the federal award committed to the subrecipient by the pass-through entity (x) Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA) (xi) Name of federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity (xii) Assistance Listing Numbers and title; the pass-through entity must identify the dollar amount made available under each federal award and the Assistance Listing Numbers at time of disbursement (xiii) Identification of whether the award is R&D (xiv) Indirect cost rate for the federal award (including if the de minimis rate is charged) per ? 200.414 Condition - The CSLFRF subrecipient agreements did not include the CSLFRF assistance Listing Number (ALN), as required per 2 CFR 200.332 (a)(1)(xii). Questioned Costs - None Identification of How Questioned Costs Were Computed - N/A Context - During the fiscal year, the City passed through CSLFRF funding to three subrecipients. The agreements with the subrecipients included a reference to the applicable regulations provided by the Treasury and all the elements outlined under 2 CFR 200.331 (a)(1) with the exception of the ALN. Cause and Effect - The City?s controls did not ensure that the subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 (a)(1). The lack of information could result in noncompliance by the subrecipient, as well as incorrect SEFA reporting. Recommendation - We recommend the City implement adequate controls to ensure subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 a)(1). Views of Responsible Officials and Planned Corrective Actions - The City has implemented a process to ensure that all subrecipient agreements contain the federal ALN, as required by 2 CFR 200.332. All subrecipient agreements will include a new exhibit as an attachment in the agreement that will include the ALN and any other required grant elements.

Assistance Listing Number, Federal Agency, and Program Name - ALN 21.027, Department of Treasury, COVID-19 Coronavirus State and Local Fiscal Recovery Fund (CSLFRF) Federal Award Identification Number and Year - N/A Pass-through Entity - N/A Finding Type - Significant deficiency and material noncompliance with laws and regulations Repeat Finding - No Criteria - Per 2 CFR 200.332 (a), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the federal award and subaward. Required information includes the following: (1) Federal award identification (i) Subrecipient name (which must match the name associated with its unique entity identifier) (ii) Subrecipient's unique entity identifier (iii) Federal Award Identification Number (FAIN) (iv) Federal award date (see the definition of federal award date in ? 200.1 of this part) of award to the recipient by the federal agency (v) Subaward period of performance start and end date (vi) Subaward budget period start and end date (vii) Amount of federal funds obligated by this action by the pass-through entity to the subrecipient (viii) Total amount of federal funds obligated to the subrecipient by the pass-through entity, including the current financial obligation (ix) Total amount of the federal award committed to the subrecipient by the pass-through entity (x) Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA) (xi) Name of federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity (xii) Assistance Listing Numbers and title; the pass-through entity must identify the dollar amount made available under each federal award and the Assistance Listing Numbers at time of disbursement (xiii) Identification of whether the award is R&D (xiv) Indirect cost rate for the federal award (including if the de minimis rate is charged) per ? 200.414 Condition - The CSLFRF subrecipient agreements did not include the CSLFRF assistance Listing Number (ALN), as required per 2 CFR 200.332 (a)(1)(xii). Questioned Costs - None Identification of How Questioned Costs Were Computed - N/A Context - During the fiscal year, the City passed through CSLFRF funding to three subrecipients. The agreements with the subrecipients included a reference to the applicable regulations provided by the Treasury and all the elements outlined under 2 CFR 200.331 (a)(1) with the exception of the ALN. Cause and Effect - The City?s controls did not ensure that the subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 (a)(1). The lack of information could result in noncompliance by the subrecipient, as well as incorrect SEFA reporting. Recommendation - We recommend the City implement adequate controls to ensure subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 a)(1). Views of Responsible Officials and Planned Corrective Actions - The City has implemented a process to ensure that all subrecipient agreements contain the federal ALN, as required by 2 CFR 200.332. All subrecipient agreements will include a new exhibit as an attachment in the agreement that will include the ALN and any other required grant elements.

Assistance Listing Number, Federal Agency, and Program Name - ALN 21.027, Department of Treasury, COVID-19 Coronavirus State and Local Fiscal Recovery Fund (CSLFRF) Federal Award Identification Number and Year - N/A Pass-through Entity - N/A Finding Type - Significant deficiency and material noncompliance with laws and regulations Repeat Finding - No Criteria - Per 2 CFR 200.332 (a), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the federal award and subaward. Required information includes the following: (1) Federal award identification (i) Subrecipient name (which must match the name associated with its unique entity identifier) (ii) Subrecipient's unique entity identifier (iii) Federal Award Identification Number (FAIN) (iv) Federal award date (see the definition of federal award date in ? 200.1 of this part) of award to the recipient by the federal agency (v) Subaward period of performance start and end date (vi) Subaward budget period start and end date (vii) Amount of federal funds obligated by this action by the pass-through entity to the subrecipient (viii) Total amount of federal funds obligated to the subrecipient by the pass-through entity, including the current financial obligation (ix) Total amount of the federal award committed to the subrecipient by the pass-through entity (x) Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA) (xi) Name of federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity (xii) Assistance Listing Numbers and title; the pass-through entity must identify the dollar amount made available under each federal award and the Assistance Listing Numbers at time of disbursement (xiii) Identification of whether the award is R&D (xiv) Indirect cost rate for the federal award (including if the de minimis rate is charged) per ? 200.414 Condition - The CSLFRF subrecipient agreements did not include the CSLFRF assistance Listing Number (ALN), as required per 2 CFR 200.332 (a)(1)(xii). Questioned Costs - None Identification of How Questioned Costs Were Computed - N/A Context - During the fiscal year, the City passed through CSLFRF funding to three subrecipients. The agreements with the subrecipients included a reference to the applicable regulations provided by the Treasury and all the elements outlined under 2 CFR 200.331 (a)(1) with the exception of the ALN. Cause and Effect - The City?s controls did not ensure that the subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 (a)(1). The lack of information could result in noncompliance by the subrecipient, as well as incorrect SEFA reporting. Recommendation - We recommend the City implement adequate controls to ensure subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 a)(1). Views of Responsible Officials and Planned Corrective Actions - The City has implemented a process to ensure that all subrecipient agreements contain the federal ALN, as required by 2 CFR 200.332. All subrecipient agreements will include a new exhibit as an attachment in the agreement that will include the ALN and any other required grant elements.

Assistance Listing Number, Federal Agency, and Program Name - ALN 21.027, Department of Treasury, COVID-19 Coronavirus State and Local Fiscal Recovery Fund (CSLFRF) Federal Award Identification Number and Year - N/A Pass-through Entity - N/A Finding Type - Significant deficiency and material noncompliance with laws and regulations Repeat Finding - No Criteria - Per 2 CFR 200.332 (a), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the federal award and subaward. Required information includes the following: (1) Federal award identification (i) Subrecipient name (which must match the name associated with its unique entity identifier) (ii) Subrecipient's unique entity identifier (iii) Federal Award Identification Number (FAIN) (iv) Federal award date (see the definition of federal award date in ? 200.1 of this part) of award to the recipient by the federal agency (v) Subaward period of performance start and end date (vi) Subaward budget period start and end date (vii) Amount of federal funds obligated by this action by the pass-through entity to the subrecipient (viii) Total amount of federal funds obligated to the subrecipient by the pass-through entity, including the current financial obligation (ix) Total amount of the federal award committed to the subrecipient by the pass-through entity (x) Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA) (xi) Name of federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity (xii) Assistance Listing Numbers and title; the pass-through entity must identify the dollar amount made available under each federal award and the Assistance Listing Numbers at time of disbursement (xiii) Identification of whether the award is R&D (xiv) Indirect cost rate for the federal award (including if the de minimis rate is charged) per ? 200.414 Condition - The CSLFRF subrecipient agreements did not include the CSLFRF assistance Listing Number (ALN), as required per 2 CFR 200.332 (a)(1)(xii). Questioned Costs - None Identification of How Questioned Costs Were Computed - N/A Context - During the fiscal year, the City passed through CSLFRF funding to three subrecipients. The agreements with the subrecipients included a reference to the applicable regulations provided by the Treasury and all the elements outlined under 2 CFR 200.331 (a)(1) with the exception of the ALN. Cause and Effect - The City?s controls did not ensure that the subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 (a)(1). The lack of information could result in noncompliance by the subrecipient, as well as incorrect SEFA reporting. Recommendation - We recommend the City implement adequate controls to ensure subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 a)(1). Views of Responsible Officials and Planned Corrective Actions - The City has implemented a process to ensure that all subrecipient agreements contain the federal ALN, as required by 2 CFR 200.332. All subrecipient agreements will include a new exhibit as an attachment in the agreement that will include the ALN and any other required grant elements.

Assistance Listing Number, Federal Agency, and Program Name - ALN 21.027, Department of Treasury, COVID-19 Coronavirus State and Local Fiscal Recovery Fund (CSLFRF) Federal Award Identification Number and Year - N/A Pass-through Entity - N/A Finding Type - Significant deficiency and material noncompliance with laws and regulations Repeat Finding - No Criteria - Per 2 CFR 200.332 (a), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the federal award and subaward. Required information includes the following: (1) Federal award identification (i) Subrecipient name (which must match the name associated with its unique entity identifier) (ii) Subrecipient's unique entity identifier (iii) Federal Award Identification Number (FAIN) (iv) Federal award date (see the definition of federal award date in ? 200.1 of this part) of award to the recipient by the federal agency (v) Subaward period of performance start and end date (vi) Subaward budget period start and end date (vii) Amount of federal funds obligated by this action by the pass-through entity to the subrecipient (viii) Total amount of federal funds obligated to the subrecipient by the pass-through entity, including the current financial obligation (ix) Total amount of the federal award committed to the subrecipient by the pass-through entity (x) Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA) (xi) Name of federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity (xii) Assistance Listing Numbers and title; the pass-through entity must identify the dollar amount made available under each federal award and the Assistance Listing Numbers at time of disbursement (xiii) Identification of whether the award is R&D (xiv) Indirect cost rate for the federal award (including if the de minimis rate is charged) per ? 200.414 Condition - The CSLFRF subrecipient agreements did not include the CSLFRF assistance Listing Number (ALN), as required per 2 CFR 200.332 (a)(1)(xii). Questioned Costs - None Identification of How Questioned Costs Were Computed - N/A Context - During the fiscal year, the City passed through CSLFRF funding to three subrecipients. The agreements with the subrecipients included a reference to the applicable regulations provided by the Treasury and all the elements outlined under 2 CFR 200.331 (a)(1) with the exception of the ALN. Cause and Effect - The City?s controls did not ensure that the subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 (a)(1). The lack of information could result in noncompliance by the subrecipient, as well as incorrect SEFA reporting. Recommendation - We recommend the City implement adequate controls to ensure subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 a)(1). Views of Responsible Officials and Planned Corrective Actions - The City has implemented a process to ensure that all subrecipient agreements contain the federal ALN, as required by 2 CFR 200.332. All subrecipient agreements will include a new exhibit as an attachment in the agreement that will include the ALN and any other required grant elements.

Assistance Listing Number, Federal Agency, and Program Name - ALN 21.027, Department of Treasury, COVID-19 Coronavirus State and Local Fiscal Recovery Fund (CSLFRF) Federal Award Identification Number and Year - N/A Pass-through Entity - N/A Finding Type - Significant deficiency and material noncompliance with laws and regulations Repeat Finding - No Criteria - Per 2 CFR 200.332 (a), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the federal award and subaward. Required information includes the following: (1) Federal award identification (i) Subrecipient name (which must match the name associated with its unique entity identifier) (ii) Subrecipient's unique entity identifier (iii) Federal Award Identification Number (FAIN) (iv) Federal award date (see the definition of federal award date in ? 200.1 of this part) of award to the recipient by the federal agency (v) Subaward period of performance start and end date (vi) Subaward budget period start and end date (vii) Amount of federal funds obligated by this action by the pass-through entity to the subrecipient (viii) Total amount of federal funds obligated to the subrecipient by the pass-through entity, including the current financial obligation (ix) Total amount of the federal award committed to the subrecipient by the pass-through entity (x) Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA) (xi) Name of federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity (xii) Assistance Listing Numbers and title; the pass-through entity must identify the dollar amount made available under each federal award and the Assistance Listing Numbers at time of disbursement (xiii) Identification of whether the award is R&D (xiv) Indirect cost rate for the federal award (including if the de minimis rate is charged) per ? 200.414 Condition - The CSLFRF subrecipient agreements did not include the CSLFRF assistance Listing Number (ALN), as required per 2 CFR 200.332 (a)(1)(xii). Questioned Costs - None Identification of How Questioned Costs Were Computed - N/A Context - During the fiscal year, the City passed through CSLFRF funding to three subrecipients. The agreements with the subrecipients included a reference to the applicable regulations provided by the Treasury and all the elements outlined under 2 CFR 200.331 (a)(1) with the exception of the ALN. Cause and Effect - The City?s controls did not ensure that the subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 (a)(1). The lack of information could result in noncompliance by the subrecipient, as well as incorrect SEFA reporting. Recommendation - We recommend the City implement adequate controls to ensure subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 a)(1). Views of Responsible Officials and Planned Corrective Actions - The City has implemented a process to ensure that all subrecipient agreements contain the federal ALN, as required by 2 CFR 200.332. All subrecipient agreements will include a new exhibit as an attachment in the agreement that will include the ALN and any other required grant elements.

Assistance Listing Number, Federal Agency, and Program Name - ALN 21.027, Department of Treasury, COVID-19 Coronavirus State and Local Fiscal Recovery Fund (CSLFRF) Federal Award Identification Number and Year - N/A Pass-through Entity - N/A Finding Type - Significant deficiency and material noncompliance with laws and regulations Repeat Finding - No Criteria - Per 2 CFR 200.332 (a), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the federal award and subaward. Required information includes the following: (1) Federal award identification (i) Subrecipient name (which must match the name associated with its unique entity identifier) (ii) Subrecipient's unique entity identifier (iii) Federal Award Identification Number (FAIN) (iv) Federal award date (see the definition of federal award date in ? 200.1 of this part) of award to the recipient by the federal agency (v) Subaward period of performance start and end date (vi) Subaward budget period start and end date (vii) Amount of federal funds obligated by this action by the pass-through entity to the subrecipient (viii) Total amount of federal funds obligated to the subrecipient by the pass-through entity, including the current financial obligation (ix) Total amount of the federal award committed to the subrecipient by the pass-through entity (x) Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA) (xi) Name of federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity (xii) Assistance Listing Numbers and title; the pass-through entity must identify the dollar amount made available under each federal award and the Assistance Listing Numbers at time of disbursement (xiii) Identification of whether the award is R&D (xiv) Indirect cost rate for the federal award (including if the de minimis rate is charged) per ? 200.414 Condition - The CSLFRF subrecipient agreements did not include the CSLFRF assistance Listing Number (ALN), as required per 2 CFR 200.332 (a)(1)(xii). Questioned Costs - None Identification of How Questioned Costs Were Computed - N/A Context - During the fiscal year, the City passed through CSLFRF funding to three subrecipients. The agreements with the subrecipients included a reference to the applicable regulations provided by the Treasury and all the elements outlined under 2 CFR 200.331 (a)(1) with the exception of the ALN. Cause and Effect - The City?s controls did not ensure that the subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 (a)(1). The lack of information could result in noncompliance by the subrecipient, as well as incorrect SEFA reporting. Recommendation - We recommend the City implement adequate controls to ensure subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 a)(1). Views of Responsible Officials and Planned Corrective Actions - The City has implemented a process to ensure that all subrecipient agreements contain the federal ALN, as required by 2 CFR 200.332. All subrecipient agreements will include a new exhibit as an attachment in the agreement that will include the ALN and any other required grant elements.

Assistance Listing Number, Federal Agency, and Program Name - ALN 21.027, Department of Treasury, COVID-19 Coronavirus State and Local Fiscal Recovery Fund (CSLFRF) Federal Award Identification Number and Year - N/A Pass-through Entity - N/A Finding Type - Significant deficiency and material noncompliance with laws and regulations Repeat Finding - No Criteria - Per 2 CFR 200.332 (a), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the federal award and subaward. Required information includes the following: (1) Federal award identification (i) Subrecipient name (which must match the name associated with its unique entity identifier) (ii) Subrecipient's unique entity identifier (iii) Federal Award Identification Number (FAIN) (iv) Federal award date (see the definition of federal award date in ? 200.1 of this part) of award to the recipient by the federal agency (v) Subaward period of performance start and end date (vi) Subaward budget period start and end date (vii) Amount of federal funds obligated by this action by the pass-through entity to the subrecipient (viii) Total amount of federal funds obligated to the subrecipient by the pass-through entity, including the current financial obligation (ix) Total amount of the federal award committed to the subrecipient by the pass-through entity (x) Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA) (xi) Name of federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity (xii) Assistance Listing Numbers and title; the pass-through entity must identify the dollar amount made available under each federal award and the Assistance Listing Numbers at time of disbursement (xiii) Identification of whether the award is R&D (xiv) Indirect cost rate for the federal award (including if the de minimis rate is charged) per ? 200.414 Condition - The CSLFRF subrecipient agreements did not include the CSLFRF assistance Listing Number (ALN), as required per 2 CFR 200.332 (a)(1)(xii). Questioned Costs - None Identification of How Questioned Costs Were Computed - N/A Context - During the fiscal year, the City passed through CSLFRF funding to three subrecipients. The agreements with the subrecipients included a reference to the applicable regulations provided by the Treasury and all the elements outlined under 2 CFR 200.331 (a)(1) with the exception of the ALN. Cause and Effect - The City?s controls did not ensure that the subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 (a)(1). The lack of information could result in noncompliance by the subrecipient, as well as incorrect SEFA reporting. Recommendation - We recommend the City implement adequate controls to ensure subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 a)(1). Views of Responsible Officials and Planned Corrective Actions - The City has implemented a process to ensure that all subrecipient agreements contain the federal ALN, as required by 2 CFR 200.332. All subrecipient agreements will include a new exhibit as an attachment in the agreement that will include the ALN and any other required grant elements.

Assistance Listing Number, Federal Agency, and Program Name - ALN 21.027, Department of Treasury, COVID-19 Coronavirus State and Local Fiscal Recovery Fund (CSLFRF) Federal Award Identification Number and Year - N/A Pass-through Entity - N/A Finding Type - Significant deficiency and material noncompliance with laws and regulations Repeat Finding - No Criteria - Per 2 CFR 200.332 (a), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the federal award and subaward. Required information includes the following: (1) Federal award identification (i) Subrecipient name (which must match the name associated with its unique entity identifier) (ii) Subrecipient's unique entity identifier (iii) Federal Award Identification Number (FAIN) (iv) Federal award date (see the definition of federal award date in ? 200.1 of this part) of award to the recipient by the federal agency (v) Subaward period of performance start and end date (vi) Subaward budget period start and end date (vii) Amount of federal funds obligated by this action by the pass-through entity to the subrecipient (viii) Total amount of federal funds obligated to the subrecipient by the pass-through entity, including the current financial obligation (ix) Total amount of the federal award committed to the subrecipient by the pass-through entity (x) Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA) (xi) Name of federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity (xii) Assistance Listing Numbers and title; the pass-through entity must identify the dollar amount made available under each federal award and the Assistance Listing Numbers at time of disbursement (xiii) Identification of whether the award is R&D (xiv) Indirect cost rate for the federal award (including if the de minimis rate is charged) per ? 200.414 Condition - The CSLFRF subrecipient agreements did not include the CSLFRF assistance Listing Number (ALN), as required per 2 CFR 200.332 (a)(1)(xii). Questioned Costs - None Identification of How Questioned Costs Were Computed - N/A Context - During the fiscal year, the City passed through CSLFRF funding to three subrecipients. The agreements with the subrecipients included a reference to the applicable regulations provided by the Treasury and all the elements outlined under 2 CFR 200.331 (a)(1) with the exception of the ALN. Cause and Effect - The City?s controls did not ensure that the subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 (a)(1). The lack of information could result in noncompliance by the subrecipient, as well as incorrect SEFA reporting. Recommendation - We recommend the City implement adequate controls to ensure subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 a)(1). Views of Responsible Officials and Planned Corrective Actions - The City has implemented a process to ensure that all subrecipient agreements contain the federal ALN, as required by 2 CFR 200.332. All subrecipient agreements will include a new exhibit as an attachment in the agreement that will include the ALN and any other required grant elements.

Assistance Listing Number, Federal Agency, and Program Name - ALN 21.027, Department of Treasury, COVID-19 Coronavirus State and Local Fiscal Recovery Fund (CSLFRF) Federal Award Identification Number and Year - N/A Pass-through Entity - N/A Finding Type - Significant deficiency and material noncompliance with laws and regulations Repeat Finding - No Criteria - Per 2 CFR 200.332 (a), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the federal award and subaward. Required information includes the following: (1) Federal award identification (i) Subrecipient name (which must match the name associated with its unique entity identifier) (ii) Subrecipient's unique entity identifier (iii) Federal Award Identification Number (FAIN) (iv) Federal award date (see the definition of federal award date in ? 200.1 of this part) of award to the recipient by the federal agency (v) Subaward period of performance start and end date (vi) Subaward budget period start and end date (vii) Amount of federal funds obligated by this action by the pass-through entity to the subrecipient (viii) Total amount of federal funds obligated to the subrecipient by the pass-through entity, including the current financial obligation (ix) Total amount of the federal award committed to the subrecipient by the pass-through entity (x) Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA) (xi) Name of federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity (xii) Assistance Listing Numbers and title; the pass-through entity must identify the dollar amount made available under each federal award and the Assistance Listing Numbers at time of disbursement (xiii) Identification of whether the award is R&D (xiv) Indirect cost rate for the federal award (including if the de minimis rate is charged) per ? 200.414 Condition - The CSLFRF subrecipient agreements did not include the CSLFRF assistance Listing Number (ALN), as required per 2 CFR 200.332 (a)(1)(xii). Questioned Costs - None Identification of How Questioned Costs Were Computed - N/A Context - During the fiscal year, the City passed through CSLFRF funding to three subrecipients. The agreements with the subrecipients included a reference to the applicable regulations provided by the Treasury and all the elements outlined under 2 CFR 200.331 (a)(1) with the exception of the ALN. Cause and Effect - The City?s controls did not ensure that the subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 (a)(1). The lack of information could result in noncompliance by the subrecipient, as well as incorrect SEFA reporting. Recommendation - We recommend the City implement adequate controls to ensure subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 a)(1). Views of Responsible Officials and Planned Corrective Actions - The City has implemented a process to ensure that all subrecipient agreements contain the federal ALN, as required by 2 CFR 200.332. All subrecipient agreements will include a new exhibit as an attachment in the agreement that will include the ALN and any other required grant elements.

Assistance Listing Number, Federal Agency, and Program Name - ALN 21.027, Department of Treasury, COVID-19 Coronavirus State and Local Fiscal Recovery Fund (CSLFRF) Federal Award Identification Number and Year - N/A Pass-through Entity - N/A Finding Type - Significant deficiency and material noncompliance with laws and regulations Repeat Finding - No Criteria - Per 2 CFR 200.332 (a), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the federal award and subaward. Required information includes the following: (1) Federal award identification (i) Subrecipient name (which must match the name associated with its unique entity identifier) (ii) Subrecipient's unique entity identifier (iii) Federal Award Identification Number (FAIN) (iv) Federal award date (see the definition of federal award date in ? 200.1 of this part) of award to the recipient by the federal agency (v) Subaward period of performance start and end date (vi) Subaward budget period start and end date (vii) Amount of federal funds obligated by this action by the pass-through entity to the subrecipient (viii) Total amount of federal funds obligated to the subrecipient by the pass-through entity, including the current financial obligation (ix) Total amount of the federal award committed to the subrecipient by the pass-through entity (x) Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA) (xi) Name of federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity (xii) Assistance Listing Numbers and title; the pass-through entity must identify the dollar amount made available under each federal award and the Assistance Listing Numbers at time of disbursement (xiii) Identification of whether the award is R&D (xiv) Indirect cost rate for the federal award (including if the de minimis rate is charged) per ? 200.414 Condition - The CSLFRF subrecipient agreements did not include the CSLFRF assistance Listing Number (ALN), as required per 2 CFR 200.332 (a)(1)(xii). Questioned Costs - None Identification of How Questioned Costs Were Computed - N/A Context - During the fiscal year, the City passed through CSLFRF funding to three subrecipients. The agreements with the subrecipients included a reference to the applicable regulations provided by the Treasury and all the elements outlined under 2 CFR 200.331 (a)(1) with the exception of the ALN. Cause and Effect - The City?s controls did not ensure that the subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 (a)(1). The lack of information could result in noncompliance by the subrecipient, as well as incorrect SEFA reporting. Recommendation - We recommend the City implement adequate controls to ensure subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 a)(1). Views of Responsible Officials and Planned Corrective Actions - The City has implemented a process to ensure that all subrecipient agreements contain the federal ALN, as required by 2 CFR 200.332. All subrecipient agreements will include a new exhibit as an attachment in the agreement that will include the ALN and any other required grant elements.

Assistance Listing Number, Federal Agency, and Program Name - ALN 21.027, Department of Treasury, COVID-19 Coronavirus State and Local Fiscal Recovery Fund (CSLFRF) Federal Award Identification Number and Year - N/A Pass-through Entity - N/A Finding Type - Significant deficiency and material noncompliance with laws and regulations Repeat Finding - No Criteria - Per 2 CFR 200.332 (a), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the federal award and subaward. Required information includes the following: (1) Federal award identification (i) Subrecipient name (which must match the name associated with its unique entity identifier) (ii) Subrecipient's unique entity identifier (iii) Federal Award Identification Number (FAIN) (iv) Federal award date (see the definition of federal award date in ? 200.1 of this part) of award to the recipient by the federal agency (v) Subaward period of performance start and end date (vi) Subaward budget period start and end date (vii) Amount of federal funds obligated by this action by the pass-through entity to the subrecipient (viii) Total amount of federal funds obligated to the subrecipient by the pass-through entity, including the current financial obligation (ix) Total amount of the federal award committed to the subrecipient by the pass-through entity (x) Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA) (xi) Name of federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity (xii) Assistance Listing Numbers and title; the pass-through entity must identify the dollar amount made available under each federal award and the Assistance Listing Numbers at time of disbursement (xiii) Identification of whether the award is R&D (xiv) Indirect cost rate for the federal award (including if the de minimis rate is charged) per ? 200.414 Condition - The CSLFRF subrecipient agreements did not include the CSLFRF assistance Listing Number (ALN), as required per 2 CFR 200.332 (a)(1)(xii). Questioned Costs - None Identification of How Questioned Costs Were Computed - N/A Context - During the fiscal year, the City passed through CSLFRF funding to three subrecipients. The agreements with the subrecipients included a reference to the applicable regulations provided by the Treasury and all the elements outlined under 2 CFR 200.331 (a)(1) with the exception of the ALN. Cause and Effect - The City?s controls did not ensure that the subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 (a)(1). The lack of information could result in noncompliance by the subrecipient, as well as incorrect SEFA reporting. Recommendation - We recommend the City implement adequate controls to ensure subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 a)(1). Views of Responsible Officials and Planned Corrective Actions - The City has implemented a process to ensure that all subrecipient agreements contain the federal ALN, as required by 2 CFR 200.332. All subrecipient agreements will include a new exhibit as an attachment in the agreement that will include the ALN and any other required grant elements.

Assistance Listing Number, Federal Agency, and Program Name - ALN 21.027, Department of Treasury, COVID-19 Coronavirus State and Local Fiscal Recovery Fund (CSLFRF) Federal Award Identification Number and Year - N/A Pass-through Entity - N/A Finding Type - Significant deficiency and material noncompliance with laws and regulations Repeat Finding - No Criteria - Per 2 CFR 200.332 (a), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the federal award and subaward. Required information includes the following: (1) Federal award identification (i) Subrecipient name (which must match the name associated with its unique entity identifier) (ii) Subrecipient's unique entity identifier (iii) Federal Award Identification Number (FAIN) (iv) Federal award date (see the definition of federal award date in ? 200.1 of this part) of award to the recipient by the federal agency (v) Subaward period of performance start and end date (vi) Subaward budget period start and end date (vii) Amount of federal funds obligated by this action by the pass-through entity to the subrecipient (viii) Total amount of federal funds obligated to the subrecipient by the pass-through entity, including the current financial obligation (ix) Total amount of the federal award committed to the subrecipient by the pass-through entity (x) Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA) (xi) Name of federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity (xii) Assistance Listing Numbers and title; the pass-through entity must identify the dollar amount made available under each federal award and the Assistance Listing Numbers at time of disbursement (xiii) Identification of whether the award is R&D (xiv) Indirect cost rate for the federal award (including if the de minimis rate is charged) per ? 200.414 Condition - The CSLFRF subrecipient agreements did not include the CSLFRF assistance Listing Number (ALN), as required per 2 CFR 200.332 (a)(1)(xii). Questioned Costs - None Identification of How Questioned Costs Were Computed - N/A Context - During the fiscal year, the City passed through CSLFRF funding to three subrecipients. The agreements with the subrecipients included a reference to the applicable regulations provided by the Treasury and all the elements outlined under 2 CFR 200.331 (a)(1) with the exception of the ALN. Cause and Effect - The City?s controls did not ensure that the subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 (a)(1). The lack of information could result in noncompliance by the subrecipient, as well as incorrect SEFA reporting. Recommendation - We recommend the City implement adequate controls to ensure subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 a)(1). Views of Responsible Officials and Planned Corrective Actions - The City has implemented a process to ensure that all subrecipient agreements contain the federal ALN, as required by 2 CFR 200.332. All subrecipient agreements will include a new exhibit as an attachment in the agreement that will include the ALN and any other required grant elements.

Assistance Listing Number, Federal Agency, and Program Name - ALN 21.027, Department of Treasury, COVID-19 Coronavirus State and Local Fiscal Recovery Fund (CSLFRF) Federal Award Identification Number and Year - N/A Pass-through Entity - N/A Finding Type - Significant deficiency and material noncompliance with laws and regulations Repeat Finding - No Criteria - Per 2 CFR 200.332 (a), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the federal award and subaward. Required information includes the following: (1) Federal award identification (i) Subrecipient name (which must match the name associated with its unique entity identifier) (ii) Subrecipient's unique entity identifier (iii) Federal Award Identification Number (FAIN) (iv) Federal award date (see the definition of federal award date in ? 200.1 of this part) of award to the recipient by the federal agency (v) Subaward period of performance start and end date (vi) Subaward budget period start and end date (vii) Amount of federal funds obligated by this action by the pass-through entity to the subrecipient (viii) Total amount of federal funds obligated to the subrecipient by the pass-through entity, including the current financial obligation (ix) Total amount of the federal award committed to the subrecipient by the pass-through entity (x) Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA) (xi) Name of federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity (xii) Assistance Listing Numbers and title; the pass-through entity must identify the dollar amount made available under each federal award and the Assistance Listing Numbers at time of disbursement (xiii) Identification of whether the award is R&D (xiv) Indirect cost rate for the federal award (including if the de minimis rate is charged) per ? 200.414 Condition - The CSLFRF subrecipient agreements did not include the CSLFRF assistance Listing Number (ALN), as required per 2 CFR 200.332 (a)(1)(xii). Questioned Costs - None Identification of How Questioned Costs Were Computed - N/A Context - During the fiscal year, the City passed through CSLFRF funding to three subrecipients. The agreements with the subrecipients included a reference to the applicable regulations provided by the Treasury and all the elements outlined under 2 CFR 200.331 (a)(1) with the exception of the ALN. Cause and Effect - The City?s controls did not ensure that the subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 (a)(1). The lack of information could result in noncompliance by the subrecipient, as well as incorrect SEFA reporting. Recommendation - We recommend the City implement adequate controls to ensure subrecipient agreements included all the required elements, as outlined under 2 CFR 200.332 a)(1). Views of Responsible Officials and Planned Corrective Actions - The City has implemented a process to ensure that all subrecipient agreements contain the federal ALN, as required by 2 CFR 200.332. All subrecipient agreements will include a new exhibit as an attachment in the agreement that will include the ALN and any other required grant elements.

Program: Foster Care Federal Financial Assistance Listing Number: 93.658 Federal Grantor: U.S. Department of Health and Human Services Pass-Through: California Department of Social Services Award No. and Year: 2201CAFOST and 2022, 2101CAFOST and 2021 Compliance Requirements: Subrecipient Monitoring Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria: In accordance with Title 2 U.S. Code of Federal Regulations (CFR) 200.332, pass-through entities must comply with the following: ? 2 CFR 200.332(d)- Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include the information at 2 CFR 200.332(d)(1) through (4). ? 2 CFR 200.332(f) ? Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in 200.501. The California Department of Social Services further clarifies in its County Fiscal Letter No. 21/22 ? 115 that Foster Family Agency (FFA), Group Home, and Short Term Residential Therapeutic Programs (STRTP) are ?considered subrecipients and subject to the same audit requirements and require the same degree of oversight as other subrecipients?. Further, while there are some licensing and oversight functions performed by the state over FFAs, group homes, and STRTPs, ?counties are still ultimately responsible for review of these audits and their findings, any follow-up to ensure compliance, and any other form of monitoring and oversight required by federal and state laws and regulations.? Condition: The County did not have any formal controls or procedures in place for subrecipient monitoring for the Foster Care program. Cause: The County did not maintain procedures to monitor the activities of each subrecipient, or verify that every subrecipient is audited, as required. Effect: The County did not maintain policies and procedures to align with the Subrecipient Monitoring requirements in 2 CFR 200.332 and did not comply with subrecipient monitoring requirements related to the program. Questioned Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A nonstatistical sample of eight (8) out of 53 subrecipients were sampled, which included six (6) FFA, and two (2) STRTP types. The condition noted above was identified during our procedures related to subrecipient monitoring, and was pervasive to the program. Repeat Findings from Prior Years: No. Recommendation: We recommend that the County implement policies and procedures in accordance with 2 CFR 200.332 to ensure compliance with subrecipient monitoring requirements. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

Program: Foster Care Federal Financial Assistance Listing Number: 93.658 Federal Grantor: U.S. Department of Health and Human Services Pass-Through: California Department of Social Services Award No. and Year: 2201CAFOST and 2022, 2101CAFOST and 2021 Compliance Requirements: Subrecipient Monitoring Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria: In accordance with Title 2 U.S. Code of Federal Regulations (CFR) 200.332, pass-through entities must comply with the following: ? 2 CFR 200.332(d)- Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include the information at 2 CFR 200.332(d)(1) through (4). ? 2 CFR 200.332(f) ? Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in 200.501. The California Department of Social Services further clarifies in its County Fiscal Letter No. 21/22 ? 115 that Foster Family Agency (FFA), Group Home, and Short Term Residential Therapeutic Programs (STRTP) are ?considered subrecipients and subject to the same audit requirements and require the same degree of oversight as other subrecipients?. Further, while there are some licensing and oversight functions performed by the state over FFAs, group homes, and STRTPs, ?counties are still ultimately responsible for review of these audits and their findings, any follow-up to ensure compliance, and any other form of monitoring and oversight required by federal and state laws and regulations.? Condition: The County did not have any formal controls or procedures in place for subrecipient monitoring for the Foster Care program. Cause: The County did not maintain procedures to monitor the activities of each subrecipient, or verify that every subrecipient is audited, as required. Effect: The County did not maintain policies and procedures to align with the Subrecipient Monitoring requirements in 2 CFR 200.332 and did not comply with subrecipient monitoring requirements related to the program. Questioned Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A nonstatistical sample of eight (8) out of 53 subrecipients were sampled, which included six (6) FFA, and two (2) STRTP types. The condition noted above was identified during our procedures related to subrecipient monitoring, and was pervasive to the program. Repeat Findings from Prior Years: No. Recommendation: We recommend that the County implement policies and procedures in accordance with 2 CFR 200.332 to ensure compliance with subrecipient monitoring requirements. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

Program: Foster Care Federal Financial Assistance Listing Number: 93.658 Federal Grantor: U.S. Department of Health and Human Services Pass-Through: California Department of Social Services Award No. and Year: 2201CAFOST and 2022, 2101CAFOST and 2021 Compliance Requirements: Subrecipient Monitoring Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria: In accordance with Title 2 U.S. Code of Federal Regulations (CFR) 200.332, pass-through entities must comply with the following: ? 2 CFR 200.332(d)- Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include the information at 2 CFR 200.332(d)(1) through (4). ? 2 CFR 200.332(f) ? Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in 200.501. The California Department of Social Services further clarifies in its County Fiscal Letter No. 21/22 ? 115 that Foster Family Agency (FFA), Group Home, and Short Term Residential Therapeutic Programs (STRTP) are ?considered subrecipients and subject to the same audit requirements and require the same degree of oversight as other subrecipients?. Further, while there are some licensing and oversight functions performed by the state over FFAs, group homes, and STRTPs, ?counties are still ultimately responsible for review of these audits and their findings, any follow-up to ensure compliance, and any other form of monitoring and oversight required by federal and state laws and regulations.? Condition: The County did not have any formal controls or procedures in place for subrecipient monitoring for the Foster Care program. Cause: The County did not maintain procedures to monitor the activities of each subrecipient, or verify that every subrecipient is audited, as required. Effect: The County did not maintain policies and procedures to align with the Subrecipient Monitoring requirements in 2 CFR 200.332 and did not comply with subrecipient monitoring requirements related to the program. Questioned Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A nonstatistical sample of eight (8) out of 53 subrecipients were sampled, which included six (6) FFA, and two (2) STRTP types. The condition noted above was identified during our procedures related to subrecipient monitoring, and was pervasive to the program. Repeat Findings from Prior Years: No. Recommendation: We recommend that the County implement policies and procedures in accordance with 2 CFR 200.332 to ensure compliance with subrecipient monitoring requirements. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

Program: Foster Care Federal Financial Assistance Listing Number: 93.658 Federal Grantor: U.S. Department of Health and Human Services Pass-Through: California Department of Social Services Award No. and Year: 2201CAFOST and 2022, 2101CAFOST and 2021 Compliance Requirements: Subrecipient Monitoring Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria: In accordance with Title 2 U.S. Code of Federal Regulations (CFR) 200.332, pass-through entities must comply with the following: ? 2 CFR 200.332(d)- Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include the information at 2 CFR 200.332(d)(1) through (4). ? 2 CFR 200.332(f) ? Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in 200.501. The California Department of Social Services further clarifies in its County Fiscal Letter No. 21/22 ? 115 that Foster Family Agency (FFA), Group Home, and Short Term Residential Therapeutic Programs (STRTP) are ?considered subrecipients and subject to the same audit requirements and require the same degree of oversight as other subrecipients?. Further, while there are some licensing and oversight functions performed by the state over FFAs, group homes, and STRTPs, ?counties are still ultimately responsible for review of these audits and their findings, any follow-up to ensure compliance, and any other form of monitoring and oversight required by federal and state laws and regulations.? Condition: The County did not have any formal controls or procedures in place for subrecipient monitoring for the Foster Care program. Cause: The County did not maintain procedures to monitor the activities of each subrecipient, or verify that every subrecipient is audited, as required. Effect: The County did not maintain policies and procedures to align with the Subrecipient Monitoring requirements in 2 CFR 200.332 and did not comply with subrecipient monitoring requirements related to the program. Questioned Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A nonstatistical sample of eight (8) out of 53 subrecipients were sampled, which included six (6) FFA, and two (2) STRTP types. The condition noted above was identified during our procedures related to subrecipient monitoring, and was pervasive to the program. Repeat Findings from Prior Years: No. Recommendation: We recommend that the County implement policies and procedures in accordance with 2 CFR 200.332 to ensure compliance with subrecipient monitoring requirements. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

Program: Foster Care Federal Financial Assistance Listing Number: 93.658 Federal Grantor: U.S. Department of Health and Human Services Pass-Through: California Department of Social Services Award No. and Year: 2201CAFOST and 2022, 2101CAFOST and 2021 Compliance Requirements: Subrecipient Monitoring Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria: In accordance with Title 2 U.S. Code of Federal Regulations (CFR) 200.332, pass-through entities must comply with the following: ? 2 CFR 200.332(d)- Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include the information at 2 CFR 200.332(d)(1) through (4). ? 2 CFR 200.332(f) ? Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in 200.501. The California Department of Social Services further clarifies in its County Fiscal Letter No. 21/22 ? 115 that Foster Family Agency (FFA), Group Home, and Short Term Residential Therapeutic Programs (STRTP) are ?considered subrecipients and subject to the same audit requirements and require the same degree of oversight as other subrecipients?. Further, while there are some licensing and oversight functions performed by the state over FFAs, group homes, and STRTPs, ?counties are still ultimately responsible for review of these audits and their findings, any follow-up to ensure compliance, and any other form of monitoring and oversight required by federal and state laws and regulations.? Condition: The County did not have any formal controls or procedures in place for subrecipient monitoring for the Foster Care program. Cause: The County did not maintain procedures to monitor the activities of each subrecipient, or verify that every subrecipient is audited, as required. Effect: The County did not maintain policies and procedures to align with the Subrecipient Monitoring requirements in 2 CFR 200.332 and did not comply with subrecipient monitoring requirements related to the program. Questioned Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A nonstatistical sample of eight (8) out of 53 subrecipients were sampled, which included six (6) FFA, and two (2) STRTP types. The condition noted above was identified during our procedures related to subrecipient monitoring, and was pervasive to the program. Repeat Findings from Prior Years: No. Recommendation: We recommend that the County implement policies and procedures in accordance with 2 CFR 200.332 to ensure compliance with subrecipient monitoring requirements. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

Program: Homeland Security Grant Program Federal Financial Assistance Listing Number: 97.067 Federal Grantor: U.S. Department of Homeland Security Passed-Through: California Office of Emergency Services Award No. and Year: 2019-0035 and 2020; 2020-0095 and 2021 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control and Instance of Noncompliance Criteria: 2 CFR section 200.332(b), Requirements for Pass-Through Entities, states that all pass-through entities must evaluate each subrecipient?s risk of noncompliance with Federal statues, regulations and the terms and conditions of the subaward for purpose of determining the appropriate subrecipient monitoring. Condition: During our testing of Homeland Security Grant Program (HSGP) of the Sheriff-Coroner department?s provisions for evaluating subrecipient?s risk of noncompliance with Federal statutes, regulations and the terms and conditions of the subaward, we noted for two (2) of two (2) subrecipients selected, the required evaluation of the subrecipient?s risk of noncompliance was not documented. Further, onsite reviews were not performed. Cause: The Sheriff-Coroner department did not adhere to established policies and procedures relating to documentation of the risk assessment when a subrecipient contract is awarded. With respect to onsite reviews, these were not performed due to COVID restrictions. Effect: There is an increased risk that the monitoring procedures performed may not address the subrecipient?s risk of noncompliance. Questioned Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: The entire population of two (2) subrecipients were selected for subrecipient monitoring testing from the Sheriff-Coroner department for the Homeland Security Grant Program. Repeat Finding from Prior Years: No. Recommendation: We recommend that the Sheriff-Coroner department follow the implemented policies and procedures to ensure that the required evaluation of the subrecipient?s risk of noncompliance be documented in accordance with 2 CFR section 200.332(b). Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

Program: Homeland Security Grant Program Federal Financial Assistance Listing Number: 97.067 Federal Grantor: U.S. Department of Homeland Security Passed-Through: California Office of Emergency Services Award No. and Year: 2019-0035 and 2020; 2020-0095 and 2021 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control and Instance of Noncompliance Criteria: 2 CFR section 200.332(b), Requirements for Pass-Through Entities, states that all pass-through entities must evaluate each subrecipient?s risk of noncompliance with Federal statues, regulations and the terms and conditions of the subaward for purpose of determining the appropriate subrecipient monitoring. Condition: During our testing of Homeland Security Grant Program (HSGP) of the Sheriff-Coroner department?s provisions for evaluating subrecipient?s risk of noncompliance with Federal statutes, regulations and the terms and conditions of the subaward, we noted for two (2) of two (2) subrecipients selected, the required evaluation of the subrecipient?s risk of noncompliance was not documented. Further, onsite reviews were not performed. Cause: The Sheriff-Coroner department did not adhere to established policies and procedures relating to documentation of the risk assessment when a subrecipient contract is awarded. With respect to onsite reviews, these were not performed due to COVID restrictions. Effect: There is an increased risk that the monitoring procedures performed may not address the subrecipient?s risk of noncompliance. Questioned Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: The entire population of two (2) subrecipients were selected for subrecipient monitoring testing from the Sheriff-Coroner department for the Homeland Security Grant Program. Repeat Finding from Prior Years: No. Recommendation: We recommend that the Sheriff-Coroner department follow the implemented policies and procedures to ensure that the required evaluation of the subrecipient?s risk of noncompliance be documented in accordance with 2 CFR section 200.332(b). Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

Program: Homeland Security Grant Program Federal Financial Assistance Listing Number: 97.067 Federal Grantor: U.S. Department of Homeland Security Passed-Through: California Office of Emergency Services Award No. and Year: 2019-0035 and 2020; 2020-0095 and 2021 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control and Instance of Noncompliance Criteria: 2 CFR section 200.332(b), Requirements for Pass-Through Entities, states that all pass-through entities must evaluate each subrecipient?s risk of noncompliance with Federal statues, regulations and the terms and conditions of the subaward for purpose of determining the appropriate subrecipient monitoring. Condition: During our testing of Homeland Security Grant Program (HSGP) of the Sheriff-Coroner department?s provisions for evaluating subrecipient?s risk of noncompliance with Federal statutes, regulations and the terms and conditions of the subaward, we noted for two (2) of two (2) subrecipients selected, the required evaluation of the subrecipient?s risk of noncompliance was not documented. Further, onsite reviews were not performed. Cause: The Sheriff-Coroner department did not adhere to established policies and procedures relating to documentation of the risk assessment when a subrecipient contract is awarded. With respect to onsite reviews, these were not performed due to COVID restrictions. Effect: There is an increased risk that the monitoring procedures performed may not address the subrecipient?s risk of noncompliance. Questioned Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: The entire population of two (2) subrecipients were selected for subrecipient monitoring testing from the Sheriff-Coroner department for the Homeland Security Grant Program. Repeat Finding from Prior Years: No. Recommendation: We recommend that the Sheriff-Coroner department follow the implemented policies and procedures to ensure that the required evaluation of the subrecipient?s risk of noncompliance be documented in accordance with 2 CFR section 200.332(b). Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

Program: Homeland Security Grant Program Federal Financial Assistance Listing Number: 97.067 Federal Grantor: U.S. Department of Homeland Security Passed-Through: California Office of Emergency Services Award No. and Year: 2019-0035 and 2020; 2020-0095 and 2021 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control and Instance of Noncompliance Criteria: 2 CFR section 200.332(b), Requirements for Pass-Through Entities, states that all pass-through entities must evaluate each subrecipient?s risk of noncompliance with Federal statues, regulations and the terms and conditions of the subaward for purpose of determining the appropriate subrecipient monitoring. Condition: During our testing of Homeland Security Grant Program (HSGP) of the Sheriff-Coroner department?s provisions for evaluating subrecipient?s risk of noncompliance with Federal statutes, regulations and the terms and conditions of the subaward, we noted for two (2) of two (2) subrecipients selected, the required evaluation of the subrecipient?s risk of noncompliance was not documented. Further, onsite reviews were not performed. Cause: The Sheriff-Coroner department did not adhere to established policies and procedures relating to documentation of the risk assessment when a subrecipient contract is awarded. With respect to onsite reviews, these were not performed due to COVID restrictions. Effect: There is an increased risk that the monitoring procedures performed may not address the subrecipient?s risk of noncompliance. Questioned Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: The entire population of two (2) subrecipients were selected for subrecipient monitoring testing from the Sheriff-Coroner department for the Homeland Security Grant Program. Repeat Finding from Prior Years: No. Recommendation: We recommend that the Sheriff-Coroner department follow the implemented policies and procedures to ensure that the required evaluation of the subrecipient?s risk of noncompliance be documented in accordance with 2 CFR section 200.332(b). Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

Program: Homeland Security Grant Program Federal Financial Assistance Listing Number: 97.067 Federal Grantor: U.S. Department of Homeland Security Passed-Through: California Office of Emergency Services Award No. and Year: 2019-0035 and 2020; 2020-0095 and 2021 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control and Instance of Noncompliance Criteria: 2 CFR section 200.332(b), Requirements for Pass-Through Entities, states that all pass-through entities must evaluate each subrecipient?s risk of noncompliance with Federal statues, regulations and the terms and conditions of the subaward for purpose of determining the appropriate subrecipient monitoring. Condition: During our testing of Homeland Security Grant Program (HSGP) of the Sheriff-Coroner department?s provisions for evaluating subrecipient?s risk of noncompliance with Federal statutes, regulations and the terms and conditions of the subaward, we noted for two (2) of two (2) subrecipients selected, the required evaluation of the subrecipient?s risk of noncompliance was not documented. Further, onsite reviews were not performed. Cause: The Sheriff-Coroner department did not adhere to established policies and procedures relating to documentation of the risk assessment when a subrecipient contract is awarded. With respect to onsite reviews, these were not performed due to COVID restrictions. Effect: There is an increased risk that the monitoring procedures performed may not address the subrecipient?s risk of noncompliance. Questioned Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: The entire population of two (2) subrecipients were selected for subrecipient monitoring testing from the Sheriff-Coroner department for the Homeland Security Grant Program. Repeat Finding from Prior Years: No. Recommendation: We recommend that the Sheriff-Coroner department follow the implemented policies and procedures to ensure that the required evaluation of the subrecipient?s risk of noncompliance be documented in accordance with 2 CFR section 200.332(b). Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

Finding Reference Number: 2022-018 NH Department of Health and Human Services Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) and COVID-19 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) (Assistance Listing #93.323) Federal Award Numbers: NUK50CK000522 Federal Award Year: 2019 U.S. Department of Health and Human Services Compliance Requirement: Subrecipient Monitoring Type of Finding: Material Weakness and Material Noncompliance Prior Year Finding: 2021-021 Statistically Valid Sample: No Criteria A pass-through entity (PTE) must: 1. Identify the Award and Applicable Requirements ? Clearly identify to the subrecipient: (1) the award as a subaward at the time of subaward (or subsequent subaward modification) by providing the information described in 2 CFR section 200.332(a)(1); (2) all requirements imposed by the PTE on the subrecipient so that the federal award is used in accordance with federal statutes, regulations, and the terms and conditions of the award (2 CFR section 200.332(a)(2)); and (3) any additional requirements that the PTE imposes on the subrecipient in order for the PTE to meet its own responsibility for the federal award (e.g., financial, performance, and special reports) (2 CFR section 200.332(a)(3)). 2. Evaluate Risk ? Evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward (2 CFR section 200.332(b)). 3. Monitor ? Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals (2 CFR sections 200.332(d) through (f)). In addition to procedures identified as necessary based upon the evaluation of subrecipient risk or specifically required by the terms and conditions of the award, subaward monitoring must include the following: a. Reviewing financial and programmatic (performance and special reports) required by the PTE. b. Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the PTE detected through audits, on-site reviews, and other means. c. Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the PTE as required by 2 CFR section 200.521. 4. Ensure Accountability of For-Profit Subrecipients ? Some federal awards may be passed through to for-profit entities. For-profit subrecipients are accountable to the PTE for the use of the federal funds provided. Because 2 CFR Part 200 does not make Subpart F applicable to for-profit subrecipients, the PTE is responsible for establishing requirements, as necessary, to ensure compliance by for-profit subrecipients for the subaward. The agreement with the for-profit subrecipient must describe applicable compliance requirements and the for-profit subrecipient's compliance responsibility. Methods to ensure compliance for federal awards made to for-profit subrecipients may include pre-award audits, monitoring during the agreement, and post-award audits (2 CFR section 200.501(h)). Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award Condition During the year ended June 30, 2022, the New Hampshire Department of Health and Human Services (the Department) passed through $5,070,789 of federal funding to 56 subrecipients, both for-profit and non-profit. As part of our testing related subrecipient monitoring, we noted the following: A. The Department communicates award information to subrecipients through the approved agreement. Per review of the agreement, for 14 of 14 subrecipients selected for testwork, the Department did not communicate all the required award information as outlined in 2 CFR section 200.332(a). Specifically, one or all of the following elements were not communicated: - Subrecipient unique entity identifier; - Federal award date; - Name of the federal awarding agency, pass-through entity, and contact information for the awarding official of the pass-through entity; - Identification of whether the award is R&D; and - Indirect cost rate for the federal award B. The Department was unable to provide documentation to support it had evaluated subrecipient risk of noncompliance for all subrecipients for purposes of determining the appropriate subrecipient monitoring related to subawards. C. The Department did not perform any during the award monitoring over the programs subrecipients. D. The Department passed through federal funding to for-profit subrecipients. These subrecipients are not subject to 2 CFR 200 Subpart F and as such, no review over the uniform guidance audit report is performed by the Department. The Department was unable to provide documentation to support it had performed procedures to ensure compliance with the subrecipient agreement in accordance with 2 CFR section 200.501(h). Cause The cause of the condition found was primarily due to a lack of formal policies and internal controls to ensure that all required subrecipient monitoring compliance procedures are being performed by the Department. Effect The effect of the condition found is that the Department did not comply with 2 CFR section 200.332(a - h) and 2 CFR section 200.501(h). Questioned Costs None. Recommendation We recommend the Department develop policies and procedures and implement internal controls to ensure that the Department complies with 2 CFR section 200.332(a-h) and 2 CFR section 200.501(h). View of Responsible Officials The Department will review its Sub-recipient Monitoring Policy and assess compliance across the Department. It is important to note that between April 2020 and June 2022 the Department was involved in the State?s strategic response to the COVID-19 pandemic. During this time, New Hampshire was under a state of emergency (Executive Order 2020-04), processes were rapidly converted to fully digital overnight, the State?s standard approval processes were suspended and non-standard templates were utilized to respond to the COVID-19 pandemic. The Department worked with other State Departments and the National Guard to create a record number of amendments, contracts, and other agreements (approximately 200% more than standard). The Department is in the process of instituting a new contract life cycle management solution that will utilize conditional logic to include the required notifications for agreements involving federal funds in order to ensure compliance. Implementation is anticipated to be complete in July 2023. As the COVID-19 pandemic strategic response has wound down, the Department has not suspended its regular standard approval or subrecipient risk assessment and monitoring processes and has not used non-standard templates to award federal funding. The Financial Compliance Unit (FCU) will continue to work with the Business System Analyst of the Cost Allocation Unit in determining the amount of Federal payments made to the vendors. The FCU receives a vendor payment list on a quarterly basis that includes the total amount of Federal funds that were paid to all contracted agencies. We will continue to closely monitor the FAC to obtain all copies of the Single Audits pertaining to the DHHS agencies. In addition, we will devise a spreadsheet that will list all contracts that have been awarded Federal funds and cross check these agencies to vendor payment list. The DHHS updated the policy on risk assessment on November 16, 2020 to ensure that all contracts have a risk assessment performed regardless of funding source. We also have added verbiage in the contracts effective for contracts that begin after November 2021. It states any Contractor that receives an amount equal to or greater than $250,000 from the Department during a single fiscal year, regardless of the funding source, may be required, at a minimum, to submit annual financial audits performed by an independent CPA if the Department?s risk assessment determination indicates the Contractor is high-risk. Finally, effective for any new procurement subsequent to March 2022, all back-up documentation must accompany the invoices and be submitted on a monthly basis. Anticipated Completion Date: July 2023 Contact Person: Melissa Kelleher, Grants Administrator, Ann Driscoll, Financial Compliance Unit

Finding Reference Number: 2022-018 NH Department of Health and Human Services Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) and COVID-19 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) (Assistance Listing #93.323) Federal Award Numbers: NUK50CK000522 Federal Award Year: 2019 U.S. Department of Health and Human Services Compliance Requirement: Subrecipient Monitoring Type of Finding: Material Weakness and Material Noncompliance Prior Year Finding: 2021-021 Statistically Valid Sample: No Criteria A pass-through entity (PTE) must: 1. Identify the Award and Applicable Requirements ? Clearly identify to the subrecipient: (1) the award as a subaward at the time of subaward (or subsequent subaward modification) by providing the information described in 2 CFR section 200.332(a)(1); (2) all requirements imposed by the PTE on the subrecipient so that the federal award is used in accordance with federal statutes, regulations, and the terms and conditions of the award (2 CFR section 200.332(a)(2)); and (3) any additional requirements that the PTE imposes on the subrecipient in order for the PTE to meet its own responsibility for the federal award (e.g., financial, performance, and special reports) (2 CFR section 200.332(a)(3)). 2. Evaluate Risk ? Evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward (2 CFR section 200.332(b)). 3. Monitor ? Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals (2 CFR sections 200.332(d) through (f)). In addition to procedures identified as necessary based upon the evaluation of subrecipient risk or specifically required by the terms and conditions of the award, subaward monitoring must include the following: a. Reviewing financial and programmatic (performance and special reports) required by the PTE. b. Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the PTE detected through audits, on-site reviews, and other means. c. Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the PTE as required by 2 CFR section 200.521. 4. Ensure Accountability of For-Profit Subrecipients ? Some federal awards may be passed through to for-profit entities. For-profit subrecipients are accountable to the PTE for the use of the federal funds provided. Because 2 CFR Part 200 does not make Subpart F applicable to for-profit subrecipients, the PTE is responsible for establishing requirements, as necessary, to ensure compliance by for-profit subrecipients for the subaward. The agreement with the for-profit subrecipient must describe applicable compliance requirements and the for-profit subrecipient's compliance responsibility. Methods to ensure compliance for federal awards made to for-profit subrecipients may include pre-award audits, monitoring during the agreement, and post-award audits (2 CFR section 200.501(h)). Additionally, 45 CFR section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award Condition During the year ended June 30, 2022, the New Hampshire Department of Health and Human Services (the Department) passed through $5,070,789 of federal funding to 56 subrecipients, both for-profit and non-profit. As part of our testing related subrecipient monitoring, we noted the following: A. The Department communicates award information to subrecipients through the approved agreement. Per review of the agreement, for 14 of 14 subrecipients selected for testwork, the Department did not communicate all the required award information as outlined in 2 CFR section 200.332(a). Specifically, one or all of the following elements were not communicated: - Subrecipient unique entity identifier; - Federal award date; - Name of the federal awarding agency, pass-through entity, and contact information for the awarding official of the pass-through entity; - Identification of whether the award is R&D; and - Indirect cost rate for the federal award B. The Department was unable to provide documentation to support it had evaluated subrecipient risk of noncompliance for all subrecipients for purposes of determining the appropriate subrecipient monitoring related to subawards. C. The Department did not perform any during the award monitoring over the programs subrecipients. D. The Department passed through federal funding to for-profit subrecipients. These subrecipients are not subject to 2 CFR 200 Subpart F and as such, no review over the uniform guidance audit report is performed by the Department. The Department was unable to provide documentation to support it had performed procedures to ensure compliance with the subrecipient agreement in accordance with 2 CFR section 200.501(h). Cause The cause of the condition found was primarily due to a lack of formal policies and internal controls to ensure that all required subrecipient monitoring compliance procedures are being performed by the Department. Effect The effect of the condition found is that the Department did not comply with 2 CFR section 200.332(a - h) and 2 CFR section 200.501(h). Questioned Costs None. Recommendation We recommend the Department develop policies and procedures and implement internal controls to ensure that the Department complies with 2 CFR section 200.332(a-h) and 2 CFR section 200.501(h). View of Responsible Officials The Department will review its Sub-recipient Monitoring Policy and assess compliance across the Department. It is important to note that between April 2020 and June 2022 the Department was involved in the State?s strategic response to the COVID-19 pandemic. During this time, New Hampshire was under a state of emergency (Executive Order 2020-04), processes were rapidly converted to fully digital overnight, the State?s standard approval processes were suspended and non-standard templates were utilized to respond to the COVID-19 pandemic. The Department worked with other State Departments and the National Guard to create a record number of amendments, contracts, and other agreements (approximately 200% more than standard). The Department is in the process of instituting a new contract life cycle management solution that will utilize conditional logic to include the required notifications for agreements involving federal funds in order to ensure compliance. Implementation is anticipated to be complete in July 2023. As the COVID-19 pandemic strategic response has wound down, the Department has not suspended its regular standard approval or subrecipient risk assessment and monitoring processes and has not used non-standard templates to award federal funding. The Financial Compliance Unit (FCU) will continue to work with the Business System Analyst of the Cost Allocation Unit in determining the amount of Federal payments made to the vendors. The FCU receives a vendor payment list on a quarterly basis that includes the total amount of Federal funds that were paid to all contracted agencies. We will continue to closely monitor the FAC to obtain all copies of the Single Audits pertaining to the DHHS agencies. In addition, we will devise a spreadsheet that will list all contracts that have been awarded Federal funds and cross check these agencies to vendor payment list. The DHHS updated the policy on risk assessment on November 16, 2020 to ensure that all contracts have a risk assessment performed regardless of funding source. We also have added verbiage in the contracts effective for contracts that begin after November 2021. It states any Contractor that receives an amount equal to or greater than $250,000 from the Department during a single fiscal year, regardless of the funding source, may be required, at a minimum, to submit annual financial audits performed by an independent CPA if the Department?s risk assessment determination indicates the Contractor is high-risk. Finally, effective for any new procurement subsequent to March 2022, all back-up documentation must accompany the invoices and be submitted on a monthly basis. Anticipated Completion Date: July 2023 Contact Person: Melissa Kelleher, Grants Administrator, Ann Driscoll, Financial Compliance Unit

Finding Reference Number: 2022-021 NH Department of Health and Human Services Temporary Assistance for Needy Families and COVID-19 Temporary Assistance for Needy Families (Assistance Listing #93.558) Federal Award Numbers: 2021G996115, 2021G990228, 2022G996115 Federal Award Year: 2021, 2022 U.S. Department of Health and Human Services Compliance Requirement: Subrecipient Monitoring Type of Finding: Material Weakness and Material Noncompliance Prior Year Finding: NA Statistically Valid Sample: No Criteria5 A pass-through entity must: 1. Clearly identify to the subrecipient required award information and applicable requirements described in 2 CFR section 200.332(a); 2. Evaluate each subrecipient?s risk of noncompliance for the purposes of determining the appropriate subrecipient monitoring related to the subaward (2 CFR section 300.332(b)); 3. Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals (2 CFR sections 200.332(d) through (f). In addition to procedures identified as necessary based upon the evaluation of subrecipient risk or specifically required through the terms and conditions of the award, subaward monitoring must include following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means; and 4. Issuing a management decision for audit findings pertaining to federal award provided to the subrecipient from the subrecipient as required by 2 CFR section 200.521. Additionally, per 2 CFR section 200.303, non-federal entities must establish and maintain effective internal control over federal awards that provide reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Condition As part of the Temporary Assistance for Needy Families program (TANF), the New Hampshire Department of Health and Human Services (the Department) enters into grant agreements with local entities to provide services to support eligible participants. During the year ended June 30, 2022, the Department passed through $3,307,974 to subrecipients. As part of our testwork over the subrecipient monitoring process, we noted the following: A. For 1 of 7 subrecipients selected for testwork, per review of the grant agreement, we noted that the agreement did not contain any funding to be paid under the TANF program and should not have been identified as a TANF subrecipient. The total amount paid to the entity was $13,530. B. The Department communicates award information to subrecipients through the approved grant agreement. Per review of the grant agreement, for 4 of the remaining 6 subrecipients selected for testwork, the Department did not communicate all the required award information as outlined in 2 CFR section 200.332. Specifically, the following elements were not communicated: a. The subrecipient?s unique identifier was not communicated for 1 of the remaining 6 subrecipients selected for testwork b. Indirect cost rate for federal awards (including if the deminimus rate is charged per 2 CFR section 200.414) was not communicated for 2 of the remaining 6 subrecipients selected for testwork c. Identification of whether the award is R&D was not communicated for 4 of the remaining 6 subrecipients selected for testwork. C. The Department did not perform a risk assessment for all subrecipients selected for testwork. As a result, it is unclear if any additional targeted subrecipient monitoring should have been performed. D. For 1 of the remaining 6 subrecipients selected for testwork, there was no evidence that a programmatic monitoring review was completed for the subrecipient as required by their subrecipient monitoring policy. As there was no risk assessment performed for the subrecipient, it was unclear as to whether a programmatic monitoring visit should have been performed. Cause The cause of the condition found is primarily due to insufficient internal controls and procedures to ensure that federal reimbursement of expenditures are only disbursed to entities that have an approved subrecipient grant agreement. In addition, there are insufficient internal controls and procedures to ensure that award identification information is properly communicated with grant agreements and that risk assessments are performed to ensure sufficient during the awarded monitoring is performed over all subrecipients. Effect The effect of the condition found is that the Department did not comply with 2 CFR section 200.332(a), section 200.332(b), CFR section 200.521 and 2 CFR sections 200.332(d) through (f). Questioned Costs $13,530 ? the amount in bullet A above. Recommendation We recommend that the Department review its existing internal controls, policies, and procedures to ensure that the Department complies with the provisions of 2 CFR section 200.332(a), 2 CFR section 200.332(b), 2 CFR sections 200.332(d) through (f), and 2 CFR section 200.251. This would include ensuring that: 1. The Department has an approved subrecipient grant agreement prior to making any disbursements to an entity; 2. All required award information is communicated to subrecipients; 3. A documented risk assessment is performed over all subrecipients, and the results of that risk assessment is used to evaluate the types of monitoring procedures that will be performed over the subrecipient; and 4. As a result of the risk assessment performed, monitoring activities are performed over subrecipients to ensure compliance with the terms and conditions of its subrecipient grant agreement. View of Responsible Officials A. We concur with this finding. The Department utilized an internally available copy of the Management Log, which lists vendor?s determinations. This is a copy of the log, not the original, official copy. There is a delay in updating this copy from the original, and incorrect information had been initially entered. The Department is moving this log to software which allows all Department employees to view the same log, while limiting the number of individuals who have access to make changes. Implementation has been completed as of March 2023. B. We concur with this finding. However, we believe this was an isolated incident as the TANF CFDA number (93.558) used was very similar to correct CFDA number (93.778) that should have been documented. C. 200.332 requirements a. We do not concur with this finding. The contract for Mt Prospect became effective 8/4/21, prior to the 4/22 inception of the UEI. The DUNS number, as in effect at that time, is noticed in Exhibit J of the contract. b. We concur with three of the four findings. Two of the four contracts pre-date the template update requiring the notice an indirect cost rate. Indirect cost rate for federal awards (including if the de minimis rate is charged per 2 CFR section 200.414) were added to Exhibit C of the Department?s contracts in April 2020. One of the contracts did not indicate an indirect cost rate as required. One of the contracts notes the indirect cost rate in the Notes of their financial details. c. One of the two contracts pre-dates the template update requiring the notice the identification of R&D. R&D identifications for federal awards were added to Exhibit C of the Department?s contracts in April 2020 One of the two contracts did not identify whether the contract was R&D as required. D. Subrecipient Risk Assessment ? We concur with the finding. We consider the finding to be fully resolved through Department policy Department policy and Department wide implementation. However, it should be noted full compliance will not be achieved for one to two contact cycles due to timing. The Department began addressing the issue of Subrecipient Monitoring issue in June 2017 when the first Grants Administrator was hired. The Department finalized the Subrecipient Monitoring Policy, which encompasses the financial and programmatic risk assessments as well as the subrecipient monitoring, on June 1, 2018. The Department provided user training on the subject in February and September 2018, training over one hundred forty-six staff. However, only brand new procurements utilized this policy during the initial roll out of this policy. The Department hired a new Grants Administrator in May 2019. The full Subrecipient Monitoring policy rolled out to all procurements, including sole source, amendments, and renewals, effective August 1, 2020. The Contracts Unit received specialized subrecipient monitoring training on May 13 and October 28, 2020. Department wide training to all staff occurred weekly between September 8 and November 3, 2020. The Grants Office provided additional targeted training to Program staff through team meetings. Over one hundred fifty Program and Finance staff received training. Annual training will be held in September each year. Refresher training or training for new staff is available upon request from the Grants Office. The Grants Office website offers Program, Finance, and Contracts Bureau staff access to the subrecipient monitoring policy, as well as training modules, slides, and tools. The training has also been recorded and is available on this site. The Subrecipient Monitoring Policy requires Program to determine whether any vendor which receives funds in exchange for goods or services is a Contractor or Subrecipient. Determined subrecipients receive a Management Questionnaire, which includes a ten question questionnaire and requirements for submitting financial data. This information is used to populate the Risk Assessment Tool, which shows any risks pertinent to a subrecipient and the subaward. Based on the risks shown, Program chooses monitoring activities to mitigate the risks and the Contracts Bureau memorializes these choices in the contract. The Grants Office continues to work closely with the Contracts Bureau to ensure compliance with the Subrecipient Monitoring policy. C. and D. It is also important to note that between April 2020 and June 2022 the Department was involved in the State?s strategic response to the COVID-19 pandemic. During this time, New Hampshire was under a state of emergency (Executive Order 2020-04), processes were rapidly converted to fully digital overnight, the State?s standard approval processes were suspended and non-standard templates, which did not include the required notifications under 200.332, were utilized to respond to the COVID-19 pandemic. The Department worked with other State Departments and the National Guard to create a record number of amendments, contracts, and other agreements (approximately 200% more than standard). The Department is in the process of instituting a new contract life cycle management solution that will utilize conditional logic to include the required notifications for agreements involving federal funds in order to ensure compliance. Implementation is anticipated to be complete in July 2023. As the COVID-19 pandemic strategic response has wound down, the Department has not suspended its regular standard approval or subrecipient risk assessment and monitoring processes and has not used non-standard templates to award federal funding. E. We concur there was no formal documentation of any monitoring activity. Due to staff turnover a new administrator has been hired and unable to furnish the monitoring that took place during FY22. However, a program site review during FY23 was performed and financial monitoring of invoices has also taken place. Anticipated Completion Date: July, 2023 Contact Person: Melissa Kelleher, Administrator Rejoinder As documented above in Bullet B of the condition found, the Department did not properly communicate all required award information to the subrecipient. Once aware of the noncompliance, the Department should have timely communicated this information to its subrecipients.

Finding Reference Number: 2022-021 NH Department of Health and Human Services Temporary Assistance for Needy Families and COVID-19 Temporary Assistance for Needy Families (Assistance Listing #93.558) Federal Award Numbers: 2021G996115, 2021G990228, 2022G996115 Federal Award Year: 2021, 2022 U.S. Department of Health and Human Services Compliance Requirement: Subrecipient Monitoring Type of Finding: Material Weakness and Material Noncompliance Prior Year Finding: NA Statistically Valid Sample: No Criteria5 A pass-through entity must: 1. Clearly identify to the subrecipient required award information and applicable requirements described in 2 CFR section 200.332(a); 2. Evaluate each subrecipient?s risk of noncompliance for the purposes of determining the appropriate subrecipient monitoring related to the subaward (2 CFR section 300.332(b)); 3. Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals (2 CFR sections 200.332(d) through (f). In addition to procedures identified as necessary based upon the evaluation of subrecipient risk or specifically required through the terms and conditions of the award, subaward monitoring must include following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means; and 4. Issuing a management decision for audit findings pertaining to federal award provided to the subrecipient from the subrecipient as required by 2 CFR section 200.521. Additionally, per 2 CFR section 200.303, non-federal entities must establish and maintain effective internal control over federal awards that provide reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Condition As part of the Temporary Assistance for Needy Families program (TANF), the New Hampshire Department of Health and Human Services (the Department) enters into grant agreements with local entities to provide services to support eligible participants. During the year ended June 30, 2022, the Department passed through $3,307,974 to subrecipients. As part of our testwork over the subrecipient monitoring process, we noted the following: A. For 1 of 7 subrecipients selected for testwork, per review of the grant agreement, we noted that the agreement did not contain any funding to be paid under the TANF program and should not have been identified as a TANF subrecipient. The total amount paid to the entity was $13,530. B. The Department communicates award information to subrecipients through the approved grant agreement. Per review of the grant agreement, for 4 of the remaining 6 subrecipients selected for testwork, the Department did not communicate all the required award information as outlined in 2 CFR section 200.332. Specifically, the following elements were not communicated: a. The subrecipient?s unique identifier was not communicated for 1 of the remaining 6 subrecipients selected for testwork b. Indirect cost rate for federal awards (including if the deminimus rate is charged per 2 CFR section 200.414) was not communicated for 2 of the remaining 6 subrecipients selected for testwork c. Identification of whether the award is R&D was not communicated for 4 of the remaining 6 subrecipients selected for testwork. C. The Department did not perform a risk assessment for all subrecipients selected for testwork. As a result, it is unclear if any additional targeted subrecipient monitoring should have been performed. D. For 1 of the remaining 6 subrecipients selected for testwork, there was no evidence that a programmatic monitoring review was completed for the subrecipient as required by their subrecipient monitoring policy. As there was no risk assessment performed for the subrecipient, it was unclear as to whether a programmatic monitoring visit should have been performed. Cause The cause of the condition found is primarily due to insufficient internal controls and procedures to ensure that federal reimbursement of expenditures are only disbursed to entities that have an approved subrecipient grant agreement. In addition, there are insufficient internal controls and procedures to ensure that award identification information is properly communicated with grant agreements and that risk assessments are performed to ensure sufficient during the awarded monitoring is performed over all subrecipients. Effect The effect of the condition found is that the Department did not comply with 2 CFR section 200.332(a), section 200.332(b), CFR section 200.521 and 2 CFR sections 200.332(d) through (f). Questioned Costs $13,530 ? the amount in bullet A above. Recommendation We recommend that the Department review its existing internal controls, policies, and procedures to ensure that the Department complies with the provisions of 2 CFR section 200.332(a), 2 CFR section 200.332(b), 2 CFR sections 200.332(d) through (f), and 2 CFR section 200.251. This would include ensuring that: 1. The Department has an approved subrecipient grant agreement prior to making any disbursements to an entity; 2. All required award information is communicated to subrecipients; 3. A documented risk assessment is performed over all subrecipients, and the results of that risk assessment is used to evaluate the types of monitoring procedures that will be performed over the subrecipient; and 4. As a result of the risk assessment performed, monitoring activities are performed over subrecipients to ensure compliance with the terms and conditions of its subrecipient grant agreement. View of Responsible Officials A. We concur with this finding. The Department utilized an internally available copy of the Management Log, which lists vendor?s determinations. This is a copy of the log, not the original, official copy. There is a delay in updating this copy from the original, and incorrect information had been initially entered. The Department is moving this log to software which allows all Department employees to view the same log, while limiting the number of individuals who have access to make changes. Implementation has been completed as of March 2023. B. We concur with this finding. However, we believe this was an isolated incident as the TANF CFDA number (93.558) used was very similar to correct CFDA number (93.778) that should have been documented. C. 200.332 requirements a. We do not concur with this finding. The contract for Mt Prospect became effective 8/4/21, prior to the 4/22 inception of the UEI. The DUNS number, as in effect at that time, is noticed in Exhibit J of the contract. b. We concur with three of the four findings. Two of the four contracts pre-date the template update requiring the notice an indirect cost rate. Indirect cost rate for federal awards (including if the de minimis rate is charged per 2 CFR section 200.414) were added to Exhibit C of the Department?s contracts in April 2020. One of the contracts did not indicate an indirect cost rate as required. One of the contracts notes the indirect cost rate in the Notes of their financial details. c. One of the two contracts pre-dates the template update requiring the notice the identification of R&D. R&D identifications for federal awards were added to Exhibit C of the Department?s contracts in April 2020 One of the two contracts did not identify whether the contract was R&D as required. D. Subrecipient Risk Assessment ? We concur with the finding. We consider the finding to be fully resolved through Department policy Department policy and Department wide implementation. However, it should be noted full compliance will not be achieved for one to two contact cycles due to timing. The Department began addressing the issue of Subrecipient Monitoring issue in June 2017 when the first Grants Administrator was hired. The Department finalized the Subrecipient Monitoring Policy, which encompasses the financial and programmatic risk assessments as well as the subrecipient monitoring, on June 1, 2018. The Department provided user training on the subject in February and September 2018, training over one hundred forty-six staff. However, only brand new procurements utilized this policy during the initial roll out of this policy. The Department hired a new Grants Administrator in May 2019. The full Subrecipient Monitoring policy rolled out to all procurements, including sole source, amendments, and renewals, effective August 1, 2020. The Contracts Unit received specialized subrecipient monitoring training on May 13 and October 28, 2020. Department wide training to all staff occurred weekly between September 8 and November 3, 2020. The Grants Office provided additional targeted training to Program staff through team meetings. Over one hundred fifty Program and Finance staff received training. Annual training will be held in September each year. Refresher training or training for new staff is available upon request from the Grants Office. The Grants Office website offers Program, Finance, and Contracts Bureau staff access to the subrecipient monitoring policy, as well as training modules, slides, and tools. The training has also been recorded and is available on this site. The Subrecipient Monitoring Policy requires Program to determine whether any vendor which receives funds in exchange for goods or services is a Contractor or Subrecipient. Determined subrecipients receive a Management Questionnaire, which includes a ten question questionnaire and requirements for submitting financial data. This information is used to populate the Risk Assessment Tool, which shows any risks pertinent to a subrecipient and the subaward. Based on the risks shown, Program chooses monitoring activities to mitigate the risks and the Contracts Bureau memorializes these choices in the contract. The Grants Office continues to work closely with the Contracts Bureau to ensure compliance with the Subrecipient Monitoring policy. C. and D. It is also important to note that between April 2020 and June 2022 the Department was involved in the State?s strategic response to the COVID-19 pandemic. During this time, New Hampshire was under a state of emergency (Executive Order 2020-04), processes were rapidly converted to fully digital overnight, the State?s standard approval processes were suspended and non-standard templates, which did not include the required notifications under 200.332, were utilized to respond to the COVID-19 pandemic. The Department worked with other State Departments and the National Guard to create a record number of amendments, contracts, and other agreements (approximately 200% more than standard). The Department is in the process of instituting a new contract life cycle management solution that will utilize conditional logic to include the required notifications for agreements involving federal funds in order to ensure compliance. Implementation is anticipated to be complete in July 2023. As the COVID-19 pandemic strategic response has wound down, the Department has not suspended its regular standard approval or subrecipient risk assessment and monitoring processes and has not used non-standard templates to award federal funding. E. We concur there was no formal documentation of any monitoring activity. Due to staff turnover a new administrator has been hired and unable to furnish the monitoring that took place during FY22. However, a program site review during FY23 was performed and financial monitoring of invoices has also taken place. Anticipated Completion Date: July, 2023 Contact Person: Melissa Kelleher, Administrator Rejoinder As documented above in Bullet B of the condition found, the Department did not properly communicate all required award information to the subrecipient. Once aware of the noncompliance, the Department should have timely communicated this information to its subrecipients.

Finding Reference Number: 2022-025 NH Department of Energy Low Income Home Energy Assistance and COVID-19 Low Income Home Energy Assistance (Assistance Listing #93.568) Federal Award Numbers: 2001NHLEA, 2001NHLIE4, 2001NH5C3, 2101NHLIEA, 2101NHE5C6, 2201NHLIEA, 2101NHLIE4 Federal Award Year: 2020, 2021, 2022 U.S. Department of Health and Human Services Compliance Requirement: Subrecipient Monitoring Type of Finding: Material Weakness and Material Noncompliance Prior Year Finding: 2021-027 Statistically Valid Sample: No Criteria A pass-through entity must: 1. Clearly identify to the subrecipient required award information and applicable requirements described in 2 CFR section 200.332(a); 2. Evaluate each subrecipient?s risk of noncompliance for the purposes of determining the appropriate subrecipient monitoring related to the subaward (2 CFR section 300.332(b)); 3. Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals (2 CFR sections 200.332(d) through (f). In addition to procedures identified as necessary based upon the evaluation of subrecipient risk or specifically required through the terms and conditions of the award, subaward monitoring must include following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means; and 4. Issuing a management decision for audit findings pertaining to federal award provided to the subrecipient from the subrecipient as required by 2 CFR section 200.521. Additionally, Title 45 U.S. Code of Federal Regulation Part 75 (45 CFR section 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HS Awards, section 75.303(a), Internal Controls, states the non-Federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Condition As part of the Low-Income Home Energy Assistance program (LIHEAP), the New Hampshire Department of Energy (the Department) enters into grant agreements with local entities to provide services related to the eligibility determination process for the LIHEAP program (including the calculation of participant benefits) and payment of benefits to fuel providers. During the year ended June 30, 2022, $37,990,873 was passed through to subrecipients. As part of our testwork over the subrecipient monitoring process, we noted the following as of the year ending June 30, 2022: A. The Department communicates award information to subrecipients through the approved grant agreement. Per review of the grant agreement, for each of the 3 subrecipients selected for testwork, the Department did not communicate all the required award information as outlined in 2 CFR section 200.332. Specifically, the following elements were not communicated: a. Federal Award Identification Number (FAIN) b. Federal award date c. Indirect cost rate for federal awards (including if the deminimus rate is charged per 2 CFR section 200.414) d. Identification of whether the award is R&D B. The Department performed a risk assessment for each of the 3 subrecipients selected for testwork. As part of the risk assessment process, a score was given to each subrecipient with corresponded to a particular risk assessment, such as higher or average risk. The Department however does not have a formal risk assessment policy so it was unclear what additional monitoring procedures should have been performed for each subrecipient based upon their assigned risk. C. For 2 of 3 programmatic monitoring reviews selected for testwork, the Department did not tissue its programmatic monitoring reports to the subrecipient timely after the monitoring review was completed. As a result, there was a delay in the subrecipient implementing its corrective action plan to address the findings identified during the programmatic monitoring review. Specifically, we noted the following: a. For 1 of 2 programmatic monitoring reviews, the monitoring review took place on April 14, 2022, but the report to the subrecipient was not issued until September 2022. Per review of the report that was issued, there were findings identified by the Department that warranted corrective action. Due to the delay in issuing the report, a corrective action plan was not obtained from the subrecipient until 5 months after the date of that the monitoring review took place b. For 1 of 2 programmatic monitoring reviews, the monitoring review took place on April 12, 2022, but the report to the subrecipient was not issued until July 2022. Per review of the report that was issued, there were findings identified by the Department that warranted corrective action. Due to the delay in issuing the report, a corrective action plan was not obtained from the subrecipient until 3 months after the date that the monitoring review took place. D. For all 3 subrecipients selected for testwork, the Department did not complete its annual fiscal monitoring review during the audit period as required by their monitoring policy. E. During our testwork over the Department?s review of subrecipient uniform guidance reports, we noted the following: a. The Department does not track the receipt of uniform guidance reports. As a result, we were unable to determine when the uniform guidance reports were received by the Department to ensure they are reviewed timely. Specifically, we noted: i. For 1 of 3 subrecipients, the subrecipient?s uniform guidance appeared to have been reviewed, but as the Department does not track the receipt of uniform guidance reports, it was unclear if it was reviewed timely. We did note based on the date that the uniform guidance report was issued, the management decision letter was not issued within 6 months of the date of the report being issued as required by 2 CRF 200.521 (d). ii. For 2 of 3 subrecipients selected for testwork, we were unable to obtain evidence to support that the Department had obtained and reviewed the subrecipient?s uniform guidance report. F. The Annual Report on Households Assisted by LIHEAP contains data that is specific to benefits paid to eligible participants. The data that is used to compile the annual report is obtained from case data that is reported to the New Hampshire Department of Energy (the Department) from its subrecipients as the Department has entered into grant agreements with third parties who are responsible for the eligibility determination and benefit payment process. As part of our subrecipient monitoring testwork, we were unable to verify that the Department had performed any monitoring procedures over the data provided by each subrecipient to ensure that the data reported within the annual report was complete and accurate. Cause The cause of the condition found was primarily due to insufficient documented subrecipient policies and procedures to ensure that adequate monitoring is performed over subrecipients to align with the risk assessments performed. The monitoring procedures that are in place to not include the completeness and accuracy of the data submitted by the subrecipient utilized to compile federal reports. Further, the Department does not have sufficient internal controls and procedures to ensure results of monitoring visits are performed and results communicated timely to subrecipient or to ensure that subrecipient uniform guidance reports are obtained and reviewed timely. In addition, there are insufficient internal controls in place to review the grant agreements to ensure that all required data elements are communicated to the subrecipient in accordance with 2 CFR section 300.332(b). Effect The effect of the condition found is that the Department did not comply with 2 CFR section 200.332(a), section 200.332(b) and 2 CFR section 200.521. Questioned Costs None. Recommendation We recommend that the Department formalize, policies and procedures and implement the necessary internal controls to ensure that the Department complies with the provisions of 2 CFR section 200.332(a), 2 CFR section 200.332(b) and 2 CFR section 200.251. This would include ensuring that: 1. All required award information is communicated to subrecipients; 2. A documented risk assessment is performed over all subrecipients and the results of that risk assessment is used to evaluate the types of monitoring procedures that will be performed over the subrecipient including the review of data utilized by the Department to compile federal reports; 3. As a result of the risk assessment performed, monitoring activities are performed over subrecipients to ensure compliance with the terms and conditions of its subrecipient grant agreement. The results of all monitoring reviews should be timely communicated in accordance with the Department?s policies to the subrecipient and actions requiring corrective action plan should be followed up on to ensure that the matter is resolved; and 4. Ensure that all uniform guidance reports are collected and reviewed timely so that a management decision letter can be issued within the time period required by federal regulations. View of Responsible Officials The Department of Energy recognizes the need to include all required information to be communicated to sub-recipients, and that all sub-recipients? risk assessments are thoroughly completed. In addition, uniform guidance reports need to be collected and reviewed to ensure that management letters be issued within the required timeframe. Anticipated Completion Date: Ongoing Contact Person Eileen Smiglowski, NH LIHEAP Administrator

Finding Reference Number: 2022-025 NH Department of Energy Low Income Home Energy Assistance and COVID-19 Low Income Home Energy Assistance (Assistance Listing #93.568) Federal Award Numbers: 2001NHLEA, 2001NHLIE4, 2001NH5C3, 2101NHLIEA, 2101NHE5C6, 2201NHLIEA, 2101NHLIE4 Federal Award Year: 2020, 2021, 2022 U.S. Department of Health and Human Services Compliance Requirement: Subrecipient Monitoring Type of Finding: Material Weakness and Material Noncompliance Prior Year Finding: 2021-027 Statistically Valid Sample: No Criteria A pass-through entity must: 1. Clearly identify to the subrecipient required award information and applicable requirements described in 2 CFR section 200.332(a); 2. Evaluate each subrecipient?s risk of noncompliance for the purposes of determining the appropriate subrecipient monitoring related to the subaward (2 CFR section 300.332(b)); 3. Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals (2 CFR sections 200.332(d) through (f). In addition to procedures identified as necessary based upon the evaluation of subrecipient risk or specifically required through the terms and conditions of the award, subaward monitoring must include following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means; and 4. Issuing a management decision for audit findings pertaining to federal award provided to the subrecipient from the subrecipient as required by 2 CFR section 200.521. Additionally, Title 45 U.S. Code of Federal Regulation Part 75 (45 CFR section 75), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for HS Awards, section 75.303(a), Internal Controls, states the non-Federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Condition As part of the Low-Income Home Energy Assistance program (LIHEAP), the New Hampshire Department of Energy (the Department) enters into grant agreements with local entities to provide services related to the eligibility determination process for the LIHEAP program (including the calculation of participant benefits) and payment of benefits to fuel providers. During the year ended June 30, 2022, $37,990,873 was passed through to subrecipients. As part of our testwork over the subrecipient monitoring process, we noted the following as of the year ending June 30, 2022: A. The Department communicates award information to subrecipients through the approved grant agreement. Per review of the grant agreement, for each of the 3 subrecipients selected for testwork, the Department did not communicate all the required award information as outlined in 2 CFR section 200.332. Specifically, the following elements were not communicated: a. Federal Award Identification Number (FAIN) b. Federal award date c. Indirect cost rate for federal awards (including if the deminimus rate is charged per 2 CFR section 200.414) d. Identification of whether the award is R&D B. The Department performed a risk assessment for each of the 3 subrecipients selected for testwork. As part of the risk assessment process, a score was given to each subrecipient with corresponded to a particular risk assessment, such as higher or average risk. The Department however does not have a formal risk assessment policy so it was unclear what additional monitoring procedures should have been performed for each subrecipient based upon their assigned risk. C. For 2 of 3 programmatic monitoring reviews selected for testwork, the Department did not tissue its programmatic monitoring reports to the subrecipient timely after the monitoring review was completed. As a result, there was a delay in the subrecipient implementing its corrective action plan to address the findings identified during the programmatic monitoring review. Specifically, we noted the following: a. For 1 of 2 programmatic monitoring reviews, the monitoring review took place on April 14, 2022, but the report to the subrecipient was not issued until September 2022. Per review of the report that was issued, there were findings identified by the Department that warranted corrective action. Due to the delay in issuing the report, a corrective action plan was not obtained from the subrecipient until 5 months after the date of that the monitoring review took place b. For 1 of 2 programmatic monitoring reviews, the monitoring review took place on April 12, 2022, but the report to the subrecipient was not issued until July 2022. Per review of the report that was issued, there were findings identified by the Department that warranted corrective action. Due to the delay in issuing the report, a corrective action plan was not obtained from the subrecipient until 3 months after the date that the monitoring review took place. D. For all 3 subrecipients selected for testwork, the Department did not complete its annual fiscal monitoring review during the audit period as required by their monitoring policy. E. During our testwork over the Department?s review of subrecipient uniform guidance reports, we noted the following: a. The Department does not track the receipt of uniform guidance reports. As a result, we were unable to determine when the uniform guidance reports were received by the Department to ensure they are reviewed timely. Specifically, we noted: i. For 1 of 3 subrecipients, the subrecipient?s uniform guidance appeared to have been reviewed, but as the Department does not track the receipt of uniform guidance reports, it was unclear if it was reviewed timely. We did note based on the date that the uniform guidance report was issued, the management decision letter was not issued within 6 months of the date of the report being issued as required by 2 CRF 200.521 (d). ii. For 2 of 3 subrecipients selected for testwork, we were unable to obtain evidence to support that the Department had obtained and reviewed the subrecipient?s uniform guidance report. F. The Annual Report on Households Assisted by LIHEAP contains data that is specific to benefits paid to eligible participants. The data that is used to compile the annual report is obtained from case data that is reported to the New Hampshire Department of Energy (the Department) from its subrecipients as the Department has entered into grant agreements with third parties who are responsible for the eligibility determination and benefit payment process. As part of our subrecipient monitoring testwork, we were unable to verify that the Department had performed any monitoring procedures over the data provided by each subrecipient to ensure that the data reported within the annual report was complete and accurate. Cause The cause of the condition found was primarily due to insufficient documented subrecipient policies and procedures to ensure that adequate monitoring is performed over subrecipients to align with the risk assessments performed. The monitoring procedures that are in place to not include the completeness and accuracy of the data submitted by the subrecipient utilized to compile federal reports. Further, the Department does not have sufficient internal controls and procedures to ensure results of monitoring visits are performed and results communicated timely to subrecipient or to ensure that subrecipient uniform guidance reports are obtained and reviewed timely. In addition, there are insufficient internal controls in place to review the grant agreements to ensure that all required data elements are communicated to the subrecipient in accordance with 2 CFR section 300.332(b). Effect The effect of the condition found is that the Department did not comply with 2 CFR section 200.332(a), section 200.332(b) and 2 CFR section 200.521. Questioned Costs None. Recommendation We recommend that the Department formalize, policies and procedures and implement the necessary internal controls to ensure that the Department complies with the provisions of 2 CFR section 200.332(a), 2 CFR section 200.332(b) and 2 CFR section 200.251. This would include ensuring that: 1. All required award information is communicated to subrecipients; 2. A documented risk assessment is performed over all subrecipients and the results of that risk assessment is used to evaluate the types of monitoring procedures that will be performed over the subrecipient including the review of data utilized by the Department to compile federal reports; 3. As a result of the risk assessment performed, monitoring activities are performed over subrecipients to ensure compliance with the terms and conditions of its subrecipient grant agreement. The results of all monitoring reviews should be timely communicated in accordance with the Department?s policies to the subrecipient and actions requiring corrective action plan should be followed up on to ensure that the matter is resolved; and 4. Ensure that all uniform guidance reports are collected and reviewed timely so that a management decision letter can be issued within the time period required by federal regulations. View of Responsible Officials The Department of Energy recognizes the need to include all required information to be communicated to sub-recipients, and that all sub-recipients? risk assessments are thoroughly completed. In addition, uniform guidance reports need to be collected and reviewed to ensure that management letters be issued within the required timeframe. Anticipated Completion Date: Ongoing Contact Person Eileen Smiglowski, NH LIHEAP Administrator

Criteria or specific requirement: According to ? 2 CFR 200.332 Requirements for Pass-through Entities, all pass-through entities must evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. In addition, the pass-through entity must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Condition: The Organization lacked a process to complete a risk assessment that would allow the Organization to evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Questioned costs: None. Context: We noted the Organization is not in compliance with the requirements defined within 2 CFR ?200.332(b). Cause: The Organization lacks established internal controls and procedures that ensure a risk assessment is performed on all Subrecipients. Effect: The lack of internal controls over this compliance requirement provides an opportunity for noncompliance. Appropriate subrecipient monitoring may not be determined as there are no risk assessments being performed. Repeat Finding: Yes: 2021-003 Recommendation: We recommend the Organization revise their Subrecipient Monitoring Policy to include performing subrecipient risk assessments on all subrecipient relationships that the Organization enters into. Views of responsible officials: Management concurs with the finding. While the Subrecipient Monitoring Policy was updated, Mental Health Partners did not have procedures in place to ensure risk assessments were performed on all subrecipients for each grant period. The Controller, Grants Manager, and Contracts Manager are currently updating the internal controls and procedures to ensure that risk assessments are performed for each subrecipient for each grant period in compliance with 2 CFR 200.332(b).

Criteria or specific requirement: According to ? 2 CFR 200.332 Requirements for Pass-through Entities, all pass-through entities must evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. In addition, the pass-through entity must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Condition: The Organization lacked a process to complete a risk assessment that would allow the Organization to evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Questioned costs: None. Context: We noted the Organization is not in compliance with the requirements defined within 2 CFR ?200.332(b). Cause: The Organization lacks established internal controls and procedures that ensure a risk assessment is performed on all Subrecipients. Effect: The lack of internal controls over this compliance requirement provides an opportunity for noncompliance. Appropriate subrecipient monitoring may not be determined as there are no risk assessments being performed. Repeat Finding: Yes: 2021-003 Recommendation: We recommend the Organization revise their Subrecipient Monitoring Policy to include performing subrecipient risk assessments on all subrecipient relationships that the Organization enters into. Views of responsible officials: Management concurs with the finding. While the Subrecipient Monitoring Policy was updated, Mental Health Partners did not have procedures in place to ensure risk assessments were performed on all subrecipients for each grant period. The Controller, Grants Manager, and Contracts Manager are currently updating the internal controls and procedures to ensure that risk assessments are performed for each subrecipient for each grant period in compliance with 2 CFR 200.332(b).

Criteria or specific requirement: According to ? 2 CFR 200.332 Requirements for Pass-through Entities, all pass-through entities must evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. In addition, the pass-through entity must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Condition: The Organization lacked a process to complete a risk assessment that would allow the Organization to evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Questioned costs: None. Context: We noted the Organization is not in compliance with the requirements defined within 2 CFR ?200.332(b). Cause: The Organization lacks established internal controls and procedures that ensure a risk assessment is performed on all Subrecipients. Effect: The lack of internal controls over this compliance requirement provides an opportunity for noncompliance. Appropriate subrecipient monitoring may not be determined as there are no risk assessments being performed. Repeat Finding: Yes: 2021-003 Recommendation: We recommend the Organization revise their Subrecipient Monitoring Policy to include performing subrecipient risk assessments on all subrecipient relationships that the Organization enters into. Views of responsible officials: Management concurs with the finding. While the Subrecipient Monitoring Policy was updated, Mental Health Partners did not have procedures in place to ensure risk assessments were performed on all subrecipients for each grant period. The Controller, Grants Manager, and Contracts Manager are currently updating the internal controls and procedures to ensure that risk assessments are performed for each subrecipient for each grant period in compliance with 2 CFR 200.332(b).

Assistance Listings number and name: 97.024 Emergency Food and Shelter National Board Program Award number and year: 0727200-056, April 1, 2021 through September 30, 2022 Federal agency: Federal Emergency Management Agency Pass-through grantor: United Way Compliance requirement: Subrecipient monitoring Questioned costs: Unknown Condition?The County?s Grants Management and Innovation Department awarded $1.6 million to 1 of 2 subrecipients during the year, or 15 percent of the Department?s $10.6 million total program expenditures, but did not perform all the required monitoring activities of the subrecipient?s activities or compliance with the award terms and program requirements. Specifically, the Department performed insufficient monitoring during the year, which consisted only of reviewing and approving the subrecipient?s invoices of program expenditures for reimbursement. However, those monitoring procedures alone were not sufficient to evaluate whether the subrecipient used program monies in accordance with the award terms and program requirements. Effect?The Department?s lack of required monitoring increased the risk that the $1.6 million of program monies the Department awarded to this subrecipient may not have been spent in accordance with the award terms and program requirements. Cause?Department management reported that it had a previous contractor relationship with the subrecipient and had not reevaluated the substance of its federal award agreement with it, as required by federal regulation, to properly identify the need to implement subrecipient monitoring procedures. Criteria?Federal regulations require the County to evaluate the substance of its federal award agreements with other parties to determine whether each of the other parties receiving the monies have the role of a subrecipient or contractor and whether they are required to comply with any of the federal program?s requirements that the County should monitor (2 Code of Federal Regulation [CFR] ?200.331). Additionally, federal regulations require the County to monitor subrecipients, which includes required monitoring procedures for assessing the risk of each subrecipient?s noncompliance and monitoring activities based on those risk assessments; verifying single audits were conducted timely; following up on and ensuring corrective action is taken on audit findings that could potentially affect the program; and issuing a management decision for audit findings pertaining to the federal award. Those federal regulations also provide that monitoring procedures may include reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing onsite reviews, selective audits, and/or other monitoring procedures (2 CFR ?200.332[b] and [d ? e]). Also, federal regulation requires establishing and maintaining effective internal control over federal awards that provides reasonable assurance that the federal program is being managed in compliance with all applicable laws, regulations, and award terms (2 CFR ?200.303). Recommendations?The Department should: 1. Evaluate the substance of its federal award agreements with other parties to determine whether each of the other parties receiving the monies have the role of a subrecipient or contractor and whether they are required to comply with any of the federal program?s requirements that the Department should monitor. 2. Ensure it performs required monitoring of its subrecipients and their compliance with the award terms and program requirements by following its existing policies and procedures that require the Department to: a. Assess the risk of each subrecipient?s noncompliance and carry out monitoring activities based on those risk assessments such as reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on-site reviews, selective audits, and/or other monitoring procedures. b. Verify subrecipients receive timely single audits, follow up on and ensure that corrective action is taken on any audit findings that could potentially affect the program, and issue management decisions for any audit findings pertaining to the federal award. c. Maintain documentation of monitoring procedures demonstrating they were performed, including the monitoring procedures? results and any County actions taken, if appropriate. The County?s corrective action plan at the end of this report includes the views and planned corrective action of its responsible officials. We are not required to audit and have not audited these responses and planned corrective actions and therefore provide no assurances as to their accuracy.

Finding 2022-079 Minerals Leasing Act?Subrecipient Monitoring In 1920, the U.S. Congress passed the Minerals Leasing Act. This Act directs the federal Office of Natural Resources Revenue (ONRR) within the U.S. Department of the Interior to share 50 percent of mineral leasing revenue received by the ONRR with states that generate mineral lease revenue. Mineral lease revenue results from payments made to the federal government by companies that lease federal land for the right to extract minerals from that land. According to the Act, revenue is to be used by states as each individual state?s legislature directs, giving priority to those sections of the state that are socially or economically impacted by the extraction of minerals. For Colorado, ONRR distributes Program funds to Treasury, which subgrants?or passes through?Program funds to the Department of Local Affairs (DOLA), the Department of Natural Resources (DNR), the Department of Higher Education (DHE), and the Department of Education (DOE), as prescribed by Section 34-63-102, C.R.S. In turn, DOLA passes the majority of the Program funds it receives to local governments impacted by mineral leasing, such as cities and counties. These local governments are considered subrecipients of the Program, and may use Program monies for ??planning; construction and maintenance of public facilities; and provision of public services.? During Fiscal Year 2022, ONRR distributed approximately $124.9 million in Program revenue to Treasury. Treasury passed all of the Program funds to DOLA, DNR, DHE, and DOE. DOLA then passed approximately $49.2 million of the $52.2 million in Program funds it received to local government subrecipients. DOLA retained the remaining $3.0 million in Program funds to cover administrative costs. DNR, DOE, and DHE spent the Program funds at the state level and did not pass any of the funds through to subrecipients. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether Treasury had adequate internal controls in place over, and complied with, federal subrecipient monitoring and reporting requirements for the Program during Fiscal Year 2022. As part of our testing, we reviewed Treasury?s progress in implementing our Fiscal Year 2020 audit recommendation related to subrecipient monitoring and reporting requirements for the Program. During that audit, we recommended that Treasury strengthen its internal controls to ensure that it complies with federal requirements for subrecipient monitoring and reporting for the Program by developing an effective monitoring process to ensure that required federal award information is communicated to Program subrecipients, including the Assistance Listing Number, program name, federal awarding agency, name of the department awarding the Program monies, Treasury department contact information, and dollar amount. In addition, we recommended that Treasury implement procedures to accurately prepare and submit the Exhibit K1, Schedule of Federal Assistance, to the Office of the State Controller (OSC) for reporting federal assistance information each year and to ensure the Exhibit K1 accurately reflects Program expenditures. During our Fiscal Year 2022 audit, we inquired about Treasury?s monitoring procedures over its Program subrecipients, including its required communications. We also reviewed Treasury?s Exhibit K1 to verify the accuracy of the information reported to the OSC and to assess Treasury?s compliance with federal reporting requirements and the OSC?s instructions. How were the results of the audit work measured? We measured the results of our audit work against the following requirements: Federal regulations [2 CFR 200.303] require that Treasury, as a federal grant recipient, establish and maintain effective internal controls over federal awards that provide reasonable assurance that awards are being managed in compliance with federal statutes, regulation, and the terms and conditions of the federal award. Federal regulations [2 CFR 200.332] further require that Treasury, as the primary recipient of the Program monies, ensure that every subaward it makes is clearly identified to the subrecipient as a subaward, and that Treasury provides specific information about the Program to the subrecipients, including, but not limited to, the following: ? Assistance Listing Number ? Name of the program, name of the federal awarding agency, and name of the department awarding the Program monies ? Contact information for Treasury ? Dollar amount made available to the subrecipient ? Reporting requirements The State and any local governments receiving federal funds are required to present a Schedule of Expenditures of Federal Awards (SEFA) in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Federal regulations [2 CFR 200.501(b)] specifically require that the SEFA include information on each federal award expended during the year, including the total amount provided to subrecipients from each federal award. Any non-federal entity that expends $750,000 or more in total federal awards during the entity?s fiscal year must undergo a Single Audit or program-specific audit for that year. Federal regulations [2 CFR 200.332(f)] further require that Treasury, as the primary recipient of the Program funds, ensure that any non-state subrecipients receiving federal funds from the State during a given fiscal year report the funds on their respective SEFAs and, if applicable, undergo a Single Audit. The Exhibit K1 is used to report federal expenditure information to the OSC to aid the OSC in preparing the State?s SEFA, which reports the total federal awards expended by the State during the fiscal year. The instructions state that the OSC relies on the accuracy of amounts and other information reported on the Exhibit in preparing the SEFA. What problem did the audit work identify? We found that Treasury did not fully implement our prior audit recommendation related to federal subrecipient monitoring for the Program during Fiscal Year 2022. Specifically, we found that Treasury did not communicate, or ensure that DOLA communicated, the required award information and applicable federal compliance requirements to all Program subrecipients in accordance with federal regulations. In response to our prior audit recommendation, Treasury reported that they met with DOLA staff in June 2022 to discuss an interagency agreement that would establish expectations for DOLA to communicate required federal award information and applicable federal compliance requirements for this Program to subrecipients. However, as of the end of the fiscal year, this interagency agreement was not signed or in place. Further, Treasury, as the primary recipient of the Program funds, did not ensure that it or DOLA communicated and followed up with any non-state subrecipients receiving federal funds from the State during Fiscal Year 2022 to ensure the subrecipients reported the funds on their respective SEFAs and, if applicable, underwent a Single Audit. We determined that Treasury implemented part of our prior audit recommendation related to the preparation of its Exhibit K1 in accordance with federal requirements. Specifically, Treasury received information from pass-through departments in order to properly determine whether Program funds ultimately flowed through to subrecipients and reported these funds as ?Expenditures -Passed Through to Subrecipient? on Treasury?s Exhibit K1. Why did this problem occur? Treasury did not have adequate internal controls in place during Fiscal Year 2022 to ensure that it complied with federal subrecipient monitoring requirements for the Program. Specifically, Treasury staff did not effectively communicate with DOLA staff about their responsibility for subrecipient reporting or have a monitoring process in place to ensure that either Treasury or DOLA staff communicated required federal award information and related federal reporting requirements to all subrecipients of Program funds, including a communication that any subrecipients receiving Program funds from the State during Fiscal Year 2022 are required to report the funds on their respective SEFAs and, if applicable, undergo a Single Audit. Why does this problem matter? By not communicating required information to subrecipients, Treasury failed to comply with federal subrecipient monitoring requirements for the Program. This communication is necessary to ensure that subrecipients are aware of the federal requirements for the funds, including the requirement that local governments properly report federal expenditures on their SEFAs. Treasury?s insufficient monitoring of Program subrecipients could result in future federal funding being reduced. In addition, if Treasury does not appropriately communicate SEFA reporting requirements to other state agencies and non-state subrecipients in the future, it could ultimately result in local governments not undergoing Single Audits, as required. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-079 The Department of the Treasury (Treasury) should strengthen its internal controls to ensure that it complies with federal requirements for subrecipient monitoring and reporting for the Minerals Leasing Act program (Program). This should include developing effective processes to ensure that required federal award information, including the Assistance Listing Number, federal program name, and dollar amount made available to the subrecipient, and the related federal requirements are communicated to Program subrecipients, and that the subrecipients report the funds on their respective annual Schedules of Expenditures of Federal Awards and, if applicable, undergo a Single Audit. Response Department of The Treasury Agree Implementation Date: June 30, 2023 The Department of the Treasury (Treasury) strengthened its internal controls with DOLA?s agreement to disseminate the necessary information to the subrecipients in compliance with federal requirements for subrecipient monitoring and reporting for the Minerals Leasing Act program (Program) at the earliest possible opportunity following receipt of the recommendation in the previous FYE?s report as the monitoring and reporting for the Program could only be performed following the annual distribution of such funds which took place subsequent to FYE 2022. The Department will formalize an Interagency Agreement with DOLA and any other relevant parties, incorporating additional corrective action before the stated date above (June 30, 2023).

Finding 2022-076 Compliance with Federal Subrecipient Monitoring Requirements The Department receives federal grant funds directly from the federal government for the Highway Planning and Construction Program (Program) and then subgrants, or passes through, a portion of the funds to cities and counties and other organizations that are considered to be either a subrecipient or a contractor. A subrecipient is a non-federal entity that expends federal awards received from a pass-through entity to carry out a federal program, but does not include an individual that is a beneficiary receiving direct payments from such a program. A contractor is a dealer, distributor, merchant, or other seller providing goods or services that are required to conduct a federal program; these goods or services may be for an organization?s own use or for the use of beneficiaries of the federal program. The Department executes an Intergovemental Agreement (IGA) between the Department and the subrecipient. Under Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), the Department is responsible for evaluating each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward and for ultimately ensuring the subrecipient is determined eligible. In some instances, in coordination with the Federal Highway Association (FHWA), a Metropolitan Planning Organization (MPO)? rather than the primary recipient, such as the Department?is responsible for performing eligibility determinations. As such, in those instances, the Department does not perform risk-assessments on these contracts and only is responsible for on-going monitoring. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place and complied with subrecipient monitoring activities for the Program during Fiscal Year 2022. As part of our audit work, we reviewed the Department?s internal controls over compliance for subrecipient monitoring requirements for the Program, including the Department?s policies and procedures. We tested a random sample of 25 of the Department?s 92 subrecipients (27 percent) for the Program?for which the Department had an IGA in place during Fiscal Year 2022?to determine whether subrecipient monitoring procedures performed by Department staff during the year were compliant with federal regulations. Our testing included evaluating whether the Department performed risk assessments and determined the appropriate level of subrecipient monitoring for the entities, as required by federal Uniform Guidance. How were the results of the audit work measured? Our audit work was designed to measure the Department?s compliance with the following criteria: ? Federal regulations [2 CFR 200.303] state that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? ? Federal regulations [2 CFR 200.332(b)] also state that the Department must evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. ? Federal regulations [2 CFR 200.332(d) through (f)] and [2 CFR 200.521] further require the Department to monitor the activities of its subrecipients, as necessary, to ensure that each subaward is used for authorized purposes, the subrecipient complies with the terms and conditions of the subaward, and that the subrecipient achieves performance goals. The Department?s monitoring must include: o Reviewing financial and programmatic reports submitted by the subrecipient o Following-up on and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award o Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity What problems did the audit work identify? We determined that the Department did not comply with subrecipient monitoring requirements for the Highway Planning and Construction Program during Fiscal Year 2022, as noted below: ? The Department did not perform a risk assessment for 6 of the 25 subrecipients (24 percent) we tested, including subrecipients where eligibility was determined by a MPO. ? The Department improperly included one vendor in our population of subrecipients. The nature of services provided by the vendor was personal services, therefore, did not require the execution of an IGA. ? The Department did not provide supporting documentation for reviews of any Fiscal Year 2022 financial and programmatic reports. As a result, we were unable to determine if any reviews were conducted during the fiscal year, as required. Why did these problems occur? While the Department has created a subrecipient monitoring and risk assessment manual, the manual lacks clarity in a variety of areas, including the following: ? For contracts which extend over multiple fiscal years, the policies do not specify the frequency in which subrecipient risk-assessment should be reviewed or updated. ? There are multiple types of subrecipient contracts for which the full risk-assessment process may not be applicable, however, the current policies do not address acceptable exceptions to the policy. ? The Department?s current policies do not include guidance related to the review of financial and programmatic reports, including the extent to which required programmatic and financial reports should be obtained and reviewed. ? The Department?s policies and procedures do not clearly indicate that the Department is not required to complete a risk assessment when an MPO determines eligibility and therefore the nature of monitoring procedures to be performed is not defined. ? Requested audit documentation was not provided timely. Further, the Department did not provide sufficiently-detailed training to staff to ensure they were aware of and conducted required subrecipient monitoring responsibilities. Why do these problems matter? Performing timely and appropriate monitoring of subrecipients provides the Department with a method to ensure its subrecipients are complying with applicable federal grant requirements. By taking appropriate actions based on the results of its subrecipient monitoring activities, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with program requirements. Overall, the Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-076 The Department of Transportation should strengthen internal controls over and ensure that it complies with federal subrecipient monitoring requirements for the Highway Planning and Construction program by: A. Updating its current subrecipient monitoring and risk assessment policy to clarify the frequency in which a risk assessment is required to be completed or updated, as applicable for contracts that span multiple fiscal years, as well as direction regarding when it is acceptable to forgo performing a risk assessment and updating the policy to address the nature in which subrecipient programmatic and financial reports are reviewed B. Providing training to staff responsible for subrecipient monitoring activities related to the policies updated in Part A of the finding. Response Department of Transportation A. Agree Implementation Date: November 2023 The Department will update the policy to clarify the frequency in which the risk assessment is required to be completed or updated as applicable for contracts that span multiple fiscal years, as well as identifying exceptions, outlining when it is acceptable to forgo risk assessments. The Department will also update the policy to address the nature in which the subrecipient programmatic and financial reports are reviewed. The updates will be completed by November 2023. B. Agree Implementation Date: November 2023 The Department will provide training on the subrecipient monitoring policy manual to outline roles, responsibilities and the frequency of risk assessments that span over multiple fiscal years. The training will also provide guidance on the programmatic and financial information review process.

Finding 2022-076 Compliance with Federal Subrecipient Monitoring Requirements The Department receives federal grant funds directly from the federal government for the Highway Planning and Construction Program (Program) and then subgrants, or passes through, a portion of the funds to cities and counties and other organizations that are considered to be either a subrecipient or a contractor. A subrecipient is a non-federal entity that expends federal awards received from a pass-through entity to carry out a federal program, but does not include an individual that is a beneficiary receiving direct payments from such a program. A contractor is a dealer, distributor, merchant, or other seller providing goods or services that are required to conduct a federal program; these goods or services may be for an organization?s own use or for the use of beneficiaries of the federal program. The Department executes an Intergovemental Agreement (IGA) between the Department and the subrecipient. Under Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), the Department is responsible for evaluating each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward and for ultimately ensuring the subrecipient is determined eligible. In some instances, in coordination with the Federal Highway Association (FHWA), a Metropolitan Planning Organization (MPO)? rather than the primary recipient, such as the Department?is responsible for performing eligibility determinations. As such, in those instances, the Department does not perform risk-assessments on these contracts and only is responsible for on-going monitoring. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place and complied with subrecipient monitoring activities for the Program during Fiscal Year 2022. As part of our audit work, we reviewed the Department?s internal controls over compliance for subrecipient monitoring requirements for the Program, including the Department?s policies and procedures. We tested a random sample of 25 of the Department?s 92 subrecipients (27 percent) for the Program?for which the Department had an IGA in place during Fiscal Year 2022?to determine whether subrecipient monitoring procedures performed by Department staff during the year were compliant with federal regulations. Our testing included evaluating whether the Department performed risk assessments and determined the appropriate level of subrecipient monitoring for the entities, as required by federal Uniform Guidance. How were the results of the audit work measured? Our audit work was designed to measure the Department?s compliance with the following criteria: ? Federal regulations [2 CFR 200.303] state that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? ? Federal regulations [2 CFR 200.332(b)] also state that the Department must evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. ? Federal regulations [2 CFR 200.332(d) through (f)] and [2 CFR 200.521] further require the Department to monitor the activities of its subrecipients, as necessary, to ensure that each subaward is used for authorized purposes, the subrecipient complies with the terms and conditions of the subaward, and that the subrecipient achieves performance goals. The Department?s monitoring must include: o Reviewing financial and programmatic reports submitted by the subrecipient o Following-up on and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award o Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity What problems did the audit work identify? We determined that the Department did not comply with subrecipient monitoring requirements for the Highway Planning and Construction Program during Fiscal Year 2022, as noted below: ? The Department did not perform a risk assessment for 6 of the 25 subrecipients (24 percent) we tested, including subrecipients where eligibility was determined by a MPO. ? The Department improperly included one vendor in our population of subrecipients. The nature of services provided by the vendor was personal services, therefore, did not require the execution of an IGA. ? The Department did not provide supporting documentation for reviews of any Fiscal Year 2022 financial and programmatic reports. As a result, we were unable to determine if any reviews were conducted during the fiscal year, as required. Why did these problems occur? While the Department has created a subrecipient monitoring and risk assessment manual, the manual lacks clarity in a variety of areas, including the following: ? For contracts which extend over multiple fiscal years, the policies do not specify the frequency in which subrecipient risk-assessment should be reviewed or updated. ? There are multiple types of subrecipient contracts for which the full risk-assessment process may not be applicable, however, the current policies do not address acceptable exceptions to the policy. ? The Department?s current policies do not include guidance related to the review of financial and programmatic reports, including the extent to which required programmatic and financial reports should be obtained and reviewed. ? The Department?s policies and procedures do not clearly indicate that the Department is not required to complete a risk assessment when an MPO determines eligibility and therefore the nature of monitoring procedures to be performed is not defined. ? Requested audit documentation was not provided timely. Further, the Department did not provide sufficiently-detailed training to staff to ensure they were aware of and conducted required subrecipient monitoring responsibilities. Why do these problems matter? Performing timely and appropriate monitoring of subrecipients provides the Department with a method to ensure its subrecipients are complying with applicable federal grant requirements. By taking appropriate actions based on the results of its subrecipient monitoring activities, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with program requirements. Overall, the Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-076 The Department of Transportation should strengthen internal controls over and ensure that it complies with federal subrecipient monitoring requirements for the Highway Planning and Construction program by: A. Updating its current subrecipient monitoring and risk assessment policy to clarify the frequency in which a risk assessment is required to be completed or updated, as applicable for contracts that span multiple fiscal years, as well as direction regarding when it is acceptable to forgo performing a risk assessment and updating the policy to address the nature in which subrecipient programmatic and financial reports are reviewed B. Providing training to staff responsible for subrecipient monitoring activities related to the policies updated in Part A of the finding. Response Department of Transportation A. Agree Implementation Date: November 2023 The Department will update the policy to clarify the frequency in which the risk assessment is required to be completed or updated as applicable for contracts that span multiple fiscal years, as well as identifying exceptions, outlining when it is acceptable to forgo risk assessments. The Department will also update the policy to address the nature in which the subrecipient programmatic and financial reports are reviewed. The updates will be completed by November 2023. B. Agree Implementation Date: November 2023 The Department will provide training on the subrecipient monitoring policy manual to outline roles, responsibilities and the frequency of risk assessments that span over multiple fiscal years. The training will also provide guidance on the programmatic and financial information review process.

Finding 2022-076 Compliance with Federal Subrecipient Monitoring Requirements The Department receives federal grant funds directly from the federal government for the Highway Planning and Construction Program (Program) and then subgrants, or passes through, a portion of the funds to cities and counties and other organizations that are considered to be either a subrecipient or a contractor. A subrecipient is a non-federal entity that expends federal awards received from a pass-through entity to carry out a federal program, but does not include an individual that is a beneficiary receiving direct payments from such a program. A contractor is a dealer, distributor, merchant, or other seller providing goods or services that are required to conduct a federal program; these goods or services may be for an organization?s own use or for the use of beneficiaries of the federal program. The Department executes an Intergovemental Agreement (IGA) between the Department and the subrecipient. Under Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), the Department is responsible for evaluating each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward and for ultimately ensuring the subrecipient is determined eligible. In some instances, in coordination with the Federal Highway Association (FHWA), a Metropolitan Planning Organization (MPO)? rather than the primary recipient, such as the Department?is responsible for performing eligibility determinations. As such, in those instances, the Department does not perform risk-assessments on these contracts and only is responsible for on-going monitoring. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place and complied with subrecipient monitoring activities for the Program during Fiscal Year 2022. As part of our audit work, we reviewed the Department?s internal controls over compliance for subrecipient monitoring requirements for the Program, including the Department?s policies and procedures. We tested a random sample of 25 of the Department?s 92 subrecipients (27 percent) for the Program?for which the Department had an IGA in place during Fiscal Year 2022?to determine whether subrecipient monitoring procedures performed by Department staff during the year were compliant with federal regulations. Our testing included evaluating whether the Department performed risk assessments and determined the appropriate level of subrecipient monitoring for the entities, as required by federal Uniform Guidance. How were the results of the audit work measured? Our audit work was designed to measure the Department?s compliance with the following criteria: ? Federal regulations [2 CFR 200.303] state that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? ? Federal regulations [2 CFR 200.332(b)] also state that the Department must evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. ? Federal regulations [2 CFR 200.332(d) through (f)] and [2 CFR 200.521] further require the Department to monitor the activities of its subrecipients, as necessary, to ensure that each subaward is used for authorized purposes, the subrecipient complies with the terms and conditions of the subaward, and that the subrecipient achieves performance goals. The Department?s monitoring must include: o Reviewing financial and programmatic reports submitted by the subrecipient o Following-up on and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award o Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity What problems did the audit work identify? We determined that the Department did not comply with subrecipient monitoring requirements for the Highway Planning and Construction Program during Fiscal Year 2022, as noted below: ? The Department did not perform a risk assessment for 6 of the 25 subrecipients (24 percent) we tested, including subrecipients where eligibility was determined by a MPO. ? The Department improperly included one vendor in our population of subrecipients. The nature of services provided by the vendor was personal services, therefore, did not require the execution of an IGA. ? The Department did not provide supporting documentation for reviews of any Fiscal Year 2022 financial and programmatic reports. As a result, we were unable to determine if any reviews were conducted during the fiscal year, as required. Why did these problems occur? While the Department has created a subrecipient monitoring and risk assessment manual, the manual lacks clarity in a variety of areas, including the following: ? For contracts which extend over multiple fiscal years, the policies do not specify the frequency in which subrecipient risk-assessment should be reviewed or updated. ? There are multiple types of subrecipient contracts for which the full risk-assessment process may not be applicable, however, the current policies do not address acceptable exceptions to the policy. ? The Department?s current policies do not include guidance related to the review of financial and programmatic reports, including the extent to which required programmatic and financial reports should be obtained and reviewed. ? The Department?s policies and procedures do not clearly indicate that the Department is not required to complete a risk assessment when an MPO determines eligibility and therefore the nature of monitoring procedures to be performed is not defined. ? Requested audit documentation was not provided timely. Further, the Department did not provide sufficiently-detailed training to staff to ensure they were aware of and conducted required subrecipient monitoring responsibilities. Why do these problems matter? Performing timely and appropriate monitoring of subrecipients provides the Department with a method to ensure its subrecipients are complying with applicable federal grant requirements. By taking appropriate actions based on the results of its subrecipient monitoring activities, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with program requirements. Overall, the Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-076 The Department of Transportation should strengthen internal controls over and ensure that it complies with federal subrecipient monitoring requirements for the Highway Planning and Construction program by: A. Updating its current subrecipient monitoring and risk assessment policy to clarify the frequency in which a risk assessment is required to be completed or updated, as applicable for contracts that span multiple fiscal years, as well as direction regarding when it is acceptable to forgo performing a risk assessment and updating the policy to address the nature in which subrecipient programmatic and financial reports are reviewed B. Providing training to staff responsible for subrecipient monitoring activities related to the policies updated in Part A of the finding. Response Department of Transportation A. Agree Implementation Date: November 2023 The Department will update the policy to clarify the frequency in which the risk assessment is required to be completed or updated as applicable for contracts that span multiple fiscal years, as well as identifying exceptions, outlining when it is acceptable to forgo risk assessments. The Department will also update the policy to address the nature in which the subrecipient programmatic and financial reports are reviewed. The updates will be completed by November 2023. B. Agree Implementation Date: November 2023 The Department will provide training on the subrecipient monitoring policy manual to outline roles, responsibilities and the frequency of risk assessments that span over multiple fiscal years. The training will also provide guidance on the programmatic and financial information review process.

Finding 2022-076 Compliance with Federal Subrecipient Monitoring Requirements The Department receives federal grant funds directly from the federal government for the Highway Planning and Construction Program (Program) and then subgrants, or passes through, a portion of the funds to cities and counties and other organizations that are considered to be either a subrecipient or a contractor. A subrecipient is a non-federal entity that expends federal awards received from a pass-through entity to carry out a federal program, but does not include an individual that is a beneficiary receiving direct payments from such a program. A contractor is a dealer, distributor, merchant, or other seller providing goods or services that are required to conduct a federal program; these goods or services may be for an organization?s own use or for the use of beneficiaries of the federal program. The Department executes an Intergovemental Agreement (IGA) between the Department and the subrecipient. Under Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), the Department is responsible for evaluating each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward and for ultimately ensuring the subrecipient is determined eligible. In some instances, in coordination with the Federal Highway Association (FHWA), a Metropolitan Planning Organization (MPO)? rather than the primary recipient, such as the Department?is responsible for performing eligibility determinations. As such, in those instances, the Department does not perform risk-assessments on these contracts and only is responsible for on-going monitoring. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place and complied with subrecipient monitoring activities for the Program during Fiscal Year 2022. As part of our audit work, we reviewed the Department?s internal controls over compliance for subrecipient monitoring requirements for the Program, including the Department?s policies and procedures. We tested a random sample of 25 of the Department?s 92 subrecipients (27 percent) for the Program?for which the Department had an IGA in place during Fiscal Year 2022?to determine whether subrecipient monitoring procedures performed by Department staff during the year were compliant with federal regulations. Our testing included evaluating whether the Department performed risk assessments and determined the appropriate level of subrecipient monitoring for the entities, as required by federal Uniform Guidance. How were the results of the audit work measured? Our audit work was designed to measure the Department?s compliance with the following criteria: ? Federal regulations [2 CFR 200.303] state that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? ? Federal regulations [2 CFR 200.332(b)] also state that the Department must evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. ? Federal regulations [2 CFR 200.332(d) through (f)] and [2 CFR 200.521] further require the Department to monitor the activities of its subrecipients, as necessary, to ensure that each subaward is used for authorized purposes, the subrecipient complies with the terms and conditions of the subaward, and that the subrecipient achieves performance goals. The Department?s monitoring must include: o Reviewing financial and programmatic reports submitted by the subrecipient o Following-up on and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award o Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity What problems did the audit work identify? We determined that the Department did not comply with subrecipient monitoring requirements for the Highway Planning and Construction Program during Fiscal Year 2022, as noted below: ? The Department did not perform a risk assessment for 6 of the 25 subrecipients (24 percent) we tested, including subrecipients where eligibility was determined by a MPO. ? The Department improperly included one vendor in our population of subrecipients. The nature of services provided by the vendor was personal services, therefore, did not require the execution of an IGA. ? The Department did not provide supporting documentation for reviews of any Fiscal Year 2022 financial and programmatic reports. As a result, we were unable to determine if any reviews were conducted during the fiscal year, as required. Why did these problems occur? While the Department has created a subrecipient monitoring and risk assessment manual, the manual lacks clarity in a variety of areas, including the following: ? For contracts which extend over multiple fiscal years, the policies do not specify the frequency in which subrecipient risk-assessment should be reviewed or updated. ? There are multiple types of subrecipient contracts for which the full risk-assessment process may not be applicable, however, the current policies do not address acceptable exceptions to the policy. ? The Department?s current policies do not include guidance related to the review of financial and programmatic reports, including the extent to which required programmatic and financial reports should be obtained and reviewed. ? The Department?s policies and procedures do not clearly indicate that the Department is not required to complete a risk assessment when an MPO determines eligibility and therefore the nature of monitoring procedures to be performed is not defined. ? Requested audit documentation was not provided timely. Further, the Department did not provide sufficiently-detailed training to staff to ensure they were aware of and conducted required subrecipient monitoring responsibilities. Why do these problems matter? Performing timely and appropriate monitoring of subrecipients provides the Department with a method to ensure its subrecipients are complying with applicable federal grant requirements. By taking appropriate actions based on the results of its subrecipient monitoring activities, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with program requirements. Overall, the Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-076 The Department of Transportation should strengthen internal controls over and ensure that it complies with federal subrecipient monitoring requirements for the Highway Planning and Construction program by: A. Updating its current subrecipient monitoring and risk assessment policy to clarify the frequency in which a risk assessment is required to be completed or updated, as applicable for contracts that span multiple fiscal years, as well as direction regarding when it is acceptable to forgo performing a risk assessment and updating the policy to address the nature in which subrecipient programmatic and financial reports are reviewed B. Providing training to staff responsible for subrecipient monitoring activities related to the policies updated in Part A of the finding. Response Department of Transportation A. Agree Implementation Date: November 2023 The Department will update the policy to clarify the frequency in which the risk assessment is required to be completed or updated as applicable for contracts that span multiple fiscal years, as well as identifying exceptions, outlining when it is acceptable to forgo risk assessments. The Department will also update the policy to address the nature in which the subrecipient programmatic and financial reports are reviewed. The updates will be completed by November 2023. B. Agree Implementation Date: November 2023 The Department will provide training on the subrecipient monitoring policy manual to outline roles, responsibilities and the frequency of risk assessments that span over multiple fiscal years. The training will also provide guidance on the programmatic and financial information review process.

Finding 2022-076 Compliance with Federal Subrecipient Monitoring Requirements The Department receives federal grant funds directly from the federal government for the Highway Planning and Construction Program (Program) and then subgrants, or passes through, a portion of the funds to cities and counties and other organizations that are considered to be either a subrecipient or a contractor. A subrecipient is a non-federal entity that expends federal awards received from a pass-through entity to carry out a federal program, but does not include an individual that is a beneficiary receiving direct payments from such a program. A contractor is a dealer, distributor, merchant, or other seller providing goods or services that are required to conduct a federal program; these goods or services may be for an organization?s own use or for the use of beneficiaries of the federal program. The Department executes an Intergovemental Agreement (IGA) between the Department and the subrecipient. Under Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), the Department is responsible for evaluating each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward and for ultimately ensuring the subrecipient is determined eligible. In some instances, in coordination with the Federal Highway Association (FHWA), a Metropolitan Planning Organization (MPO)? rather than the primary recipient, such as the Department?is responsible for performing eligibility determinations. As such, in those instances, the Department does not perform risk-assessments on these contracts and only is responsible for on-going monitoring. What was the purpose of our audit work and what work was performed? The purpose of the audit work was to determine whether the Department had effective internal controls in place and complied with subrecipient monitoring activities for the Program during Fiscal Year 2022. As part of our audit work, we reviewed the Department?s internal controls over compliance for subrecipient monitoring requirements for the Program, including the Department?s policies and procedures. We tested a random sample of 25 of the Department?s 92 subrecipients (27 percent) for the Program?for which the Department had an IGA in place during Fiscal Year 2022?to determine whether subrecipient monitoring procedures performed by Department staff during the year were compliant with federal regulations. Our testing included evaluating whether the Department performed risk assessments and determined the appropriate level of subrecipient monitoring for the entities, as required by federal Uniform Guidance. How were the results of the audit work measured? Our audit work was designed to measure the Department?s compliance with the following criteria: ? Federal regulations [2 CFR 200.303] state that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? ? Federal regulations [2 CFR 200.332(b)] also state that the Department must evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. ? Federal regulations [2 CFR 200.332(d) through (f)] and [2 CFR 200.521] further require the Department to monitor the activities of its subrecipients, as necessary, to ensure that each subaward is used for authorized purposes, the subrecipient complies with the terms and conditions of the subaward, and that the subrecipient achieves performance goals. The Department?s monitoring must include: o Reviewing financial and programmatic reports submitted by the subrecipient o Following-up on and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award o Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity What problems did the audit work identify? We determined that the Department did not comply with subrecipient monitoring requirements for the Highway Planning and Construction Program during Fiscal Year 2022, as noted below: ? The Department did not perform a risk assessment for 6 of the 25 subrecipients (24 percent) we tested, including subrecipients where eligibility was determined by a MPO. ? The Department improperly included one vendor in our population of subrecipients. The nature of services provided by the vendor was personal services, therefore, did not require the execution of an IGA. ? The Department did not provide supporting documentation for reviews of any Fiscal Year 2022 financial and programmatic reports. As a result, we were unable to determine if any reviews were conducted during the fiscal year, as required. Why did these problems occur? While the Department has created a subrecipient monitoring and risk assessment manual, the manual lacks clarity in a variety of areas, including the following: ? For contracts which extend over multiple fiscal years, the policies do not specify the frequency in which subrecipient risk-assessment should be reviewed or updated. ? There are multiple types of subrecipient contracts for which the full risk-assessment process may not be applicable, however, the current policies do not address acceptable exceptions to the policy. ? The Department?s current policies do not include guidance related to the review of financial and programmatic reports, including the extent to which required programmatic and financial reports should be obtained and reviewed. ? The Department?s policies and procedures do not clearly indicate that the Department is not required to complete a risk assessment when an MPO determines eligibility and therefore the nature of monitoring procedures to be performed is not defined. ? Requested audit documentation was not provided timely. Further, the Department did not provide sufficiently-detailed training to staff to ensure they were aware of and conducted required subrecipient monitoring responsibilities. Why do these problems matter? Performing timely and appropriate monitoring of subrecipients provides the Department with a method to ensure its subrecipients are complying with applicable federal grant requirements. By taking appropriate actions based on the results of its subrecipient monitoring activities, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with program requirements. Overall, the Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table Recommendation 2022-076 The Department of Transportation should strengthen internal controls over and ensure that it complies with federal subrecipient monitoring requirements for the Highway Planning and Construction program by: A. Updating its current subrecipient monitoring and risk assessment policy to clarify the frequency in which a risk assessment is required to be completed or updated, as applicable for contracts that span multiple fiscal years, as well as direction regarding when it is acceptable to forgo performing a risk assessment and updating the policy to address the nature in which subrecipient programmatic and financial reports are reviewed B. Providing training to staff responsible for subrecipient monitoring activities related to the policies updated in Part A of the finding. Response Department of Transportation A. Agree Implementation Date: November 2023 The Department will update the policy to clarify the frequency in which the risk assessment is required to be completed or updated as applicable for contracts that span multiple fiscal years, as well as identifying exceptions, outlining when it is acceptable to forgo risk assessments. The Department will also update the policy to address the nature in which the subrecipient programmatic and financial reports are reviewed. The updates will be completed by November 2023. B. Agree Implementation Date: November 2023 The Department will provide training on the subrecipient monitoring policy manual to outline roles, responsibilities and the frequency of risk assessments that span over multiple fiscal years. The training will also provide guidance on the programmatic and financial information review process.

The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department of Transportation (Department) in the previous year and has not been remediated as of June 30, 2022 because the original implementation date provided by the Department was in a subsequent fiscal year. This complete finding and recommendation can be found within the original report and the complete recommendation can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table Finding 2021-068 The following finding and recommendation relating to an internal control deficiency classified as a Significant Deficiency was communicated to the Department in the previous year and has not been remediated as of June 30, 2021, because the original implementation date provided by the Department is in a subsequent fiscal year. This complete finding and recommendation can be found in the original report and Section III: Prior Federal Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table. Finding 2020-075 FORMULA GRANTS FOR RURAL AREAS?INTERNAL CONTROLS AND COMPLIANCE WITH SUBRECIPIENT MONITORING The Department received funding from the Federal Transit Authority (FTA) for the Program during Fiscal Year 2020 and expended approximately $26.8 million under the Program; the expenditures included approximately $16.9 million from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). The objective of this Program is to initiate, improve, or continue public transportation services in rural areas. FTA provides financial and technical assistance to local public transit systems, including buses, subways, light rail, commuter rail, trolleys, and ferries. FTA also oversees safety measures and helps develop next-generation technology research. Approximately $26.0 million (97 percent) of the Program funds expended by the Department were passed through to subrecipients in order to carry out a portion of the Program. WHAT WAS THE PURPOSE OF OUR AUDIT WORK AND WHAT WORK WAS PERFORMED? The purpose of the audit work was to determine whether the Department had effective internal controls in place during Fiscal Year 2020 over the Program, and complied with the Program?s subrecipient monitoring activities. As part of our audit work, we reviewed the Department?s internal controls over compliance for the Program?s subrecipient monitoring. In addition, we tested a random sample of five of 45 Program subrecipients for Fiscal Year 2020 to determine whether the subrecipient monitoring procedures the Department performed during the year were compliant with federal requirements. HOW WERE THE RESULTS OF THE AUDIT WORK MEASURED? Our audit work was designed to measure the results of compliance with the following criteria: ? Federal regulations [2 CFR 200.332(b)] require that the Department evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward and may include various factors. Federal regulations [2 CFR 200.332(d)-(f)] also require the Department to monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals. Monitoring must include: ? Reviewing financial and programmatic reports. ? Following up and ensuring the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award. ? Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity, as required by 2 CFR 200.521. ? Federal regulation [2 CFR 200.303] states that the Department, as a federal grant recipient, must ?establish and maintain effective internal controls over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulation, and the terms and conditions of the Federal award.? The Department?s internal control policies and procedures require the Internal Audit Division to obtain and review single audit certification forms, whereby subrecipients are required to certify whether they are subject to a Single Audit. Internal Audit Division staff are required to review each certification and related Single Audit report, as applicable, and perform follow-up activities related to deficiencies and audit findings. ? Additionally, the Department is required to report the total amount of federal awards expended to the Office of the State Controller (OSC) via the Exhibit K1, Schedule of Federal Assistance. The Exhibit K1 is the document through which state departments report federal expenditure information to the OSC, including separate columns to indicate types of expenditures, for statewide compilation and reporting. WHAT PROBLEMS DID THE AUDIT WORK IDENTIFY? We identified issues related to two of the five (40 percent) Program subrecipients identified by the Department for Fiscal Year 2020 as follows: ? The Department did not take sufficient steps to address one subrecipient?s failure to obtain a 2019 Single Audit. Specifically, the subrecipient received approximately $78,500 in pass-through Program funding from the Department and communicated to the Department in its single audit certification for the year ending December 31, 2019, that it was subject to a Single Audit; however, that audit had not been conducted as of the completion of our Fiscal Year 2020 audit testwork in April 2021. While it appeared that the Department communicated various times with the subrecipient about the missing audit, the Department did not assess possible impacts from the missing audit or take any action to institute alternate monitoring procedures of the subrecipient. ? For the second subrecipient tested, the Department inappropriately considered the entity to be a subrecipient rather than a vendor and incorrectly reported $20,936 in funds paid to the entity as subrecipient expenditures on its Exhibit K1 submitted to the OSC. WHY DID THESE PROBLEMS OCCUR? The Department?s subrecipient policies and procedures are voluminous and performed throughout multiple divisions within the Department. Therefore, the results of monitoring procedures performed are documented in various areas and not contained in one central location. The Department also does not have policies and procedures in place to identify appropriate actions to be taken when issues are identified. In addition, the Department lacks a process for analyzing the types of entities it is contracting with for the Program in order to separately identify the entities as vendors or subrecipients; rather, staff indicated that, during the contracting process, all contract expenditures related to this Program are recorded as subrecipient expenditures, including service-related or vendor contracts. WHY DO THESE PROBLEMS MATTER? Performing timely and appropriate identification and monitoring of subrecipients, including ensuring that they undergo required Single Audits, provides the Department with a method to identify federal grant-related issues and to ensure its compliance with federal subrecipient monitoring requirements. By taking appropriate actions to address the results of its monitoring, the Department can mitigate the risk of providing continuing funding to entities that may not be using funds in accordance with Program requirements. This is particularly important because the Department passes 97 percent of these Program funds to subrecipients. The Department?s failure to comply with federal requirements could result in a loss of funding from the federal government. See Schedule of Findings and Questioned Costs for chart/table RECOMMENDATION 2020-075 The Department of Transportation (Department) should ensure that it improves its internal controls over, and complies with, federal Formula Grants for Rural Areas and Tribal Transit Program requirements for subrecipient monitoring by: A Ensuring that subrecipient monitoring policies and procedures are centralized, condensed, and available to all personnel who are responsible for performing subrecipient monitoring activities. The policies and procedures should clearly list responsibilities for each division within the Department and be inclusive of all monitoring activities performed and contain clear directives for acting on subrecipients? failure to comply with requirements, including providing its single audit report, by assessing possible impacts from the noncompliance and instituting appropriate alternative procedures. B Implementing a process for analyzing its contracted entities during the contracting and awarding process by reviewing the nature and terms of contracts, separately identifying the contracted entities as vendors or subrecipients, and recording the contract expenditures appropriately based on this assessment. RESPONSE DEPARTMENT OF TRANSPORTATION A AGREE. IMPLEMENTATION DATE: JULY 2022. CDOT will work with various divisions to devise a plan that will comply with this finding and the recommendations noted within. This plan shall include identifying a centralized location for all policies and procedures related to subrecipient monitoring. We will look at all policies and procedures to ensure they clearly identify responsibilities and requirements for non-compliance. B AGREE. IMPLEMENTATION DATE: JULY 2022. CDOT will work with various divisions to devise a plan that will comply with this finding and the recommendations noted within. This plan shall include establishing a process by which an analysis of contracted entities will be performed to identify and properly record entities as a vendor or subrecipient.