Assistance Listings number and name: 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Funds Award number and year: None Federal agency: U.S. Department of the Treasury Compliance requirement: Subrecipient monitoring Questioned costs: Unknown Condition—Nine State grantees paid $163.1 million to 495 subrecipients during fiscal year 2022, or 8.6 percent of the State’s $1.9 billion total federal expenditures for this federal program, but 3 of the 5 State grantees we tested did not perform all the required monitoring of the subrecipients’ activities or compliance with the federal award terms and program requirements. Specifically, the 3 State grantees identified below performed some monitoring during the year, which consisted only of reviewing some interim and the final financial and activity reports; however, those monitoring procedures alone were not sufficient to evaluate whether subrecipients used program monies in accordance with the federal award terms and program requirements. State Grantee Amount awarded Number of subrecipients Arizona Governor’s Office of Strategic Planning and Budgeting (Office) $113,947,556 222 Arizona Office of Tourism (AOT) 13,094,509 80 Arizona Supreme Court—Administrative Office of the Courts (AOC) 71,927 6 Total $127,113,992 308 Effect—The 3 State grantees’ lack of required monitoring increased the risk that the $127.1 million of program monies they disbursed to 308 subrecipients may not have been spent in accordance with the award terms and program requirements. If monies are spent inconsistent with program requirements, those who were intended to benefit from the program may not receive all the services or other benefits they otherwise would have received. Cause—Despite subrecipient-monitoring requirements being included in the federal regulations, 2 State grantees did not follow its existing subrecipient-monitoring policies and procedures, and 2 State grantees did not develop and implement subrecipient-monitoring policies and procedures to comply with these federal requirements. Specifically, Office management reported that its staffing levels were not sufficient to perform all the required subrecipient-monitoring procedures in its established policies and procedures. In addition, AOT management reported that it misunderstood the State guidance received, and it performed only limited monitoring procedures for subrecipients who expended more than $750,000 of AOT awards during the year. Finally, AOC management reported that there was a misunderstanding on which State grantee was responsible for performing the subrecipient-monitoring of the monies they passed through to a subrecipient and consequently did not develop all the necessary subrecipient monitoring policies and procedures. Criteria—Federal regulation requires State grantees to monitor subrecipients, which includes required monitoring procedures for assessing the risk of each subrecipient’s noncompliance and monitoring activities based on those risk assessments; verifying single audits were conducted timely; following up on and ensuring corrective action is taken on audit findings that could potentially affect the program; and issuing a management decision for audit findings pertaining to the federal award. Those federal regulations also provide that monitoring procedures may include reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on-site reviews, selective audits, and/or other monitoring procedures (2 CFR §§200.332[b] and [d – e]). Further, the Office established subrecipient-monitoring policies and procedures, including how it should consider and assess risk of each subrecipient and carry out required and various other monitoring procedures based on those risk assessments (Grants Management Manual – Grantor, Chapter 8 – Award Monitoring). Lastly, federal regulation requires State grantees to establish and maintain effective internal control over federal awards that provides reasonable assurance that the federal program is being managed in compliance with all applicable laws, regulations, and award terms (2 CFR §200.303). Recommendations— 1. The Office and AOT should ensure they perform required monitoring of their subrecipients and their compliance with the award terms and program requirements by following their established policies and procedures to: a. Assess the risk of each subrecipient’s noncompliance and carry out monitoring activities based on those risk assessments such as reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on-site reviews, selective audits, and/or other monitoring procedures. b. Verify subrecipients receive timely single audits, follow up on and ensure that corrective action is taken on audit findings that could potentially affect the program, and issue management decisions for audit findings pertaining to the federal award. c. Maintain documentation of monitoring procedures demonstrating they were performed, including the monitoring procedures’ results and any Office actions taken, if appropriate. 2. The Office should allocate sufficient resources, such as staffing, to comply with the award terms and program requirements, and designate an individual to perform necessary subrecipient-monitoring procedures. 3. AOC should develop and implement policies and procedures and perform required monitoring of their subrecipients to ensure their compliance with award terms and program requirements. Specifically, AOC should: a. Assess the risk of each subrecipient’s noncompliance and carry out monitoring activities based on those risk assessments such as reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on site reviews, selective audits, and/or other monitoring procedures. b. Verify subrecipients receive timely single audits, follow up on and ensure that corrective action is taken on audit findings that could potentially affect the program, and issue management decisions for audit findings pertaining to the federal award. c. Maintain documentation of monitoring procedures demonstrating they were performed, including the monitoring procedures’ results and any actions taken, if appropriate. The State’s corrective action plan at the end of this report includes the views and planned corrective action of its responsible officials. We are not required to and have not audited these responses and planned corrective actions and therefore provide no assurances as to their accuracy.
Assistance Listings number and name: 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Funds Award number and year: None Federal agency: U.S. Department of the Treasury Compliance requirement: Subrecipient monitoring Questioned costs: Unknown Condition—Nine State grantees paid $163.1 million to 495 subrecipients during fiscal year 2022, or 8.6 percent of the State’s $1.9 billion total federal expenditures for this federal program, but 3 of the 5 State grantees we tested did not perform all the required monitoring of the subrecipients’ activities or compliance with the federal award terms and program requirements. Specifically, the 3 State grantees identified below performed some monitoring during the year, which consisted only of reviewing some interim and the final financial and activity reports; however, those monitoring procedures alone were not sufficient to evaluate whether subrecipients used program monies in accordance with the federal award terms and program requirements. State Grantee Amount awarded Number of subrecipients Arizona Governor’s Office of Strategic Planning and Budgeting (Office) $113,947,556 222 Arizona Office of Tourism (AOT) 13,094,509 80 Arizona Supreme Court—Administrative Office of the Courts (AOC) 71,927 6 Total $127,113,992 308 Effect—The 3 State grantees’ lack of required monitoring increased the risk that the $127.1 million of program monies they disbursed to 308 subrecipients may not have been spent in accordance with the award terms and program requirements. If monies are spent inconsistent with program requirements, those who were intended to benefit from the program may not receive all the services or other benefits they otherwise would have received. Cause—Despite subrecipient-monitoring requirements being included in the federal regulations, 2 State grantees did not follow its existing subrecipient-monitoring policies and procedures, and 2 State grantees did not develop and implement subrecipient-monitoring policies and procedures to comply with these federal requirements. Specifically, Office management reported that its staffing levels were not sufficient to perform all the required subrecipient-monitoring procedures in its established policies and procedures. In addition, AOT management reported that it misunderstood the State guidance received, and it performed only limited monitoring procedures for subrecipients who expended more than $750,000 of AOT awards during the year. Finally, AOC management reported that there was a misunderstanding on which State grantee was responsible for performing the subrecipient-monitoring of the monies they passed through to a subrecipient and consequently did not develop all the necessary subrecipient monitoring policies and procedures. Criteria—Federal regulation requires State grantees to monitor subrecipients, which includes required monitoring procedures for assessing the risk of each subrecipient’s noncompliance and monitoring activities based on those risk assessments; verifying single audits were conducted timely; following up on and ensuring corrective action is taken on audit findings that could potentially affect the program; and issuing a management decision for audit findings pertaining to the federal award. Those federal regulations also provide that monitoring procedures may include reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on-site reviews, selective audits, and/or other monitoring procedures (2 CFR §§200.332[b] and [d – e]). Further, the Office established subrecipient-monitoring policies and procedures, including how it should consider and assess risk of each subrecipient and carry out required and various other monitoring procedures based on those risk assessments (Grants Management Manual – Grantor, Chapter 8 – Award Monitoring). Lastly, federal regulation requires State grantees to establish and maintain effective internal control over federal awards that provides reasonable assurance that the federal program is being managed in compliance with all applicable laws, regulations, and award terms (2 CFR §200.303). Recommendations— 1. The Office and AOT should ensure they perform required monitoring of their subrecipients and their compliance with the award terms and program requirements by following their established policies and procedures to: a. Assess the risk of each subrecipient’s noncompliance and carry out monitoring activities based on those risk assessments such as reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on-site reviews, selective audits, and/or other monitoring procedures. b. Verify subrecipients receive timely single audits, follow up on and ensure that corrective action is taken on audit findings that could potentially affect the program, and issue management decisions for audit findings pertaining to the federal award. c. Maintain documentation of monitoring procedures demonstrating they were performed, including the monitoring procedures’ results and any Office actions taken, if appropriate. 2. The Office should allocate sufficient resources, such as staffing, to comply with the award terms and program requirements, and designate an individual to perform necessary subrecipient-monitoring procedures. 3. AOC should develop and implement policies and procedures and perform required monitoring of their subrecipients to ensure their compliance with award terms and program requirements. Specifically, AOC should: a. Assess the risk of each subrecipient’s noncompliance and carry out monitoring activities based on those risk assessments such as reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on site reviews, selective audits, and/or other monitoring procedures. b. Verify subrecipients receive timely single audits, follow up on and ensure that corrective action is taken on audit findings that could potentially affect the program, and issue management decisions for audit findings pertaining to the federal award. c. Maintain documentation of monitoring procedures demonstrating they were performed, including the monitoring procedures’ results and any actions taken, if appropriate. The State’s corrective action plan at the end of this report includes the views and planned corrective action of its responsible officials. We are not required to and have not audited these responses and planned corrective actions and therefore provide no assurances as to their accuracy.
Assistance Listings number and name: 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Funds Award number and year: None Federal agency: U.S. Department of the Treasury Compliance requirement: Subrecipient monitoring Questioned costs: Unknown Condition—Nine State grantees paid $163.1 million to 495 subrecipients during fiscal year 2022, or 8.6 percent of the State’s $1.9 billion total federal expenditures for this federal program, but 3 of the 5 State grantees we tested did not perform all the required monitoring of the subrecipients’ activities or compliance with the federal award terms and program requirements. Specifically, the 3 State grantees identified below performed some monitoring during the year, which consisted only of reviewing some interim and the final financial and activity reports; however, those monitoring procedures alone were not sufficient to evaluate whether subrecipients used program monies in accordance with the federal award terms and program requirements. State Grantee Amount awarded Number of subrecipients Arizona Governor’s Office of Strategic Planning and Budgeting (Office) $113,947,556 222 Arizona Office of Tourism (AOT) 13,094,509 80 Arizona Supreme Court—Administrative Office of the Courts (AOC) 71,927 6 Total $127,113,992 308 Effect—The 3 State grantees’ lack of required monitoring increased the risk that the $127.1 million of program monies they disbursed to 308 subrecipients may not have been spent in accordance with the award terms and program requirements. If monies are spent inconsistent with program requirements, those who were intended to benefit from the program may not receive all the services or other benefits they otherwise would have received. Cause—Despite subrecipient-monitoring requirements being included in the federal regulations, 2 State grantees did not follow its existing subrecipient-monitoring policies and procedures, and 2 State grantees did not develop and implement subrecipient-monitoring policies and procedures to comply with these federal requirements. Specifically, Office management reported that its staffing levels were not sufficient to perform all the required subrecipient-monitoring procedures in its established policies and procedures. In addition, AOT management reported that it misunderstood the State guidance received, and it performed only limited monitoring procedures for subrecipients who expended more than $750,000 of AOT awards during the year. Finally, AOC management reported that there was a misunderstanding on which State grantee was responsible for performing the subrecipient-monitoring of the monies they passed through to a subrecipient and consequently did not develop all the necessary subrecipient monitoring policies and procedures. Criteria—Federal regulation requires State grantees to monitor subrecipients, which includes required monitoring procedures for assessing the risk of each subrecipient’s noncompliance and monitoring activities based on those risk assessments; verifying single audits were conducted timely; following up on and ensuring corrective action is taken on audit findings that could potentially affect the program; and issuing a management decision for audit findings pertaining to the federal award. Those federal regulations also provide that monitoring procedures may include reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on-site reviews, selective audits, and/or other monitoring procedures (2 CFR §§200.332[b] and [d – e]). Further, the Office established subrecipient-monitoring policies and procedures, including how it should consider and assess risk of each subrecipient and carry out required and various other monitoring procedures based on those risk assessments (Grants Management Manual – Grantor, Chapter 8 – Award Monitoring). Lastly, federal regulation requires State grantees to establish and maintain effective internal control over federal awards that provides reasonable assurance that the federal program is being managed in compliance with all applicable laws, regulations, and award terms (2 CFR §200.303). Recommendations— 1. The Office and AOT should ensure they perform required monitoring of their subrecipients and their compliance with the award terms and program requirements by following their established policies and procedures to: a. Assess the risk of each subrecipient’s noncompliance and carry out monitoring activities based on those risk assessments such as reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on-site reviews, selective audits, and/or other monitoring procedures. b. Verify subrecipients receive timely single audits, follow up on and ensure that corrective action is taken on audit findings that could potentially affect the program, and issue management decisions for audit findings pertaining to the federal award. c. Maintain documentation of monitoring procedures demonstrating they were performed, including the monitoring procedures’ results and any Office actions taken, if appropriate. 2. The Office should allocate sufficient resources, such as staffing, to comply with the award terms and program requirements, and designate an individual to perform necessary subrecipient-monitoring procedures. 3. AOC should develop and implement policies and procedures and perform required monitoring of their subrecipients to ensure their compliance with award terms and program requirements. Specifically, AOC should: a. Assess the risk of each subrecipient’s noncompliance and carry out monitoring activities based on those risk assessments such as reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on site reviews, selective audits, and/or other monitoring procedures. b. Verify subrecipients receive timely single audits, follow up on and ensure that corrective action is taken on audit findings that could potentially affect the program, and issue management decisions for audit findings pertaining to the federal award. c. Maintain documentation of monitoring procedures demonstrating they were performed, including the monitoring procedures’ results and any actions taken, if appropriate. The State’s corrective action plan at the end of this report includes the views and planned corrective action of its responsible officials. We are not required to and have not audited these responses and planned corrective actions and therefore provide no assurances as to their accuracy.
Assistance Listings number and name: 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Funds Award number and year: None Federal agency: U.S. Department of the Treasury Compliance requirement: Subrecipient monitoring Questioned costs: Unknown Condition—Nine State grantees paid $163.1 million to 495 subrecipients during fiscal year 2022, or 8.6 percent of the State’s $1.9 billion total federal expenditures for this federal program, but 3 of the 5 State grantees we tested did not perform all the required monitoring of the subrecipients’ activities or compliance with the federal award terms and program requirements. Specifically, the 3 State grantees identified below performed some monitoring during the year, which consisted only of reviewing some interim and the final financial and activity reports; however, those monitoring procedures alone were not sufficient to evaluate whether subrecipients used program monies in accordance with the federal award terms and program requirements. State Grantee Amount awarded Number of subrecipients Arizona Governor’s Office of Strategic Planning and Budgeting (Office) $113,947,556 222 Arizona Office of Tourism (AOT) 13,094,509 80 Arizona Supreme Court—Administrative Office of the Courts (AOC) 71,927 6 Total $127,113,992 308 Effect—The 3 State grantees’ lack of required monitoring increased the risk that the $127.1 million of program monies they disbursed to 308 subrecipients may not have been spent in accordance with the award terms and program requirements. If monies are spent inconsistent with program requirements, those who were intended to benefit from the program may not receive all the services or other benefits they otherwise would have received. Cause—Despite subrecipient-monitoring requirements being included in the federal regulations, 2 State grantees did not follow its existing subrecipient-monitoring policies and procedures, and 2 State grantees did not develop and implement subrecipient-monitoring policies and procedures to comply with these federal requirements. Specifically, Office management reported that its staffing levels were not sufficient to perform all the required subrecipient-monitoring procedures in its established policies and procedures. In addition, AOT management reported that it misunderstood the State guidance received, and it performed only limited monitoring procedures for subrecipients who expended more than $750,000 of AOT awards during the year. Finally, AOC management reported that there was a misunderstanding on which State grantee was responsible for performing the subrecipient-monitoring of the monies they passed through to a subrecipient and consequently did not develop all the necessary subrecipient monitoring policies and procedures. Criteria—Federal regulation requires State grantees to monitor subrecipients, which includes required monitoring procedures for assessing the risk of each subrecipient’s noncompliance and monitoring activities based on those risk assessments; verifying single audits were conducted timely; following up on and ensuring corrective action is taken on audit findings that could potentially affect the program; and issuing a management decision for audit findings pertaining to the federal award. Those federal regulations also provide that monitoring procedures may include reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on-site reviews, selective audits, and/or other monitoring procedures (2 CFR §§200.332[b] and [d – e]). Further, the Office established subrecipient-monitoring policies and procedures, including how it should consider and assess risk of each subrecipient and carry out required and various other monitoring procedures based on those risk assessments (Grants Management Manual – Grantor, Chapter 8 – Award Monitoring). Lastly, federal regulation requires State grantees to establish and maintain effective internal control over federal awards that provides reasonable assurance that the federal program is being managed in compliance with all applicable laws, regulations, and award terms (2 CFR §200.303). Recommendations— 1. The Office and AOT should ensure they perform required monitoring of their subrecipients and their compliance with the award terms and program requirements by following their established policies and procedures to: a. Assess the risk of each subrecipient’s noncompliance and carry out monitoring activities based on those risk assessments such as reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on-site reviews, selective audits, and/or other monitoring procedures. b. Verify subrecipients receive timely single audits, follow up on and ensure that corrective action is taken on audit findings that could potentially affect the program, and issue management decisions for audit findings pertaining to the federal award. c. Maintain documentation of monitoring procedures demonstrating they were performed, including the monitoring procedures’ results and any Office actions taken, if appropriate. 2. The Office should allocate sufficient resources, such as staffing, to comply with the award terms and program requirements, and designate an individual to perform necessary subrecipient-monitoring procedures. 3. AOC should develop and implement policies and procedures and perform required monitoring of their subrecipients to ensure their compliance with award terms and program requirements. Specifically, AOC should: a. Assess the risk of each subrecipient’s noncompliance and carry out monitoring activities based on those risk assessments such as reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on site reviews, selective audits, and/or other monitoring procedures. b. Verify subrecipients receive timely single audits, follow up on and ensure that corrective action is taken on audit findings that could potentially affect the program, and issue management decisions for audit findings pertaining to the federal award. c. Maintain documentation of monitoring procedures demonstrating they were performed, including the monitoring procedures’ results and any actions taken, if appropriate. The State’s corrective action plan at the end of this report includes the views and planned corrective action of its responsible officials. We are not required to and have not audited these responses and planned corrective actions and therefore provide no assurances as to their accuracy.
Assistance Listings number and name: 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Funds Award number and year: None Federal agency: U.S. Department of the Treasury Compliance requirement: Subrecipient monitoring Questioned costs: Unknown Condition—Nine State grantees paid $163.1 million to 495 subrecipients during fiscal year 2022, or 8.6 percent of the State’s $1.9 billion total federal expenditures for this federal program, but 3 of the 5 State grantees we tested did not perform all the required monitoring of the subrecipients’ activities or compliance with the federal award terms and program requirements. Specifically, the 3 State grantees identified below performed some monitoring during the year, which consisted only of reviewing some interim and the final financial and activity reports; however, those monitoring procedures alone were not sufficient to evaluate whether subrecipients used program monies in accordance with the federal award terms and program requirements. State Grantee Amount awarded Number of subrecipients Arizona Governor’s Office of Strategic Planning and Budgeting (Office) $113,947,556 222 Arizona Office of Tourism (AOT) 13,094,509 80 Arizona Supreme Court—Administrative Office of the Courts (AOC) 71,927 6 Total $127,113,992 308 Effect—The 3 State grantees’ lack of required monitoring increased the risk that the $127.1 million of program monies they disbursed to 308 subrecipients may not have been spent in accordance with the award terms and program requirements. If monies are spent inconsistent with program requirements, those who were intended to benefit from the program may not receive all the services or other benefits they otherwise would have received. Cause—Despite subrecipient-monitoring requirements being included in the federal regulations, 2 State grantees did not follow its existing subrecipient-monitoring policies and procedures, and 2 State grantees did not develop and implement subrecipient-monitoring policies and procedures to comply with these federal requirements. Specifically, Office management reported that its staffing levels were not sufficient to perform all the required subrecipient-monitoring procedures in its established policies and procedures. In addition, AOT management reported that it misunderstood the State guidance received, and it performed only limited monitoring procedures for subrecipients who expended more than $750,000 of AOT awards during the year. Finally, AOC management reported that there was a misunderstanding on which State grantee was responsible for performing the subrecipient-monitoring of the monies they passed through to a subrecipient and consequently did not develop all the necessary subrecipient monitoring policies and procedures. Criteria—Federal regulation requires State grantees to monitor subrecipients, which includes required monitoring procedures for assessing the risk of each subrecipient’s noncompliance and monitoring activities based on those risk assessments; verifying single audits were conducted timely; following up on and ensuring corrective action is taken on audit findings that could potentially affect the program; and issuing a management decision for audit findings pertaining to the federal award. Those federal regulations also provide that monitoring procedures may include reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on-site reviews, selective audits, and/or other monitoring procedures (2 CFR §§200.332[b] and [d – e]). Further, the Office established subrecipient-monitoring policies and procedures, including how it should consider and assess risk of each subrecipient and carry out required and various other monitoring procedures based on those risk assessments (Grants Management Manual – Grantor, Chapter 8 – Award Monitoring). Lastly, federal regulation requires State grantees to establish and maintain effective internal control over federal awards that provides reasonable assurance that the federal program is being managed in compliance with all applicable laws, regulations, and award terms (2 CFR §200.303). Recommendations— 1. The Office and AOT should ensure they perform required monitoring of their subrecipients and their compliance with the award terms and program requirements by following their established policies and procedures to: a. Assess the risk of each subrecipient’s noncompliance and carry out monitoring activities based on those risk assessments such as reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on-site reviews, selective audits, and/or other monitoring procedures. b. Verify subrecipients receive timely single audits, follow up on and ensure that corrective action is taken on audit findings that could potentially affect the program, and issue management decisions for audit findings pertaining to the federal award. c. Maintain documentation of monitoring procedures demonstrating they were performed, including the monitoring procedures’ results and any Office actions taken, if appropriate. 2. The Office should allocate sufficient resources, such as staffing, to comply with the award terms and program requirements, and designate an individual to perform necessary subrecipient-monitoring procedures. 3. AOC should develop and implement policies and procedures and perform required monitoring of their subrecipients to ensure their compliance with award terms and program requirements. Specifically, AOC should: a. Assess the risk of each subrecipient’s noncompliance and carry out monitoring activities based on those risk assessments such as reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on site reviews, selective audits, and/or other monitoring procedures. b. Verify subrecipients receive timely single audits, follow up on and ensure that corrective action is taken on audit findings that could potentially affect the program, and issue management decisions for audit findings pertaining to the federal award. c. Maintain documentation of monitoring procedures demonstrating they were performed, including the monitoring procedures’ results and any actions taken, if appropriate. The State’s corrective action plan at the end of this report includes the views and planned corrective action of its responsible officials. We are not required to and have not audited these responses and planned corrective actions and therefore provide no assurances as to their accuracy.
Assistance Listings number and name: 21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Funds Award number and year: None Federal agency: U.S. Department of the Treasury Compliance requirement: Subrecipient monitoring Questioned costs: Unknown Condition—Nine State grantees paid $163.1 million to 495 subrecipients during fiscal year 2022, or 8.6 percent of the State’s $1.9 billion total federal expenditures for this federal program, but 3 of the 5 State grantees we tested did not perform all the required monitoring of the subrecipients’ activities or compliance with the federal award terms and program requirements. Specifically, the 3 State grantees identified below performed some monitoring during the year, which consisted only of reviewing some interim and the final financial and activity reports; however, those monitoring procedures alone were not sufficient to evaluate whether subrecipients used program monies in accordance with the federal award terms and program requirements. State Grantee Amount awarded Number of subrecipients Arizona Governor’s Office of Strategic Planning and Budgeting (Office) $113,947,556 222 Arizona Office of Tourism (AOT) 13,094,509 80 Arizona Supreme Court—Administrative Office of the Courts (AOC) 71,927 6 Total $127,113,992 308 Effect—The 3 State grantees’ lack of required monitoring increased the risk that the $127.1 million of program monies they disbursed to 308 subrecipients may not have been spent in accordance with the award terms and program requirements. If monies are spent inconsistent with program requirements, those who were intended to benefit from the program may not receive all the services or other benefits they otherwise would have received. Cause—Despite subrecipient-monitoring requirements being included in the federal regulations, 2 State grantees did not follow its existing subrecipient-monitoring policies and procedures, and 2 State grantees did not develop and implement subrecipient-monitoring policies and procedures to comply with these federal requirements. Specifically, Office management reported that its staffing levels were not sufficient to perform all the required subrecipient-monitoring procedures in its established policies and procedures. In addition, AOT management reported that it misunderstood the State guidance received, and it performed only limited monitoring procedures for subrecipients who expended more than $750,000 of AOT awards during the year. Finally, AOC management reported that there was a misunderstanding on which State grantee was responsible for performing the subrecipient-monitoring of the monies they passed through to a subrecipient and consequently did not develop all the necessary subrecipient monitoring policies and procedures. Criteria—Federal regulation requires State grantees to monitor subrecipients, which includes required monitoring procedures for assessing the risk of each subrecipient’s noncompliance and monitoring activities based on those risk assessments; verifying single audits were conducted timely; following up on and ensuring corrective action is taken on audit findings that could potentially affect the program; and issuing a management decision for audit findings pertaining to the federal award. Those federal regulations also provide that monitoring procedures may include reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on-site reviews, selective audits, and/or other monitoring procedures (2 CFR §§200.332[b] and [d – e]). Further, the Office established subrecipient-monitoring policies and procedures, including how it should consider and assess risk of each subrecipient and carry out required and various other monitoring procedures based on those risk assessments (Grants Management Manual – Grantor, Chapter 8 – Award Monitoring). Lastly, federal regulation requires State grantees to establish and maintain effective internal control over federal awards that provides reasonable assurance that the federal program is being managed in compliance with all applicable laws, regulations, and award terms (2 CFR §200.303). Recommendations— 1. The Office and AOT should ensure they perform required monitoring of their subrecipients and their compliance with the award terms and program requirements by following their established policies and procedures to: a. Assess the risk of each subrecipient’s noncompliance and carry out monitoring activities based on those risk assessments such as reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on-site reviews, selective audits, and/or other monitoring procedures. b. Verify subrecipients receive timely single audits, follow up on and ensure that corrective action is taken on audit findings that could potentially affect the program, and issue management decisions for audit findings pertaining to the federal award. c. Maintain documentation of monitoring procedures demonstrating they were performed, including the monitoring procedures’ results and any Office actions taken, if appropriate. 2. The Office should allocate sufficient resources, such as staffing, to comply with the award terms and program requirements, and designate an individual to perform necessary subrecipient-monitoring procedures. 3. AOC should develop and implement policies and procedures and perform required monitoring of their subrecipients to ensure their compliance with award terms and program requirements. Specifically, AOC should: a. Assess the risk of each subrecipient’s noncompliance and carry out monitoring activities based on those risk assessments such as reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on site reviews, selective audits, and/or other monitoring procedures. b. Verify subrecipients receive timely single audits, follow up on and ensure that corrective action is taken on audit findings that could potentially affect the program, and issue management decisions for audit findings pertaining to the federal award. c. Maintain documentation of monitoring procedures demonstrating they were performed, including the monitoring procedures’ results and any actions taken, if appropriate. The State’s corrective action plan at the end of this report includes the views and planned corrective action of its responsible officials. We are not required to and have not audited these responses and planned corrective actions and therefore provide no assurances as to their accuracy.
Assistance Listings number and name: 84.425C COVID-19 Education Stabilization Fund—Governor’s Emergency Education Relief (GEER) Fund Award numbers and years: S425C200052, June 2, 2020 through September 30, 2021; S425C210052, January 8, 2021 through September 30, 2022 Federal agency: U.S. Department of Education Compliance requirement: Subrecipient monitoring Questioned costs: Unknown Condition—The Arizona Governor’s Office of Strategic Planning and Budgeting (Office) awarded $12.3 million to 13 subrecipients during fiscal year 2022, or 38 percent of the Office’s $32.5 million total federal expenditures for this federal program, but did not perform all the required monitoring of the subrecipients’ activities or compliance with the award terms and program requirements. Specifically, the Office performed some monitoring during the year, which consisted only of reviewing financial and activity reports if submitted by the subrecipient; however, those monitoring procedures alone were not sufficient to evaluate whether subrecipients used program monies in accordance with the award terms and program requirements. Effect—The Office’s lack of required monitoring increased the risk that the $12.3 million of program monies the Office awarded to subrecipients may not have been spent in accordance with the award terms and program requirements. If monies are spent inconsistent with program requirements, those who were intended to benefit from the program may not receive all the services or other benefits they otherwise would have received. Cause—Office management reported that it did not have enough staff to perform its various monitoring procedures, and instead, the Office performed only limited monitoring procedures. Specifically, the Office had policies and procedures to follow for performing the various monitoring procedures for its subrecipients, including how it should consider and assess risk of each subrecipient and carry out required and various other monitoring procedures based on those risk assessments. However, Office management reported that its staffing levels were not sufficient to perform all the required procedures. Criteria—Federal regulations require the Office to monitor subrecipients, which includes required monitoring procedures for assessing the risk of each subrecipient’s noncompliance and monitoring activities based on those risk assessments; verifying single audits were conducted timely; following up on and ensuring corrective action is taken on audit findings that could potentially affect the program; and issuing a management decision for audit findings pertaining to the federal award. Those federal regulations also provide that monitoring procedures may include reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on site reviews, selective audits, and/or other monitoring procedures (2 CFR §§200.332[b] and [d – e]). Further, federal regulation requires the Office to establish and maintain effective internal control over federal awards that provides reasonable assurance that the federal program is being managed in compliance with all applicable laws, regulations, and award terms (2 CFR §200.303). Recommendations—The Office should: 1. Ensure it performs required monitoring of its subrecipients and their compliance with the award terms and program requirements by following their established policies and procedures to: a. Assess the risk of each subrecipient’s noncompliance and carry out monitoring activities based on those risk assessments such as reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on site reviews, selective audits, and/or other monitoring procedures. b. Verify subrecipients receive timely single audits, follow up on and ensure that corrective action is taken on audit findings that could potentially affect the program, and issue management decisions for audit findings pertaining to the federal award. c. Maintain documentation of monitoring procedures demonstrating they were performed, including the monitoring procedures’ results and any Office actions taken, if appropriate. 2. Allocate sufficient resources, such as staffing, to comply with the award terms and program requirements, and designate an individual to perform necessary subrecipient-monitoring procedures. The State’s corrective action plan at the end of this report includes the views and planned corrective action of its responsible officials. We are not required to audit and have not audited these responses and planned corrective actions and therefore provide no assurances as to their accuracy. This finding is similar to prior-year finding 2021-105 and was initially reported in fiscal year 2021.
Assistance Listings number and name: 84.425C COVID-19 Education Stabilization Fund—Governor’s Emergency Education Relief (GEER) Fund Award numbers and years: S425C200052, June 2, 2020 through September 30, 2021; S425C210052, January 8, 2021 through September 30, 2022 Federal agency: U.S. Department of Education Compliance requirement: Subrecipient monitoring Questioned costs: Unknown Condition—The Arizona Governor’s Office of Strategic Planning and Budgeting (Office) awarded $12.3 million to 13 subrecipients during fiscal year 2022, or 38 percent of the Office’s $32.5 million total federal expenditures for this federal program, but did not perform all the required monitoring of the subrecipients’ activities or compliance with the award terms and program requirements. Specifically, the Office performed some monitoring during the year, which consisted only of reviewing financial and activity reports if submitted by the subrecipient; however, those monitoring procedures alone were not sufficient to evaluate whether subrecipients used program monies in accordance with the award terms and program requirements. Effect—The Office’s lack of required monitoring increased the risk that the $12.3 million of program monies the Office awarded to subrecipients may not have been spent in accordance with the award terms and program requirements. If monies are spent inconsistent with program requirements, those who were intended to benefit from the program may not receive all the services or other benefits they otherwise would have received. Cause—Office management reported that it did not have enough staff to perform its various monitoring procedures, and instead, the Office performed only limited monitoring procedures. Specifically, the Office had policies and procedures to follow for performing the various monitoring procedures for its subrecipients, including how it should consider and assess risk of each subrecipient and carry out required and various other monitoring procedures based on those risk assessments. However, Office management reported that its staffing levels were not sufficient to perform all the required procedures. Criteria—Federal regulations require the Office to monitor subrecipients, which includes required monitoring procedures for assessing the risk of each subrecipient’s noncompliance and monitoring activities based on those risk assessments; verifying single audits were conducted timely; following up on and ensuring corrective action is taken on audit findings that could potentially affect the program; and issuing a management decision for audit findings pertaining to the federal award. Those federal regulations also provide that monitoring procedures may include reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on site reviews, selective audits, and/or other monitoring procedures (2 CFR §§200.332[b] and [d – e]). Further, federal regulation requires the Office to establish and maintain effective internal control over federal awards that provides reasonable assurance that the federal program is being managed in compliance with all applicable laws, regulations, and award terms (2 CFR §200.303). Recommendations—The Office should: 1. Ensure it performs required monitoring of its subrecipients and their compliance with the award terms and program requirements by following their established policies and procedures to: a. Assess the risk of each subrecipient’s noncompliance and carry out monitoring activities based on those risk assessments such as reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on site reviews, selective audits, and/or other monitoring procedures. b. Verify subrecipients receive timely single audits, follow up on and ensure that corrective action is taken on audit findings that could potentially affect the program, and issue management decisions for audit findings pertaining to the federal award. c. Maintain documentation of monitoring procedures demonstrating they were performed, including the monitoring procedures’ results and any Office actions taken, if appropriate. 2. Allocate sufficient resources, such as staffing, to comply with the award terms and program requirements, and designate an individual to perform necessary subrecipient-monitoring procedures. The State’s corrective action plan at the end of this report includes the views and planned corrective action of its responsible officials. We are not required to audit and have not audited these responses and planned corrective actions and therefore provide no assurances as to their accuracy. This finding is similar to prior-year finding 2021-105 and was initially reported in fiscal year 2021.
Assistance Listings number and name: 84.425C COVID-19 Education Stabilization Fund—Governor’s Emergency Education Relief (GEER) Fund Award numbers and years: S425C200052, June 2, 2020 through September 30, 2021; S425C210052, January 8, 2021 through September 30, 2022 Federal agency: U.S. Department of Education Compliance requirement: Subrecipient monitoring Questioned costs: Unknown Condition—The Arizona Governor’s Office of Strategic Planning and Budgeting (Office) awarded $12.3 million to 13 subrecipients during fiscal year 2022, or 38 percent of the Office’s $32.5 million total federal expenditures for this federal program, but did not perform all the required monitoring of the subrecipients’ activities or compliance with the award terms and program requirements. Specifically, the Office performed some monitoring during the year, which consisted only of reviewing financial and activity reports if submitted by the subrecipient; however, those monitoring procedures alone were not sufficient to evaluate whether subrecipients used program monies in accordance with the award terms and program requirements. Effect—The Office’s lack of required monitoring increased the risk that the $12.3 million of program monies the Office awarded to subrecipients may not have been spent in accordance with the award terms and program requirements. If monies are spent inconsistent with program requirements, those who were intended to benefit from the program may not receive all the services or other benefits they otherwise would have received. Cause—Office management reported that it did not have enough staff to perform its various monitoring procedures, and instead, the Office performed only limited monitoring procedures. Specifically, the Office had policies and procedures to follow for performing the various monitoring procedures for its subrecipients, including how it should consider and assess risk of each subrecipient and carry out required and various other monitoring procedures based on those risk assessments. However, Office management reported that its staffing levels were not sufficient to perform all the required procedures. Criteria—Federal regulations require the Office to monitor subrecipients, which includes required monitoring procedures for assessing the risk of each subrecipient’s noncompliance and monitoring activities based on those risk assessments; verifying single audits were conducted timely; following up on and ensuring corrective action is taken on audit findings that could potentially affect the program; and issuing a management decision for audit findings pertaining to the federal award. Those federal regulations also provide that monitoring procedures may include reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on site reviews, selective audits, and/or other monitoring procedures (2 CFR §§200.332[b] and [d – e]). Further, federal regulation requires the Office to establish and maintain effective internal control over federal awards that provides reasonable assurance that the federal program is being managed in compliance with all applicable laws, regulations, and award terms (2 CFR §200.303). Recommendations—The Office should: 1. Ensure it performs required monitoring of its subrecipients and their compliance with the award terms and program requirements by following their established policies and procedures to: a. Assess the risk of each subrecipient’s noncompliance and carry out monitoring activities based on those risk assessments such as reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on site reviews, selective audits, and/or other monitoring procedures. b. Verify subrecipients receive timely single audits, follow up on and ensure that corrective action is taken on audit findings that could potentially affect the program, and issue management decisions for audit findings pertaining to the federal award. c. Maintain documentation of monitoring procedures demonstrating they were performed, including the monitoring procedures’ results and any Office actions taken, if appropriate. 2. Allocate sufficient resources, such as staffing, to comply with the award terms and program requirements, and designate an individual to perform necessary subrecipient-monitoring procedures. The State’s corrective action plan at the end of this report includes the views and planned corrective action of its responsible officials. We are not required to audit and have not audited these responses and planned corrective actions and therefore provide no assurances as to their accuracy. This finding is similar to prior-year finding 2021-105 and was initially reported in fiscal year 2021.
Assistance Listings number and name: 84.425C COVID-19 Education Stabilization Fund—Governor’s Emergency Education Relief (GEER) Fund Award numbers and years: S425C200052, June 2, 2020 through September 30, 2021; S425C210052, January 8, 2021 through September 30, 2022 Federal agency: U.S. Department of Education Compliance requirement: Subrecipient monitoring Questioned costs: Unknown Condition—The Arizona Governor’s Office of Strategic Planning and Budgeting (Office) awarded $12.3 million to 13 subrecipients during fiscal year 2022, or 38 percent of the Office’s $32.5 million total federal expenditures for this federal program, but did not perform all the required monitoring of the subrecipients’ activities or compliance with the award terms and program requirements. Specifically, the Office performed some monitoring during the year, which consisted only of reviewing financial and activity reports if submitted by the subrecipient; however, those monitoring procedures alone were not sufficient to evaluate whether subrecipients used program monies in accordance with the award terms and program requirements. Effect—The Office’s lack of required monitoring increased the risk that the $12.3 million of program monies the Office awarded to subrecipients may not have been spent in accordance with the award terms and program requirements. If monies are spent inconsistent with program requirements, those who were intended to benefit from the program may not receive all the services or other benefits they otherwise would have received. Cause—Office management reported that it did not have enough staff to perform its various monitoring procedures, and instead, the Office performed only limited monitoring procedures. Specifically, the Office had policies and procedures to follow for performing the various monitoring procedures for its subrecipients, including how it should consider and assess risk of each subrecipient and carry out required and various other monitoring procedures based on those risk assessments. However, Office management reported that its staffing levels were not sufficient to perform all the required procedures. Criteria—Federal regulations require the Office to monitor subrecipients, which includes required monitoring procedures for assessing the risk of each subrecipient’s noncompliance and monitoring activities based on those risk assessments; verifying single audits were conducted timely; following up on and ensuring corrective action is taken on audit findings that could potentially affect the program; and issuing a management decision for audit findings pertaining to the federal award. Those federal regulations also provide that monitoring procedures may include reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on site reviews, selective audits, and/or other monitoring procedures (2 CFR §§200.332[b] and [d – e]). Further, federal regulation requires the Office to establish and maintain effective internal control over federal awards that provides reasonable assurance that the federal program is being managed in compliance with all applicable laws, regulations, and award terms (2 CFR §200.303). Recommendations—The Office should: 1. Ensure it performs required monitoring of its subrecipients and their compliance with the award terms and program requirements by following their established policies and procedures to: a. Assess the risk of each subrecipient’s noncompliance and carry out monitoring activities based on those risk assessments such as reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on site reviews, selective audits, and/or other monitoring procedures. b. Verify subrecipients receive timely single audits, follow up on and ensure that corrective action is taken on audit findings that could potentially affect the program, and issue management decisions for audit findings pertaining to the federal award. c. Maintain documentation of monitoring procedures demonstrating they were performed, including the monitoring procedures’ results and any Office actions taken, if appropriate. 2. Allocate sufficient resources, such as staffing, to comply with the award terms and program requirements, and designate an individual to perform necessary subrecipient-monitoring procedures. The State’s corrective action plan at the end of this report includes the views and planned corrective action of its responsible officials. We are not required to audit and have not audited these responses and planned corrective actions and therefore provide no assurances as to their accuracy. This finding is similar to prior-year finding 2021-105 and was initially reported in fiscal year 2021.
Assistance Listings number and name: 84.425C COVID-19 Education Stabilization Fund—Governor’s Emergency Education Relief (GEER) Fund Award numbers and years: S425C200052, June 2, 2020 through September 30, 2021; S425C210052, January 8, 2021 through September 30, 2022 Federal agency: U.S. Department of Education Compliance requirement: Subrecipient monitoring Questioned costs: Unknown Condition—The Arizona Governor’s Office of Strategic Planning and Budgeting (Office) awarded $12.3 million to 13 subrecipients during fiscal year 2022, or 38 percent of the Office’s $32.5 million total federal expenditures for this federal program, but did not perform all the required monitoring of the subrecipients’ activities or compliance with the award terms and program requirements. Specifically, the Office performed some monitoring during the year, which consisted only of reviewing financial and activity reports if submitted by the subrecipient; however, those monitoring procedures alone were not sufficient to evaluate whether subrecipients used program monies in accordance with the award terms and program requirements. Effect—The Office’s lack of required monitoring increased the risk that the $12.3 million of program monies the Office awarded to subrecipients may not have been spent in accordance with the award terms and program requirements. If monies are spent inconsistent with program requirements, those who were intended to benefit from the program may not receive all the services or other benefits they otherwise would have received. Cause—Office management reported that it did not have enough staff to perform its various monitoring procedures, and instead, the Office performed only limited monitoring procedures. Specifically, the Office had policies and procedures to follow for performing the various monitoring procedures for its subrecipients, including how it should consider and assess risk of each subrecipient and carry out required and various other monitoring procedures based on those risk assessments. However, Office management reported that its staffing levels were not sufficient to perform all the required procedures. Criteria—Federal regulations require the Office to monitor subrecipients, which includes required monitoring procedures for assessing the risk of each subrecipient’s noncompliance and monitoring activities based on those risk assessments; verifying single audits were conducted timely; following up on and ensuring corrective action is taken on audit findings that could potentially affect the program; and issuing a management decision for audit findings pertaining to the federal award. Those federal regulations also provide that monitoring procedures may include reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on site reviews, selective audits, and/or other monitoring procedures (2 CFR §§200.332[b] and [d – e]). Further, federal regulation requires the Office to establish and maintain effective internal control over federal awards that provides reasonable assurance that the federal program is being managed in compliance with all applicable laws, regulations, and award terms (2 CFR §200.303). Recommendations—The Office should: 1. Ensure it performs required monitoring of its subrecipients and their compliance with the award terms and program requirements by following their established policies and procedures to: a. Assess the risk of each subrecipient’s noncompliance and carry out monitoring activities based on those risk assessments such as reviewing financial and performance reports, providing training or technical assistance on program-related matters, and performing on site reviews, selective audits, and/or other monitoring procedures. b. Verify subrecipients receive timely single audits, follow up on and ensure that corrective action is taken on audit findings that could potentially affect the program, and issue management decisions for audit findings pertaining to the federal award. c. Maintain documentation of monitoring procedures demonstrating they were performed, including the monitoring procedures’ results and any Office actions taken, if appropriate. 2. Allocate sufficient resources, such as staffing, to comply with the award terms and program requirements, and designate an individual to perform necessary subrecipient-monitoring procedures. The State’s corrective action plan at the end of this report includes the views and planned corrective action of its responsible officials. We are not required to audit and have not audited these responses and planned corrective actions and therefore provide no assurances as to their accuracy. This finding is similar to prior-year finding 2021-105 and was initially reported in fiscal year 2021.
Assistance Listings numbers and names: 93.558 Temporary Assistance for Needy Families 93.558 COVID-19 Temporary Assistance for Needy Families Award numbers and years: 2101AZTANF, October 1, 2020 through September 30, 2021; 2201AZTANF, October 1, 2021 through September 30, 2022 Federal agency: U.S. Department of Health and Human Services Compliance requirement: Subrecipient monitoring Questioned costs: $6,754 Condition—Contrary to federal regulations and its federal award terms, the Department of Economic Security—Division of Community Assistance and Development (Division) reimbursed 1 nonprofit organization subrecipient for federal program costs totaling $6,754 during fiscal year 2022 that were unsupported, unallowable, and/or paid to 1 of the nonprofit organization’s principal officers or their immediate family member in violation of conflict-of-interest disclosure requirements. Specifically, we reviewed 12 reimbursements that included Temporary Assistance for Needy Family program costs totaling $72,800 for the year and found that the Division reimbursed the subrecipient for: • $4,973 for financial and accounting services that were paid to 1 of the nonprofit organization’s principal officers, who served as the Treasurer, and their company, which was not disclosed as a conflict of interest to the Division as required by the Division’s contract with the subrecipient and federal regulations. Also, the subrecipient allocated these costs to other federal programs and nonfederal activities; however, the Division did not verify that the allocation method the subrecipient used was reasonable or that the costs, as allocated, were allowed by the program’s requirements. We noted that the allocation method used may have resulted in multiple programs being overbilled for these services by up to $5,087. • $1,474 for bookkeeping services that were not adequately supported by sufficiently detailed invoices and a signed, written contract having a specified price rate for the services and terms; therefore, we were unable to verify if the amounts paid were appropriate. Further, the Division reimbursed the Treasurer’s family member, whose bookkeeping services company was not disclosed as a conflict of interest to the Division as required by the Division’s contract with the subrecipient and federal regulations. Also, the subrecipient allocated these costs to other federal programs and nonfederal activities; however, the Division did not verify that the allocation method the subrecipient used was reasonable or that the costs, as allocated, were allowed by the program’s requirements. • $307 for incentive payments to the subrecipient’s Executive Director without documentation to support that it was authorized by an agreement, reasonable for the services performed as provided in the subrecipient’s policies, and consistent with compensation paid for similar work in other activities; therefore, we were unable to verify if the amounts reimbursed by the Division were allowable. Additionally, contrary to federal regulations, the Division had not ensured that the subrecipient implemented its competitive purchasing procedures when procuring the professional services described above, and the subrecipient was unable to provide documentation that it had competitively procured the services. The Temporary Assistance for Needy Family program was audited as a major federal program for the State’s fiscal year 2022 single audit. During the audit, we became aware of the potentially noncompliant 12 reimbursements involving 1 of the Division’s nonprofit subrecipients with which it partners to carry out federal programs, including the Emergency Solutions Grants Program, which was not audited as a major federal program for the State’s fiscal year 2022 single audit. Our review of select reimbursements to this subrecipient resulted in similar findings for the Emergency Solutions Grants Program, Continuum of Care Program, and the State Housing Trust Fund that are described in items 2022 115 and 2022-05, respectively. Effect—The Division’s lack of required monitoring increased the risk that the monies it awarded to a nonprofit organization may not have been spent in accordance with the award terms and program requirements. Further, the Division’s reimbursing the subrecipient for $6,754 of unallowable or unsupported costs and/or costs paid to the nonprofit organization’s principal officer or their immediate family member in violation of conflict-of-interest disclosure requirements resulted in those monies being unavailable to be spent for their intended purpose to provide housing assistance to individuals in need. Consequently, the Division may be required to return these monies to the federal agency in accordance with federal requirements.1 Cause—Although the Division’s subrecipient-monitoring policies and procedures did not require it to obtain from subrecipients documentation supporting charges for personal and contracted professional services to verify allowability when subrecipients requested reimbursement, the policies and procedures required an on-site monitoring visit once every 3 years for each subrecipient in which it reviews a sample of the subrecipient’s personal and professional services charges. However, the Division had not performed an on-site monitoring visit of the nonprofit subrecipient since 2018 because it had not yet resumed all its subrecipient-monitoring activities, such as conducting on-site reviews and providing training and technical assistance, since suspending these activities during the COVID-19 pandemic during fiscal year 2020. In addition, the Division had not properly assessed the subrecipient’s risk of noncompliance with its award contract and program requirements to determine the level of monitoring procedures or training the subrecipient needed. For example, the Division was unaware that the subrecipient had not informed it of a principal officer’s conflicts of interest so that the Division could ensure that the principal officer or their immediate family member were not involved in decision-making related to those conflicts and selectively review the related costs and activities for compliance purposes. Criteria—Federal regulations require the Division to monitor subrecipients and include required procedures for assessing the risk of each subrecipient’s noncompliance and implementing appropriate monitoring procedures to address those risk assessments; verifying single audits were conducted timely, if required; reviewing financial and performance reports; following up on and ensuring corrective action is taken on deficiencies that could potentially affect the program; and issuing management decisions on the results of audit findings or monitoring (2 CFR §§200.332, .339, and .521). Federal regulations provide that monitoring procedures the Division may implement to address a subrecipient’s risk assessment include providing training or technical assistance on program-related matters and performing on-site reviews and selective audits of reimbursed costs (2 CFR §200.332[e]). Further, federal regulations require the Division’s subrecipients to allocate allowable costs using a reasonable basis, to use competitive purchasing standards when procuring goods and services, and to disclose in writing to the Division any potential conflicts of interest.2 Finally, federal regulation requires establishing and maintaining effective internal control over federal awards that provides reasonable assurance that federal programs are being managed in compliance with all applicable laws, regulations, and award terms (2 CFR §200.303). Recommendations—The Division should: 1. Immediately stop reimbursing the nonprofit subrecipient for costs that are unsupported, unallowable, and/or paid to the nonprofit subrecipient’s principal officer or their immediate family member in violation of conflict-of-interest disclosure requirements without obtaining documentation to support they comply with the program’s requirements and take appropriate enforcement actions with the subrecipient in accordance with its contract. 2. Update its written policies and procedures for reviewing and approving subrecipient reimbursement requests to include a process to ensure costs are adequately supported and allowable in accordance with program requirements. 3. Train personnel responsible for reviewing and approving subrecipient reimbursement requests on how to identify costs that are unallowable under federal regulations. 4. Assess the risk of each subrecipient’s noncompliance and perform the appropriate monitoring procedures based on the assessed risk, such as providing training or technical assistance on program-related matters and performing on-site reviews and selective audits of reimbursed costs for allowability. 5. Ensure subrecipients allocate allowable costs using a reasonable basis, use competitive purchasing standards when procuring goods and services, and disclose in writing to the Division any potential conflicts of interest. The Division may need to provide training and technical assistance to subrecipients that address these compliance areas, including the Division’s obtaining conflict-of-interest disclosures from subrecipients as part of the subaward contract, as an example, or otherwise establishing a communication mechanism for subrecipients to use as such conflicts arise. 6. Continue to work with the nonprofit subrecipient to resolve the $6,754 of unallowable costs, including recovering these monies from the subrecipient and assessing the continued need to use this subrecipient for services. 7. Work with the federal agency to resolve the $6,754 of unallowable costs that it reimbursed, which may involve returning monies to the federal agency. The State’s corrective action plan at the end of this report includes the views and planned corrective action of its responsible officials. We are not required to and have not audited these responses and planned corrective actions and therefore provide no assurances as to their accuracy. 1 Federal Uniform Guidance requires federal awarding agencies to follow up on audit findings and issue a management decision to ensure the recipient takes appropriate and timely corrective action (2 CFR §200.513[c]). Further, it requires that federal awarding agencies’ management decisions clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action, as directed by the federal awarding agencies (2 CFR §200.521). 2 The applicable federal requirements related to allowable costs, competitive purchasing, and conflicts of interest can be found in the Code of Federal Regulations at 2 CFR §§200.112, .318-.327, and Subpart E, and 45 CFR §75.112.
Assistance Listings numbers and names: 93.558 Temporary Assistance for Needy Families 93.558 COVID-19 Temporary Assistance for Needy Families Award numbers and years: 2101AZTANF, October 1, 2020 through September 30, 2021; 2201AZTANF, October 1, 2021 through September 30, 2022 Federal agency: U.S. Department of Health and Human Services Compliance requirement: Subrecipient monitoring Questioned costs: $6,754 Condition—Contrary to federal regulations and its federal award terms, the Department of Economic Security—Division of Community Assistance and Development (Division) reimbursed 1 nonprofit organization subrecipient for federal program costs totaling $6,754 during fiscal year 2022 that were unsupported, unallowable, and/or paid to 1 of the nonprofit organization’s principal officers or their immediate family member in violation of conflict-of-interest disclosure requirements. Specifically, we reviewed 12 reimbursements that included Temporary Assistance for Needy Family program costs totaling $72,800 for the year and found that the Division reimbursed the subrecipient for: • $4,973 for financial and accounting services that were paid to 1 of the nonprofit organization’s principal officers, who served as the Treasurer, and their company, which was not disclosed as a conflict of interest to the Division as required by the Division’s contract with the subrecipient and federal regulations. Also, the subrecipient allocated these costs to other federal programs and nonfederal activities; however, the Division did not verify that the allocation method the subrecipient used was reasonable or that the costs, as allocated, were allowed by the program’s requirements. We noted that the allocation method used may have resulted in multiple programs being overbilled for these services by up to $5,087. • $1,474 for bookkeeping services that were not adequately supported by sufficiently detailed invoices and a signed, written contract having a specified price rate for the services and terms; therefore, we were unable to verify if the amounts paid were appropriate. Further, the Division reimbursed the Treasurer’s family member, whose bookkeeping services company was not disclosed as a conflict of interest to the Division as required by the Division’s contract with the subrecipient and federal regulations. Also, the subrecipient allocated these costs to other federal programs and nonfederal activities; however, the Division did not verify that the allocation method the subrecipient used was reasonable or that the costs, as allocated, were allowed by the program’s requirements. • $307 for incentive payments to the subrecipient’s Executive Director without documentation to support that it was authorized by an agreement, reasonable for the services performed as provided in the subrecipient’s policies, and consistent with compensation paid for similar work in other activities; therefore, we were unable to verify if the amounts reimbursed by the Division were allowable. Additionally, contrary to federal regulations, the Division had not ensured that the subrecipient implemented its competitive purchasing procedures when procuring the professional services described above, and the subrecipient was unable to provide documentation that it had competitively procured the services. The Temporary Assistance for Needy Family program was audited as a major federal program for the State’s fiscal year 2022 single audit. During the audit, we became aware of the potentially noncompliant 12 reimbursements involving 1 of the Division’s nonprofit subrecipients with which it partners to carry out federal programs, including the Emergency Solutions Grants Program, which was not audited as a major federal program for the State’s fiscal year 2022 single audit. Our review of select reimbursements to this subrecipient resulted in similar findings for the Emergency Solutions Grants Program, Continuum of Care Program, and the State Housing Trust Fund that are described in items 2022 115 and 2022-05, respectively. Effect—The Division’s lack of required monitoring increased the risk that the monies it awarded to a nonprofit organization may not have been spent in accordance with the award terms and program requirements. Further, the Division’s reimbursing the subrecipient for $6,754 of unallowable or unsupported costs and/or costs paid to the nonprofit organization’s principal officer or their immediate family member in violation of conflict-of-interest disclosure requirements resulted in those monies being unavailable to be spent for their intended purpose to provide housing assistance to individuals in need. Consequently, the Division may be required to return these monies to the federal agency in accordance with federal requirements.1 Cause—Although the Division’s subrecipient-monitoring policies and procedures did not require it to obtain from subrecipients documentation supporting charges for personal and contracted professional services to verify allowability when subrecipients requested reimbursement, the policies and procedures required an on-site monitoring visit once every 3 years for each subrecipient in which it reviews a sample of the subrecipient’s personal and professional services charges. However, the Division had not performed an on-site monitoring visit of the nonprofit subrecipient since 2018 because it had not yet resumed all its subrecipient-monitoring activities, such as conducting on-site reviews and providing training and technical assistance, since suspending these activities during the COVID-19 pandemic during fiscal year 2020. In addition, the Division had not properly assessed the subrecipient’s risk of noncompliance with its award contract and program requirements to determine the level of monitoring procedures or training the subrecipient needed. For example, the Division was unaware that the subrecipient had not informed it of a principal officer’s conflicts of interest so that the Division could ensure that the principal officer or their immediate family member were not involved in decision-making related to those conflicts and selectively review the related costs and activities for compliance purposes. Criteria—Federal regulations require the Division to monitor subrecipients and include required procedures for assessing the risk of each subrecipient’s noncompliance and implementing appropriate monitoring procedures to address those risk assessments; verifying single audits were conducted timely, if required; reviewing financial and performance reports; following up on and ensuring corrective action is taken on deficiencies that could potentially affect the program; and issuing management decisions on the results of audit findings or monitoring (2 CFR §§200.332, .339, and .521). Federal regulations provide that monitoring procedures the Division may implement to address a subrecipient’s risk assessment include providing training or technical assistance on program-related matters and performing on-site reviews and selective audits of reimbursed costs (2 CFR §200.332[e]). Further, federal regulations require the Division’s subrecipients to allocate allowable costs using a reasonable basis, to use competitive purchasing standards when procuring goods and services, and to disclose in writing to the Division any potential conflicts of interest.2 Finally, federal regulation requires establishing and maintaining effective internal control over federal awards that provides reasonable assurance that federal programs are being managed in compliance with all applicable laws, regulations, and award terms (2 CFR §200.303). Recommendations—The Division should: 1. Immediately stop reimbursing the nonprofit subrecipient for costs that are unsupported, unallowable, and/or paid to the nonprofit subrecipient’s principal officer or their immediate family member in violation of conflict-of-interest disclosure requirements without obtaining documentation to support they comply with the program’s requirements and take appropriate enforcement actions with the subrecipient in accordance with its contract. 2. Update its written policies and procedures for reviewing and approving subrecipient reimbursement requests to include a process to ensure costs are adequately supported and allowable in accordance with program requirements. 3. Train personnel responsible for reviewing and approving subrecipient reimbursement requests on how to identify costs that are unallowable under federal regulations. 4. Assess the risk of each subrecipient’s noncompliance and perform the appropriate monitoring procedures based on the assessed risk, such as providing training or technical assistance on program-related matters and performing on-site reviews and selective audits of reimbursed costs for allowability. 5. Ensure subrecipients allocate allowable costs using a reasonable basis, use competitive purchasing standards when procuring goods and services, and disclose in writing to the Division any potential conflicts of interest. The Division may need to provide training and technical assistance to subrecipients that address these compliance areas, including the Division’s obtaining conflict-of-interest disclosures from subrecipients as part of the subaward contract, as an example, or otherwise establishing a communication mechanism for subrecipients to use as such conflicts arise. 6. Continue to work with the nonprofit subrecipient to resolve the $6,754 of unallowable costs, including recovering these monies from the subrecipient and assessing the continued need to use this subrecipient for services. 7. Work with the federal agency to resolve the $6,754 of unallowable costs that it reimbursed, which may involve returning monies to the federal agency. The State’s corrective action plan at the end of this report includes the views and planned corrective action of its responsible officials. We are not required to and have not audited these responses and planned corrective actions and therefore provide no assurances as to their accuracy. 1 Federal Uniform Guidance requires federal awarding agencies to follow up on audit findings and issue a management decision to ensure the recipient takes appropriate and timely corrective action (2 CFR §200.513[c]). Further, it requires that federal awarding agencies’ management decisions clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action, as directed by the federal awarding agencies (2 CFR §200.521). 2 The applicable federal requirements related to allowable costs, competitive purchasing, and conflicts of interest can be found in the Code of Federal Regulations at 2 CFR §§200.112, .318-.327, and Subpart E, and 45 CFR §75.112.
Assistance Listings numbers and names: 93.558 Temporary Assistance for Needy Families 93.558 COVID-19 Temporary Assistance for Needy Families Award numbers and years: 2101AZTANF, October 1, 2020 through September 30, 2021; 2201AZTANF, October 1, 2021 through September 30, 2022 Federal agency: U.S. Department of Health and Human Services Compliance requirement: Subrecipient monitoring Questioned costs: $6,754 Condition—Contrary to federal regulations and its federal award terms, the Department of Economic Security—Division of Community Assistance and Development (Division) reimbursed 1 nonprofit organization subrecipient for federal program costs totaling $6,754 during fiscal year 2022 that were unsupported, unallowable, and/or paid to 1 of the nonprofit organization’s principal officers or their immediate family member in violation of conflict-of-interest disclosure requirements. Specifically, we reviewed 12 reimbursements that included Temporary Assistance for Needy Family program costs totaling $72,800 for the year and found that the Division reimbursed the subrecipient for: • $4,973 for financial and accounting services that were paid to 1 of the nonprofit organization’s principal officers, who served as the Treasurer, and their company, which was not disclosed as a conflict of interest to the Division as required by the Division’s contract with the subrecipient and federal regulations. Also, the subrecipient allocated these costs to other federal programs and nonfederal activities; however, the Division did not verify that the allocation method the subrecipient used was reasonable or that the costs, as allocated, were allowed by the program’s requirements. We noted that the allocation method used may have resulted in multiple programs being overbilled for these services by up to $5,087. • $1,474 for bookkeeping services that were not adequately supported by sufficiently detailed invoices and a signed, written contract having a specified price rate for the services and terms; therefore, we were unable to verify if the amounts paid were appropriate. Further, the Division reimbursed the Treasurer’s family member, whose bookkeeping services company was not disclosed as a conflict of interest to the Division as required by the Division’s contract with the subrecipient and federal regulations. Also, the subrecipient allocated these costs to other federal programs and nonfederal activities; however, the Division did not verify that the allocation method the subrecipient used was reasonable or that the costs, as allocated, were allowed by the program’s requirements. • $307 for incentive payments to the subrecipient’s Executive Director without documentation to support that it was authorized by an agreement, reasonable for the services performed as provided in the subrecipient’s policies, and consistent with compensation paid for similar work in other activities; therefore, we were unable to verify if the amounts reimbursed by the Division were allowable. Additionally, contrary to federal regulations, the Division had not ensured that the subrecipient implemented its competitive purchasing procedures when procuring the professional services described above, and the subrecipient was unable to provide documentation that it had competitively procured the services. The Temporary Assistance for Needy Family program was audited as a major federal program for the State’s fiscal year 2022 single audit. During the audit, we became aware of the potentially noncompliant 12 reimbursements involving 1 of the Division’s nonprofit subrecipients with which it partners to carry out federal programs, including the Emergency Solutions Grants Program, which was not audited as a major federal program for the State’s fiscal year 2022 single audit. Our review of select reimbursements to this subrecipient resulted in similar findings for the Emergency Solutions Grants Program, Continuum of Care Program, and the State Housing Trust Fund that are described in items 2022 115 and 2022-05, respectively. Effect—The Division’s lack of required monitoring increased the risk that the monies it awarded to a nonprofit organization may not have been spent in accordance with the award terms and program requirements. Further, the Division’s reimbursing the subrecipient for $6,754 of unallowable or unsupported costs and/or costs paid to the nonprofit organization’s principal officer or their immediate family member in violation of conflict-of-interest disclosure requirements resulted in those monies being unavailable to be spent for their intended purpose to provide housing assistance to individuals in need. Consequently, the Division may be required to return these monies to the federal agency in accordance with federal requirements.1 Cause—Although the Division’s subrecipient-monitoring policies and procedures did not require it to obtain from subrecipients documentation supporting charges for personal and contracted professional services to verify allowability when subrecipients requested reimbursement, the policies and procedures required an on-site monitoring visit once every 3 years for each subrecipient in which it reviews a sample of the subrecipient’s personal and professional services charges. However, the Division had not performed an on-site monitoring visit of the nonprofit subrecipient since 2018 because it had not yet resumed all its subrecipient-monitoring activities, such as conducting on-site reviews and providing training and technical assistance, since suspending these activities during the COVID-19 pandemic during fiscal year 2020. In addition, the Division had not properly assessed the subrecipient’s risk of noncompliance with its award contract and program requirements to determine the level of monitoring procedures or training the subrecipient needed. For example, the Division was unaware that the subrecipient had not informed it of a principal officer’s conflicts of interest so that the Division could ensure that the principal officer or their immediate family member were not involved in decision-making related to those conflicts and selectively review the related costs and activities for compliance purposes. Criteria—Federal regulations require the Division to monitor subrecipients and include required procedures for assessing the risk of each subrecipient’s noncompliance and implementing appropriate monitoring procedures to address those risk assessments; verifying single audits were conducted timely, if required; reviewing financial and performance reports; following up on and ensuring corrective action is taken on deficiencies that could potentially affect the program; and issuing management decisions on the results of audit findings or monitoring (2 CFR §§200.332, .339, and .521). Federal regulations provide that monitoring procedures the Division may implement to address a subrecipient’s risk assessment include providing training or technical assistance on program-related matters and performing on-site reviews and selective audits of reimbursed costs (2 CFR §200.332[e]). Further, federal regulations require the Division’s subrecipients to allocate allowable costs using a reasonable basis, to use competitive purchasing standards when procuring goods and services, and to disclose in writing to the Division any potential conflicts of interest.2 Finally, federal regulation requires establishing and maintaining effective internal control over federal awards that provides reasonable assurance that federal programs are being managed in compliance with all applicable laws, regulations, and award terms (2 CFR §200.303). Recommendations—The Division should: 1. Immediately stop reimbursing the nonprofit subrecipient for costs that are unsupported, unallowable, and/or paid to the nonprofit subrecipient’s principal officer or their immediate family member in violation of conflict-of-interest disclosure requirements without obtaining documentation to support they comply with the program’s requirements and take appropriate enforcement actions with the subrecipient in accordance with its contract. 2. Update its written policies and procedures for reviewing and approving subrecipient reimbursement requests to include a process to ensure costs are adequately supported and allowable in accordance with program requirements. 3. Train personnel responsible for reviewing and approving subrecipient reimbursement requests on how to identify costs that are unallowable under federal regulations. 4. Assess the risk of each subrecipient’s noncompliance and perform the appropriate monitoring procedures based on the assessed risk, such as providing training or technical assistance on program-related matters and performing on-site reviews and selective audits of reimbursed costs for allowability. 5. Ensure subrecipients allocate allowable costs using a reasonable basis, use competitive purchasing standards when procuring goods and services, and disclose in writing to the Division any potential conflicts of interest. The Division may need to provide training and technical assistance to subrecipients that address these compliance areas, including the Division’s obtaining conflict-of-interest disclosures from subrecipients as part of the subaward contract, as an example, or otherwise establishing a communication mechanism for subrecipients to use as such conflicts arise. 6. Continue to work with the nonprofit subrecipient to resolve the $6,754 of unallowable costs, including recovering these monies from the subrecipient and assessing the continued need to use this subrecipient for services. 7. Work with the federal agency to resolve the $6,754 of unallowable costs that it reimbursed, which may involve returning monies to the federal agency. The State’s corrective action plan at the end of this report includes the views and planned corrective action of its responsible officials. We are not required to and have not audited these responses and planned corrective actions and therefore provide no assurances as to their accuracy. 1 Federal Uniform Guidance requires federal awarding agencies to follow up on audit findings and issue a management decision to ensure the recipient takes appropriate and timely corrective action (2 CFR §200.513[c]). Further, it requires that federal awarding agencies’ management decisions clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action, as directed by the federal awarding agencies (2 CFR §200.521). 2 The applicable federal requirements related to allowable costs, competitive purchasing, and conflicts of interest can be found in the Code of Federal Regulations at 2 CFR §§200.112, .318-.327, and Subpart E, and 45 CFR §75.112.
CRITERIA/SPECIFIC REQUIREMENT: The Code of Federal Regulations (Code) (2 CFR § 200.332 (a)) requires the Regional Office of Education No. 39 (ROE) to ensure that every subaward is clearly identified to the subrecipient as a subaward and include information to comply with federal statutes, regulations, and the terms and conditions of the award. The required information includes the subrecipient’s name and unique entity identifier, assistance listing number, federal award date, federal awarding agency, etc. When some of this information is not available, the pass-through entity shall provide the best information available to describe the Federal award. The Code (2 CFR § 200.332 (f)) requires the ROE to verify every subrecipient is audited as required by Subpart F when it is expected that the subrecipient's Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in 2 CFR § 200.501. The Code (2 CFR § 200.332 (d)) requires the ROE to monitor the activities of the subrecipient to ensure the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. The Code (2 CFR §200.303 (a)) requires the ROE to establish and maintain effective internal control over the federal award to provide reasonable assurance the ROE is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Effective internal controls should include procedures over subrecipient monitoring. CONDITION: The ROE did not have adequate controls over subrecipient monitoring in compliance with the Code. CONTEXT: During our testing of four subrecipients, we noted the following: • The ROE did not communicate the required federal award information to all (100%) subrecipients to comply with federal statutes, regulations, and the terms and conditions at the start of the award. All the subaward agreements were signed and became effective after the start date of the grant. • The ROE did not verify whether subrecipients were required to be audited or not. • The ROE did not have written policies and procedures for subrecipient monitoring and could not provide evidence the ROE monitored its subrecipients during the audit period. EFFECT: Lack of controls over subrecipient monitoring may result in subrecipients not properly administering the federal programs in accordance with federal regulations. CAUSE: ROE management indicated this was due to oversight and staffing limitations. RECOMMENDATION: We recommend the ROE establish and implement procedures over subrecipient monitoring. MANAGEMENT’S RESPONSE: The ROE agrees with this finding. The ROE did communicate federal award information to all subrecipients but failed to get the signature of Regional Office of Education No. 17 documenting their decline of the federal award and preference for ROE to manage the funds and services for their area.
State Agency: Illinois Department of Human Services (IDHS) Federal Agency: U.S. Department of the Treasury (Treasury) Program Name: COVID-19 – Homeowner Assistance Fund ALN and Program Expenditures: 21.026 ($209,795,189) Award Numbers: Various – see table of award numbers Federal Award Year: Various – see table of award numbers Questioned Costs: Cannot be determined Compliance Requirement: Subrecipient Monitoring Finding 2022-004: Failure to Establish Subrecipient Monitoring Procedures Type of Finding: Adverse opinion and material weaknessCondition Found: IDHS did not perform a risk assessment or subrecipient monitoring procedures for the subrecipient of the COVID-19 – Homeowner Assistance Fund (HAF) program for the year ended June 30, 2022. The State designated IDHS as the State agency responsible for monitoring of the HAF program subrecipient, Illinois Housing Development Authority (IHDA), a discretely presented component unit of the State. As a pass-through entity, IDHS was responsible for: • Identifying the award and applicable requirements, • Evaluating IHDA’s risk of noncompliance for purposes of determining the appropriate monitoring procedures related to the subaward, • Monitoring the activities of IHDA as necessary to ensure the subaward is used for authorized purposes, IHDA complies with the terms and conditions of the subaward, and IHDA achieves performance goals, and • Issuing a management decision for audit findings pertaining to the federal award provided to IHDA, if applicable. During our testing, we noted IDHS did not perform any subrecipient monitoring procedures over IHDA with respect to the HAF program during the year ended June 30, 2022. Amounts passed through to IHDA totaled $209,795,189 for the year ended June 30, 2022. Criteria or Requirement: According to 2 CFR 200.332(b), a pass-through entity must evaluate each subrecipient's risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward. According to 2 CFR 200.332(d), a pass-through entity is required to monitor the activities of subrecipients as necessary to ensure that federal awards are used for authorized purposes in compliance with laws, regulations, and the provisions of contracts or grant agreements and that performance goals are achieved. 2 CFR 200.332(d)(3) requires pass-through entities to issue management decisions for applicableaudit findings pertaining to the federal awards provided to the subrecipient and 2 CFR 200.332(d)(4) requires pass through entities to resolve audit findings through corrective action plans (CAP). In addition, 2 CFR 200.303 requires non-Federal entities receiving Federal awards to establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include establishing and performing monitoring procedures in accordance with Uniform Guidance and program requirements. Cause: In discussing these conditions with IDHS officials, management stated this program is administered in collaboration with the Illinois Department of Revenue, the Illinois Emergency Management Agency (IEMA), the Governor’s Office of Management and Budget, and the Illinois Housing Development Authority (a component unit of the State). Delays encountered in launching the program resulted in a delay in executing interagency agreements to establish roles and responsibilities for the program. Possible Asserted Effect: Failure to perform required risk assessments and to adequately monitor subrecipients may result in the subrecipient not properly administering the federal program in accordance with laws, regulations, and the grant agreement. Repeat Finding: A similar finding was not reported in the prior year audit. (Finding Code 2022-004) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend IDHS implement subrecipient monitoring procedures in accordance with federal regulations. Views of IDHS Officials: IDHS accepts the recommendation. IDHS has subrecipient monitoring procedures and has kicked off subrecipient monitoring with IHDA on the Homeowners Assistance Fund program.
State Agency: Illinois Department of Human Services (IDHS) Federal Agency: U.S. Department of Health and Human Services (USDHHS) Program Name: Temporary Assistance for Needy Families Cluster CCDF Cluster Block Grants for Prevention and Treatment of Substance Abuse ALN and Program Expenditures: 93.558 ($585,590,187) 93.575/93.596 ($910,712,554) 93.959 ($81,408,580) Award Numbers: Various – See schedule of award numbers Federal Award Year: Various – See schedule of award numbers Questioned Costs: Cannot be determined Compliance Requirement: Subrecipient Monitoring Finding 2022-008: Failure to Follow Established Program Subrecipient Monitoring Procedures Type of Finding: Material noncompliance and material weakness Condition Found: IDHS did not follow its established program monitoring policies and procedures for subrecipients of the Temporary Assistance for Needy Families (TANF) Cluster, CCDF Cluster (Child Care), and Block Grants for Prevention and Treatment of Substance Abuse (SAPT) programs. IDHS has implemented procedures whereby program staff perform periodic program on-site and desk reviews of IDHS subrecipient compliance with regulations applicable to the federal programs administered by IDHS. Generally, these reviews are formally documented and include the issuance of a report of the review results to the subrecipient summarizing the procedures performed, results of the procedures, and any findings or observations for improvement noted. IDHS’s policies require the subrecipient to respond to each finding by providing a written corrective action plan. Additionally, IDHS program staff perform reviews of expenditure reports submitted by subrecipients. IDHS subrecipient monitoring procedures are subject to the review and approval of a supervisor. During our test work over program on-site review procedures performed for 59 subrecipients of the TANF Cluster, CCDF Cluster, and SAPT programs, we noted IDHS did not follow its established program monitoring procedures as follows: IDHS did not provide timely notification (within 60 days) of the results of the programmatic onsite reviews. We noted the following exceptions: IDHS did not complete their quality review on a timely basis (within 60 days). We noted the following exceptions: Additionally, for 1 of 28 SAPT subrecipient expenditures sampled, IDHS could not provide supporting documentation that reconciled to the sampled amount. IDHS’s subrecipient expenditures under the federal programs for the year ended June 30, 2022 were approximately as follows: Criteria or Requirement: According to 2 CFR 200.332(d), a pass-through entity is required to monitor the activities of subrecipients as necessary to ensure that federal awards are used for authorized purposes in compliance with laws, regulations, and the provisions of contracts or grant agreements and that performance goals are achieved. According to 2 CFR 200.332(b), a pass-through entity must evaluate each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward. In addition, 2 CFR 200.303 requires nonfederal entities to, among other things, establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Effective internal controls should include ensuring on-site program procedures and expenditure reviews are performed in a timely manner and adequate documentation is maintained. Cause: In discussing these conditions with IDHS officials, management stated that the program monitoring deficiencies noted are due to misplaced or misfiled documentation, untimely monitoring, inadequate staffing, and lack of consistent application in each program division. Possible Asserted Effect: Failure to adequately perform and document program on-site monitoring reviews of subrecipients and notify subrecipients of findings in a timely manner may result in subrecipients not properly administering the Federal programs in accordance with laws, regulations, and the grant agreement. Failure to properly review subrecipient expenditures may result in inaccurate payments or unallowable costs. Repeat Finding: A similar finding was reported in the prior year audit as finding number 2021-017. (Finding Code 2022- 008, 2021-017, 2020-015, 2019-013, 2018-012, 2017-013, 2016-012, 2015-011, 2014-008, 2013-009, 12- 07, 11-09) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend IDHS ensure programmatic on-site and expenditure report reviews are performed and documented for subrecipients in accordance with established policies and procedures. In addition, we recommend IDHS review its process for reporting and following up on program findings relative to subrecipient on-site reviews to ensure timely corrective action and quality control is taken. Views of IDHS Officials: IDHS accepts the recommendation. IDHS will seek to ensure programmatic monitoring reviews are performed and accurately documented for subrecipients in accordance with established policies and procedures.
State Agency: Illinois Department of Human Services (IDHS) Federal Agency: U.S. Department of Health and Human Services (USDHHS) Program Name: Temporary Assistance for Needy Families Cluster CCDF Cluster Block Grants for Prevention and Treatment of Substance Abuse ALN and Program Expenditures: 93.558 ($585,590,187) 93.575/93.596 ($910,712,554) 93.959 ($81,408,580) Award Numbers: Various – See schedule of award numbers Federal Award Year: Various – See schedule of award numbers Questioned Costs: Cannot be determined Compliance Requirement: Subrecipient Monitoring Finding 2022-008: Failure to Follow Established Program Subrecipient Monitoring Procedures Type of Finding: Material noncompliance and material weakness Condition Found: IDHS did not follow its established program monitoring policies and procedures for subrecipients of the Temporary Assistance for Needy Families (TANF) Cluster, CCDF Cluster (Child Care), and Block Grants for Prevention and Treatment of Substance Abuse (SAPT) programs. IDHS has implemented procedures whereby program staff perform periodic program on-site and desk reviews of IDHS subrecipient compliance with regulations applicable to the federal programs administered by IDHS. Generally, these reviews are formally documented and include the issuance of a report of the review results to the subrecipient summarizing the procedures performed, results of the procedures, and any findings or observations for improvement noted. IDHS’s policies require the subrecipient to respond to each finding by providing a written corrective action plan. Additionally, IDHS program staff perform reviews of expenditure reports submitted by subrecipients. IDHS subrecipient monitoring procedures are subject to the review and approval of a supervisor. During our test work over program on-site review procedures performed for 59 subrecipients of the TANF Cluster, CCDF Cluster, and SAPT programs, we noted IDHS did not follow its established program monitoring procedures as follows: IDHS did not provide timely notification (within 60 days) of the results of the programmatic onsite reviews. We noted the following exceptions: IDHS did not complete their quality review on a timely basis (within 60 days). We noted the following exceptions: Additionally, for 1 of 28 SAPT subrecipient expenditures sampled, IDHS could not provide supporting documentation that reconciled to the sampled amount. IDHS’s subrecipient expenditures under the federal programs for the year ended June 30, 2022 were approximately as follows: Criteria or Requirement: According to 2 CFR 200.332(d), a pass-through entity is required to monitor the activities of subrecipients as necessary to ensure that federal awards are used for authorized purposes in compliance with laws, regulations, and the provisions of contracts or grant agreements and that performance goals are achieved. According to 2 CFR 200.332(b), a pass-through entity must evaluate each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward. In addition, 2 CFR 200.303 requires nonfederal entities to, among other things, establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Effective internal controls should include ensuring on-site program procedures and expenditure reviews are performed in a timely manner and adequate documentation is maintained. Cause: In discussing these conditions with IDHS officials, management stated that the program monitoring deficiencies noted are due to misplaced or misfiled documentation, untimely monitoring, inadequate staffing, and lack of consistent application in each program division. Possible Asserted Effect: Failure to adequately perform and document program on-site monitoring reviews of subrecipients and notify subrecipients of findings in a timely manner may result in subrecipients not properly administering the Federal programs in accordance with laws, regulations, and the grant agreement. Failure to properly review subrecipient expenditures may result in inaccurate payments or unallowable costs. Repeat Finding: A similar finding was reported in the prior year audit as finding number 2021-017. (Finding Code 2022- 008, 2021-017, 2020-015, 2019-013, 2018-012, 2017-013, 2016-012, 2015-011, 2014-008, 2013-009, 12- 07, 11-09) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend IDHS ensure programmatic on-site and expenditure report reviews are performed and documented for subrecipients in accordance with established policies and procedures. In addition, we recommend IDHS review its process for reporting and following up on program findings relative to subrecipient on-site reviews to ensure timely corrective action and quality control is taken. Views of IDHS Officials: IDHS accepts the recommendation. IDHS will seek to ensure programmatic monitoring reviews are performed and accurately documented for subrecipients in accordance with established policies and procedures.
State Agency: Illinois Department of Human Services (IDHS) Federal Agency: U.S. Department of Health and Human Services (USDHHS) Program Name: Temporary Assistance for Needy Families Cluster CCDF Cluster Block Grants for Prevention and Treatment of Substance Abuse ALN and Program Expenditures: 93.558 ($585,590,187) 93.575/93.596 ($910,712,554) 93.959 ($81,408,580) Award Numbers: Various – See schedule of award numbers Federal Award Year: Various – See schedule of award numbers Questioned Costs: Cannot be determined Compliance Requirement: Subrecipient Monitoring Finding 2022-008: Failure to Follow Established Program Subrecipient Monitoring Procedures Type of Finding: Material noncompliance and material weakness Condition Found: IDHS did not follow its established program monitoring policies and procedures for subrecipients of the Temporary Assistance for Needy Families (TANF) Cluster, CCDF Cluster (Child Care), and Block Grants for Prevention and Treatment of Substance Abuse (SAPT) programs. IDHS has implemented procedures whereby program staff perform periodic program on-site and desk reviews of IDHS subrecipient compliance with regulations applicable to the federal programs administered by IDHS. Generally, these reviews are formally documented and include the issuance of a report of the review results to the subrecipient summarizing the procedures performed, results of the procedures, and any findings or observations for improvement noted. IDHS’s policies require the subrecipient to respond to each finding by providing a written corrective action plan. Additionally, IDHS program staff perform reviews of expenditure reports submitted by subrecipients. IDHS subrecipient monitoring procedures are subject to the review and approval of a supervisor. During our test work over program on-site review procedures performed for 59 subrecipients of the TANF Cluster, CCDF Cluster, and SAPT programs, we noted IDHS did not follow its established program monitoring procedures as follows: IDHS did not provide timely notification (within 60 days) of the results of the programmatic onsite reviews. We noted the following exceptions: IDHS did not complete their quality review on a timely basis (within 60 days). We noted the following exceptions: Additionally, for 1 of 28 SAPT subrecipient expenditures sampled, IDHS could not provide supporting documentation that reconciled to the sampled amount. IDHS’s subrecipient expenditures under the federal programs for the year ended June 30, 2022 were approximately as follows: Criteria or Requirement: According to 2 CFR 200.332(d), a pass-through entity is required to monitor the activities of subrecipients as necessary to ensure that federal awards are used for authorized purposes in compliance with laws, regulations, and the provisions of contracts or grant agreements and that performance goals are achieved. According to 2 CFR 200.332(b), a pass-through entity must evaluate each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward. In addition, 2 CFR 200.303 requires nonfederal entities to, among other things, establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Effective internal controls should include ensuring on-site program procedures and expenditure reviews are performed in a timely manner and adequate documentation is maintained. Cause: In discussing these conditions with IDHS officials, management stated that the program monitoring deficiencies noted are due to misplaced or misfiled documentation, untimely monitoring, inadequate staffing, and lack of consistent application in each program division. Possible Asserted Effect: Failure to adequately perform and document program on-site monitoring reviews of subrecipients and notify subrecipients of findings in a timely manner may result in subrecipients not properly administering the Federal programs in accordance with laws, regulations, and the grant agreement. Failure to properly review subrecipient expenditures may result in inaccurate payments or unallowable costs. Repeat Finding: A similar finding was reported in the prior year audit as finding number 2021-017. (Finding Code 2022- 008, 2021-017, 2020-015, 2019-013, 2018-012, 2017-013, 2016-012, 2015-011, 2014-008, 2013-009, 12- 07, 11-09) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend IDHS ensure programmatic on-site and expenditure report reviews are performed and documented for subrecipients in accordance with established policies and procedures. In addition, we recommend IDHS review its process for reporting and following up on program findings relative to subrecipient on-site reviews to ensure timely corrective action and quality control is taken. Views of IDHS Officials: IDHS accepts the recommendation. IDHS will seek to ensure programmatic monitoring reviews are performed and accurately documented for subrecipients in accordance with established policies and procedures.
State Agency: Illinois Department of Human Services (IDHS) Federal Agency: U.S. Department of Health and Human Services (USDHHS) Program Name: Temporary Assistance for Needy Families Cluster CCDF Cluster Block Grants for Prevention and Treatment of Substance Abuse ALN and Program Expenditures: 93.558 ($585,590,187) 93.575/93.596 ($910,712,554) 93.959 ($81,408,580) Award Numbers: Various – See schedule of award numbers Federal Award Year: Various – See schedule of award numbers Questioned Costs: Cannot be determined Compliance Requirement: Subrecipient Monitoring Finding 2022-008: Failure to Follow Established Program Subrecipient Monitoring Procedures Type of Finding: Material noncompliance and material weakness Condition Found: IDHS did not follow its established program monitoring policies and procedures for subrecipients of the Temporary Assistance for Needy Families (TANF) Cluster, CCDF Cluster (Child Care), and Block Grants for Prevention and Treatment of Substance Abuse (SAPT) programs. IDHS has implemented procedures whereby program staff perform periodic program on-site and desk reviews of IDHS subrecipient compliance with regulations applicable to the federal programs administered by IDHS. Generally, these reviews are formally documented and include the issuance of a report of the review results to the subrecipient summarizing the procedures performed, results of the procedures, and any findings or observations for improvement noted. IDHS’s policies require the subrecipient to respond to each finding by providing a written corrective action plan. Additionally, IDHS program staff perform reviews of expenditure reports submitted by subrecipients. IDHS subrecipient monitoring procedures are subject to the review and approval of a supervisor. During our test work over program on-site review procedures performed for 59 subrecipients of the TANF Cluster, CCDF Cluster, and SAPT programs, we noted IDHS did not follow its established program monitoring procedures as follows: IDHS did not provide timely notification (within 60 days) of the results of the programmatic onsite reviews. We noted the following exceptions: IDHS did not complete their quality review on a timely basis (within 60 days). We noted the following exceptions: Additionally, for 1 of 28 SAPT subrecipient expenditures sampled, IDHS could not provide supporting documentation that reconciled to the sampled amount. IDHS’s subrecipient expenditures under the federal programs for the year ended June 30, 2022 were approximately as follows: Criteria or Requirement: According to 2 CFR 200.332(d), a pass-through entity is required to monitor the activities of subrecipients as necessary to ensure that federal awards are used for authorized purposes in compliance with laws, regulations, and the provisions of contracts or grant agreements and that performance goals are achieved. According to 2 CFR 200.332(b), a pass-through entity must evaluate each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward. In addition, 2 CFR 200.303 requires nonfederal entities to, among other things, establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Effective internal controls should include ensuring on-site program procedures and expenditure reviews are performed in a timely manner and adequate documentation is maintained. Cause: In discussing these conditions with IDHS officials, management stated that the program monitoring deficiencies noted are due to misplaced or misfiled documentation, untimely monitoring, inadequate staffing, and lack of consistent application in each program division. Possible Asserted Effect: Failure to adequately perform and document program on-site monitoring reviews of subrecipients and notify subrecipients of findings in a timely manner may result in subrecipients not properly administering the Federal programs in accordance with laws, regulations, and the grant agreement. Failure to properly review subrecipient expenditures may result in inaccurate payments or unallowable costs. Repeat Finding: A similar finding was reported in the prior year audit as finding number 2021-017. (Finding Code 2022- 008, 2021-017, 2020-015, 2019-013, 2018-012, 2017-013, 2016-012, 2015-011, 2014-008, 2013-009, 12- 07, 11-09) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend IDHS ensure programmatic on-site and expenditure report reviews are performed and documented for subrecipients in accordance with established policies and procedures. In addition, we recommend IDHS review its process for reporting and following up on program findings relative to subrecipient on-site reviews to ensure timely corrective action and quality control is taken. Views of IDHS Officials: IDHS accepts the recommendation. IDHS will seek to ensure programmatic monitoring reviews are performed and accurately documented for subrecipients in accordance with established policies and procedures.
State Agency: Illinois Department of Human Services (IDHS) Federal Agency: U.S. Department of Health and Human Services (USDHHS) Program Name: Temporary Assistance for Needy Families Cluster CCDF Cluster Block Grants for Prevention and Treatment of Substance Abuse ALN and Program Expenditures: 93.558 ($585,590,187) 93.575/93.596 ($910,712,554) 93.959 ($81,408,580) Award Numbers: Various – See schedule of award numbers Federal Award Year: Various – See schedule of award numbers Questioned Costs: Cannot be determined Compliance Requirement: Subrecipient Monitoring Finding 2022-008: Failure to Follow Established Program Subrecipient Monitoring Procedures Type of Finding: Material noncompliance and material weakness Condition Found: IDHS did not follow its established program monitoring policies and procedures for subrecipients of the Temporary Assistance for Needy Families (TANF) Cluster, CCDF Cluster (Child Care), and Block Grants for Prevention and Treatment of Substance Abuse (SAPT) programs. IDHS has implemented procedures whereby program staff perform periodic program on-site and desk reviews of IDHS subrecipient compliance with regulations applicable to the federal programs administered by IDHS. Generally, these reviews are formally documented and include the issuance of a report of the review results to the subrecipient summarizing the procedures performed, results of the procedures, and any findings or observations for improvement noted. IDHS’s policies require the subrecipient to respond to each finding by providing a written corrective action plan. Additionally, IDHS program staff perform reviews of expenditure reports submitted by subrecipients. IDHS subrecipient monitoring procedures are subject to the review and approval of a supervisor. During our test work over program on-site review procedures performed for 59 subrecipients of the TANF Cluster, CCDF Cluster, and SAPT programs, we noted IDHS did not follow its established program monitoring procedures as follows: IDHS did not provide timely notification (within 60 days) of the results of the programmatic onsite reviews. We noted the following exceptions: IDHS did not complete their quality review on a timely basis (within 60 days). We noted the following exceptions: Additionally, for 1 of 28 SAPT subrecipient expenditures sampled, IDHS could not provide supporting documentation that reconciled to the sampled amount. IDHS’s subrecipient expenditures under the federal programs for the year ended June 30, 2022 were approximately as follows: Criteria or Requirement: According to 2 CFR 200.332(d), a pass-through entity is required to monitor the activities of subrecipients as necessary to ensure that federal awards are used for authorized purposes in compliance with laws, regulations, and the provisions of contracts or grant agreements and that performance goals are achieved. According to 2 CFR 200.332(b), a pass-through entity must evaluate each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward. In addition, 2 CFR 200.303 requires nonfederal entities to, among other things, establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Effective internal controls should include ensuring on-site program procedures and expenditure reviews are performed in a timely manner and adequate documentation is maintained. Cause: In discussing these conditions with IDHS officials, management stated that the program monitoring deficiencies noted are due to misplaced or misfiled documentation, untimely monitoring, inadequate staffing, and lack of consistent application in each program division. Possible Asserted Effect: Failure to adequately perform and document program on-site monitoring reviews of subrecipients and notify subrecipients of findings in a timely manner may result in subrecipients not properly administering the Federal programs in accordance with laws, regulations, and the grant agreement. Failure to properly review subrecipient expenditures may result in inaccurate payments or unallowable costs. Repeat Finding: A similar finding was reported in the prior year audit as finding number 2021-017. (Finding Code 2022- 008, 2021-017, 2020-015, 2019-013, 2018-012, 2017-013, 2016-012, 2015-011, 2014-008, 2013-009, 12- 07, 11-09) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend IDHS ensure programmatic on-site and expenditure report reviews are performed and documented for subrecipients in accordance with established policies and procedures. In addition, we recommend IDHS review its process for reporting and following up on program findings relative to subrecipient on-site reviews to ensure timely corrective action and quality control is taken. Views of IDHS Officials: IDHS accepts the recommendation. IDHS will seek to ensure programmatic monitoring reviews are performed and accurately documented for subrecipients in accordance with established policies and procedures.
State Agency: Illinois Department of Human Services (IDHS) Federal Agency: U.S. Department of Health and Human Services (USDHHS) Program Name: Temporary Assistance for Needy Families Cluster CCDF Cluster Block Grants for Prevention and Treatment of Substance Abuse ALN and Program Expenditures: 93.558 ($585,590,187) 93.575/93.596 ($910,712,554) 93.959 ($81,408,580) Award Numbers: Various – See schedule of award numbers Federal Award Year: Various – See schedule of award numbers Questioned Costs: Cannot be determined Compliance Requirement: Subrecipient Monitoring Finding 2022-008: Failure to Follow Established Program Subrecipient Monitoring Procedures Type of Finding: Material noncompliance and material weakness Condition Found: IDHS did not follow its established program monitoring policies and procedures for subrecipients of the Temporary Assistance for Needy Families (TANF) Cluster, CCDF Cluster (Child Care), and Block Grants for Prevention and Treatment of Substance Abuse (SAPT) programs. IDHS has implemented procedures whereby program staff perform periodic program on-site and desk reviews of IDHS subrecipient compliance with regulations applicable to the federal programs administered by IDHS. Generally, these reviews are formally documented and include the issuance of a report of the review results to the subrecipient summarizing the procedures performed, results of the procedures, and any findings or observations for improvement noted. IDHS’s policies require the subrecipient to respond to each finding by providing a written corrective action plan. Additionally, IDHS program staff perform reviews of expenditure reports submitted by subrecipients. IDHS subrecipient monitoring procedures are subject to the review and approval of a supervisor. During our test work over program on-site review procedures performed for 59 subrecipients of the TANF Cluster, CCDF Cluster, and SAPT programs, we noted IDHS did not follow its established program monitoring procedures as follows: IDHS did not provide timely notification (within 60 days) of the results of the programmatic onsite reviews. We noted the following exceptions: IDHS did not complete their quality review on a timely basis (within 60 days). We noted the following exceptions: Additionally, for 1 of 28 SAPT subrecipient expenditures sampled, IDHS could not provide supporting documentation that reconciled to the sampled amount. IDHS’s subrecipient expenditures under the federal programs for the year ended June 30, 2022 were approximately as follows: Criteria or Requirement: According to 2 CFR 200.332(d), a pass-through entity is required to monitor the activities of subrecipients as necessary to ensure that federal awards are used for authorized purposes in compliance with laws, regulations, and the provisions of contracts or grant agreements and that performance goals are achieved. According to 2 CFR 200.332(b), a pass-through entity must evaluate each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward. In addition, 2 CFR 200.303 requires nonfederal entities to, among other things, establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Effective internal controls should include ensuring on-site program procedures and expenditure reviews are performed in a timely manner and adequate documentation is maintained. Cause: In discussing these conditions with IDHS officials, management stated that the program monitoring deficiencies noted are due to misplaced or misfiled documentation, untimely monitoring, inadequate staffing, and lack of consistent application in each program division. Possible Asserted Effect: Failure to adequately perform and document program on-site monitoring reviews of subrecipients and notify subrecipients of findings in a timely manner may result in subrecipients not properly administering the Federal programs in accordance with laws, regulations, and the grant agreement. Failure to properly review subrecipient expenditures may result in inaccurate payments or unallowable costs. Repeat Finding: A similar finding was reported in the prior year audit as finding number 2021-017. (Finding Code 2022- 008, 2021-017, 2020-015, 2019-013, 2018-012, 2017-013, 2016-012, 2015-011, 2014-008, 2013-009, 12- 07, 11-09) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend IDHS ensure programmatic on-site and expenditure report reviews are performed and documented for subrecipients in accordance with established policies and procedures. In addition, we recommend IDHS review its process for reporting and following up on program findings relative to subrecipient on-site reviews to ensure timely corrective action and quality control is taken. Views of IDHS Officials: IDHS accepts the recommendation. IDHS will seek to ensure programmatic monitoring reviews are performed and accurately documented for subrecipients in accordance with established policies and procedures.
State Agency: Illinois Department of Human Services (IDHS) Federal Agency: U.S. Treasury Department (TREAS) Program Name: COVID-19 – Coronavirus State and Local Fiscal Recovery Funds ALN and Program Expenditures: 21.027 ($4,895,262,395) Award Numbers: Various – See schedule of award numbers Federal Award Year: Various – See schedule of award numbers Questioned Costs: Cannot be determined Compliance Requirement: Subrecipient Monitoring Finding 2022-012: Failure to Notify Subrecipients of Federal Funding Type of Finding: Noncompliance and material weakness Condition Found: IDHS did not communicate required federal program information to subrecipients at the time of disbursement for the Coronavirus State and Local Fiscal Recovery Funds (SLFRF) program. During our testing of 43 SLFRF subrecipient payments, we noted IDHS did not communicate the Assistance Listing Number (ALN) at the time of disbursement for 15 of the subrecipients tested. Amounts passed through to subrecipients by IDHS under the SLFRF program totaled $60,364,704 during the year ended June 30, 2022. Amounts passed through to subrecipients by the State under the SLFRF program totaled $336,176,469 during the year ended June 30, 2022. Criteria or Requirement: Per 2 CFR 200.332(a)(1)(xii), all pass-through entities must identify the dollar amount made available under each Federal award and the ALN at the time of disbursement. Additionally, 2 CFR 200.303 requires non-Federal entities receiving Federal awards to establish and maintain internal control designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include controls to ensure ALN notifications are made at the time of subrecipient disbursement. Cause: In discussing these conditions with IDHS officials, management stated some staff were not aware of the requirement to notify subrecipients of ALNs at the time of disbursement. Possible Asserted Effect: Failure to communicate ALNs at the time of disbursement can hamper the subrecipient’s ability to correctly prepare their schedule of expenditures of federal awards. Repeat Finding: A similar finding was not reported in the prior year audit. (Finding Code 2022-012) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend IDHS add to their warrant description the ALN for each disbursement made to subrecipients. Views of IDHS Officials: IDHS accepts the recommendation. IDHS will work to ensure that the description of the Assistance Listing Numbers (ALN) is properly communicated to subrecipients at the time of disbursement.
State Agency: Illinois Department of Human Services (IDHS) Federal Agency: U.S. Treasury Department (TREAS) Program Name: COVID-19 – Coronavirus State and Local Fiscal Recovery Funds ALN and Program Expenditures: 21.027 ($4,895,262,395) Award Numbers: Various – See schedule of award numbers Federal Award Year: Various – See schedule of award numbers Questioned Costs: Cannot be determined Compliance Requirement: Subrecipient Monitoring Finding 2022-012: Failure to Notify Subrecipients of Federal Funding Type of Finding: Noncompliance and material weakness Condition Found: IDHS did not communicate required federal program information to subrecipients at the time of disbursement for the Coronavirus State and Local Fiscal Recovery Funds (SLFRF) program. During our testing of 43 SLFRF subrecipient payments, we noted IDHS did not communicate the Assistance Listing Number (ALN) at the time of disbursement for 15 of the subrecipients tested. Amounts passed through to subrecipients by IDHS under the SLFRF program totaled $60,364,704 during the year ended June 30, 2022. Amounts passed through to subrecipients by the State under the SLFRF program totaled $336,176,469 during the year ended June 30, 2022. Criteria or Requirement: Per 2 CFR 200.332(a)(1)(xii), all pass-through entities must identify the dollar amount made available under each Federal award and the ALN at the time of disbursement. Additionally, 2 CFR 200.303 requires non-Federal entities receiving Federal awards to establish and maintain internal control designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include controls to ensure ALN notifications are made at the time of subrecipient disbursement. Cause: In discussing these conditions with IDHS officials, management stated some staff were not aware of the requirement to notify subrecipients of ALNs at the time of disbursement. Possible Asserted Effect: Failure to communicate ALNs at the time of disbursement can hamper the subrecipient’s ability to correctly prepare their schedule of expenditures of federal awards. Repeat Finding: A similar finding was not reported in the prior year audit. (Finding Code 2022-012) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend IDHS add to their warrant description the ALN for each disbursement made to subrecipients. Views of IDHS Officials: IDHS accepts the recommendation. IDHS will work to ensure that the description of the Assistance Listing Numbers (ALN) is properly communicated to subrecipients at the time of disbursement.
State Agency: Illinois Department of Public Health (IDPH) Federal Agency: U.S. Department of Health and Human Services (USDHHS) Program Name: COVID-19 – Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) ALN and Program Expenditures: 93.323 ($248,405,971) Award Numbers: Various – see table of award numbers Federal Award Year: Various – see table of award numbers Questioned Costs: Cannot be determined Compliance Requirement: Subrecipient Monitoring Finding 2022-021: Failure to Notify Subrecipients of Federal Funding Type of Finding: Noncompliance and material weakness Condition Found: IDPH did not communicate required federal program information to subrecipients at the time of disbursement for the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program. During our testing of 46 ELC subrecipient payments (totaling $18,040,567), we noted IDPH did not communicate the Assistance Listing Number (ALN) at the time of disbursement for 7 of the subrecipient payments tested (totaling $2,284,855). Further, we noted IDPH did not have effective controls to ensure the ALN number was communicated at the time of payment. Amounts passed through to subrecipients under the ELC program totaled $133,533,458 during the year ended June 30, 2022. Criteria or Requirement: Per 2 CFR 200.332(a)(1)(xii), all pass-through entities must identify the dollar amount made available under each Federal award and the ALN at the time of disbursement. Additionally, 2 CFR 200.303 requires non-Federal entities receiving Federal awards to establish and maintain internal control designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include controls to ensure ALN notifications are made at the time of subrecipient disbursement. Cause: In discussing these conditions with IDPH officials, IDPH stated that once the deficiency was brought to their attention in November of 2021, the corrective action was implemented, but the payments noted above were before the deficiency was identified. Possible Asserted Effect: Failure to communicate ALNs at the time of disbursement may inhibit the subrecipient’s ability to correctly prepare their schedule of expenditures of federal awards. Repeat Finding: A similar finding was reported in the prior year audit as finding number 2021-022. (Finding Code 2022- 021, 2021-022) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend IDPH add the ALN to the warrant description for each subrecipient disbursement made. We also recommend IDPH implement additional control procedures necessary to ensure subrecipients are provided information in accordance with Uniform Guidance requirements. Views of IDPH Officials: We agree with the auditor’s recommendation and have implemented the recommendations during the audit period under review.
State Agency: Illinois Department of Public Health (IDPH) Federal Agency: U.S. Department of Health and Human Services (USDHHS) Program Name: COVID-19 – Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) ALN and Program Expenditures: 93.323 ($248,405,971) Award Numbers: Various – see table of award numbers Federal Award Year: Various – see table of award numbers Questioned Costs: Cannot be determined Compliance Requirement: Subrecipient Monitoring Finding 2022-021: Failure to Notify Subrecipients of Federal Funding Type of Finding: Noncompliance and material weakness Condition Found: IDPH did not communicate required federal program information to subrecipients at the time of disbursement for the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program. During our testing of 46 ELC subrecipient payments (totaling $18,040,567), we noted IDPH did not communicate the Assistance Listing Number (ALN) at the time of disbursement for 7 of the subrecipient payments tested (totaling $2,284,855). Further, we noted IDPH did not have effective controls to ensure the ALN number was communicated at the time of payment. Amounts passed through to subrecipients under the ELC program totaled $133,533,458 during the year ended June 30, 2022. Criteria or Requirement: Per 2 CFR 200.332(a)(1)(xii), all pass-through entities must identify the dollar amount made available under each Federal award and the ALN at the time of disbursement. Additionally, 2 CFR 200.303 requires non-Federal entities receiving Federal awards to establish and maintain internal control designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include controls to ensure ALN notifications are made at the time of subrecipient disbursement. Cause: In discussing these conditions with IDPH officials, IDPH stated that once the deficiency was brought to their attention in November of 2021, the corrective action was implemented, but the payments noted above were before the deficiency was identified. Possible Asserted Effect: Failure to communicate ALNs at the time of disbursement may inhibit the subrecipient’s ability to correctly prepare their schedule of expenditures of federal awards. Repeat Finding: A similar finding was reported in the prior year audit as finding number 2021-022. (Finding Code 2022- 021, 2021-022) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend IDPH add the ALN to the warrant description for each subrecipient disbursement made. We also recommend IDPH implement additional control procedures necessary to ensure subrecipients are provided information in accordance with Uniform Guidance requirements. Views of IDPH Officials: We agree with the auditor’s recommendation and have implemented the recommendations during the audit period under review.
State Agency: Illinois Department on Aging (IDOA) Federal Agency: U.S. Department of Health and Human Services (USDHHS) Program Name: Aging Cluster ALN and Program Expenditures: 93.044/93.045/93.053 ($59,868,648) Award Numbers: Various – see table of award numbers Federal Award Year: Various – see table of award numbers Questioned Costs: None Compliance Requirement: Subrecipient Monitoring Finding 2022-031: Inadequate Review of Subrecipient Single Audit Reports Type of Finding: Material noncompliance and material weakness Condition Found: IDOA did not adequately document review over single audit reports received from its subrecipients for the Aging Cluster program on a timely basis. The State of Illinois established the Grant Accountability Transparency Unit (GATU) to implement the provisions of the State's Grant Accountability and Transparency Act (GATA) on a centralized basis. GATU has established standardized reporting requirements for subrecipients of the various Federal programs administered by the State through its various departments. Subrecipients of the State are required to certify whether they expended more than $750,000 in federal awards during the fiscal year and submitted their single audit reporting packages to the Federal Audit Clearinghouse (if required). GATU is then responsible for obtaining the single audit reporting package, verifying the report meets the single audit requirements, and assigning, to the applicable state agency, any findings attributable to amounts passed through to the subrecipient(s) by the State. IDOA staff are responsible for reviewing the reports assigned to them by GATU and determining whether: (1) federal funds reported in the schedule of expenditures of federal awards (SEFA) reconcile to IDOA records and (2) issuing management decisions on findings reported within required time frames. During our testing of a sample of single audit desk review files for four subrecipients (with expenditures of $36,828,349 in the fiscal year), we noted IDOA did not document the reconciliation of the subrecipient SEFAs to IDOA records within the GATA Audit Report Review Management System (ARRMS) and did not issue management decision letters to each subrecipient as of the date of our testing (June 2023). IDOA's subrecipient expenditures under the Aging Cluster program for the year ended June 30, 2022 were $58,503,162. Criteria or Requirement According to 2 CFR 200.332(d), a pass-through entity must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations and the terms and conditions of the subaward, and that the subaward performance goals are achieved. Additionally, 2 CFR 200.332(d)(3) and 2 CFR 200.521 state that a pass-through entity is required to issue a management decision on federal awards audit findings within six months of the acceptance of the report by the Federal Audit Clearinghouse and ensure the subrecipient takes timely and appropriate corrective action on all audit findings. Additionally, 2 CFR 200.303 requires non-Federal entities receiving Federal awards to establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure Single Audit reports are reviewed in a timely manner and management decisions are issued within required timeframes. Cause: In discussing these conditions with IDOA officials, they stated the area agency on aging (AAA) audit reviews are completed, however resolution of the reconciliation items and management decisions letters were not completed timely due to a lack of staffing. Possible Asserted Effect: Failure to complete and document reviews of subrecipient single audit reports in a timely manner may result in federal funds being expended for unallowable purposes and subrecipients not administering the federal programs in accordance with laws, regulations and the grant agreement. Repeat Finding: A similar finding was reported in the 2019 Single Audit as finding number 2019-039. (Finding Code 2022- 031) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend IDOA establish procedures to ensure subrecipient single audit report reviews are completed and documented in a timely manner. Additionally, IDOA should ensure procedures will permit issuance of management decisions within required timeframes. Views of IDOA Officials: Aging has posted and scheduled interviews for the vacant position that will oversee this process.
State Agency: Illinois Department on Aging (IDOA) Federal Agency: U.S. Department of Health and Human Services (USDHHS) Program Name: Aging Cluster ALN and Program Expenditures: 93.044/93.045/93.053 ($59,868,648) Award Numbers: Various – see table of award numbers Federal Award Year: Various – see table of award numbers Questioned Costs: None Compliance Requirement: Subrecipient Monitoring Finding 2022-031: Inadequate Review of Subrecipient Single Audit Reports Type of Finding: Material noncompliance and material weakness Condition Found: IDOA did not adequately document review over single audit reports received from its subrecipients for the Aging Cluster program on a timely basis. The State of Illinois established the Grant Accountability Transparency Unit (GATU) to implement the provisions of the State's Grant Accountability and Transparency Act (GATA) on a centralized basis. GATU has established standardized reporting requirements for subrecipients of the various Federal programs administered by the State through its various departments. Subrecipients of the State are required to certify whether they expended more than $750,000 in federal awards during the fiscal year and submitted their single audit reporting packages to the Federal Audit Clearinghouse (if required). GATU is then responsible for obtaining the single audit reporting package, verifying the report meets the single audit requirements, and assigning, to the applicable state agency, any findings attributable to amounts passed through to the subrecipient(s) by the State. IDOA staff are responsible for reviewing the reports assigned to them by GATU and determining whether: (1) federal funds reported in the schedule of expenditures of federal awards (SEFA) reconcile to IDOA records and (2) issuing management decisions on findings reported within required time frames. During our testing of a sample of single audit desk review files for four subrecipients (with expenditures of $36,828,349 in the fiscal year), we noted IDOA did not document the reconciliation of the subrecipient SEFAs to IDOA records within the GATA Audit Report Review Management System (ARRMS) and did not issue management decision letters to each subrecipient as of the date of our testing (June 2023). IDOA's subrecipient expenditures under the Aging Cluster program for the year ended June 30, 2022 were $58,503,162. Criteria or Requirement According to 2 CFR 200.332(d), a pass-through entity must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations and the terms and conditions of the subaward, and that the subaward performance goals are achieved. Additionally, 2 CFR 200.332(d)(3) and 2 CFR 200.521 state that a pass-through entity is required to issue a management decision on federal awards audit findings within six months of the acceptance of the report by the Federal Audit Clearinghouse and ensure the subrecipient takes timely and appropriate corrective action on all audit findings. Additionally, 2 CFR 200.303 requires non-Federal entities receiving Federal awards to establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure Single Audit reports are reviewed in a timely manner and management decisions are issued within required timeframes. Cause: In discussing these conditions with IDOA officials, they stated the area agency on aging (AAA) audit reviews are completed, however resolution of the reconciliation items and management decisions letters were not completed timely due to a lack of staffing. Possible Asserted Effect: Failure to complete and document reviews of subrecipient single audit reports in a timely manner may result in federal funds being expended for unallowable purposes and subrecipients not administering the federal programs in accordance with laws, regulations and the grant agreement. Repeat Finding: A similar finding was reported in the 2019 Single Audit as finding number 2019-039. (Finding Code 2022- 031) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend IDOA establish procedures to ensure subrecipient single audit report reviews are completed and documented in a timely manner. Additionally, IDOA should ensure procedures will permit issuance of management decisions within required timeframes. Views of IDOA Officials: Aging has posted and scheduled interviews for the vacant position that will oversee this process.
State Agency: Illinois Department on Aging (IDOA) Federal Agency: U.S. Department of Health and Human Services (USDHHS) Program Name: Aging Cluster ALN and Program Expenditures: 93.044/93.045/93.053 ($59,868,648) Award Numbers: Various – see table of award numbers Federal Award Year: Various – see table of award numbers Questioned Costs: None Compliance Requirement: Subrecipient Monitoring Finding 2022-031: Inadequate Review of Subrecipient Single Audit Reports Type of Finding: Material noncompliance and material weakness Condition Found: IDOA did not adequately document review over single audit reports received from its subrecipients for the Aging Cluster program on a timely basis. The State of Illinois established the Grant Accountability Transparency Unit (GATU) to implement the provisions of the State's Grant Accountability and Transparency Act (GATA) on a centralized basis. GATU has established standardized reporting requirements for subrecipients of the various Federal programs administered by the State through its various departments. Subrecipients of the State are required to certify whether they expended more than $750,000 in federal awards during the fiscal year and submitted their single audit reporting packages to the Federal Audit Clearinghouse (if required). GATU is then responsible for obtaining the single audit reporting package, verifying the report meets the single audit requirements, and assigning, to the applicable state agency, any findings attributable to amounts passed through to the subrecipient(s) by the State. IDOA staff are responsible for reviewing the reports assigned to them by GATU and determining whether: (1) federal funds reported in the schedule of expenditures of federal awards (SEFA) reconcile to IDOA records and (2) issuing management decisions on findings reported within required time frames. During our testing of a sample of single audit desk review files for four subrecipients (with expenditures of $36,828,349 in the fiscal year), we noted IDOA did not document the reconciliation of the subrecipient SEFAs to IDOA records within the GATA Audit Report Review Management System (ARRMS) and did not issue management decision letters to each subrecipient as of the date of our testing (June 2023). IDOA's subrecipient expenditures under the Aging Cluster program for the year ended June 30, 2022 were $58,503,162. Criteria or Requirement According to 2 CFR 200.332(d), a pass-through entity must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations and the terms and conditions of the subaward, and that the subaward performance goals are achieved. Additionally, 2 CFR 200.332(d)(3) and 2 CFR 200.521 state that a pass-through entity is required to issue a management decision on federal awards audit findings within six months of the acceptance of the report by the Federal Audit Clearinghouse and ensure the subrecipient takes timely and appropriate corrective action on all audit findings. Additionally, 2 CFR 200.303 requires non-Federal entities receiving Federal awards to establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure Single Audit reports are reviewed in a timely manner and management decisions are issued within required timeframes. Cause: In discussing these conditions with IDOA officials, they stated the area agency on aging (AAA) audit reviews are completed, however resolution of the reconciliation items and management decisions letters were not completed timely due to a lack of staffing. Possible Asserted Effect: Failure to complete and document reviews of subrecipient single audit reports in a timely manner may result in federal funds being expended for unallowable purposes and subrecipients not administering the federal programs in accordance with laws, regulations and the grant agreement. Repeat Finding: A similar finding was reported in the 2019 Single Audit as finding number 2019-039. (Finding Code 2022- 031) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend IDOA establish procedures to ensure subrecipient single audit report reviews are completed and documented in a timely manner. Additionally, IDOA should ensure procedures will permit issuance of management decisions within required timeframes. Views of IDOA Officials: Aging has posted and scheduled interviews for the vacant position that will oversee this process.
State Agency: Illinois Department on Aging (IDOA) Federal Agency: U.S. Department of Health and Human Services (USDHHS) Program Name: Aging Cluster ALN and Program Expenditures: 93.044/93.045/93.053 ($59,868,648) Award Numbers: Various – see table of award numbers Federal Award Year: Various – see table of award numbers Questioned Costs: None Compliance Requirement: Subrecipient Monitoring Finding 2022-031: Inadequate Review of Subrecipient Single Audit Reports Type of Finding: Material noncompliance and material weakness Condition Found: IDOA did not adequately document review over single audit reports received from its subrecipients for the Aging Cluster program on a timely basis. The State of Illinois established the Grant Accountability Transparency Unit (GATU) to implement the provisions of the State's Grant Accountability and Transparency Act (GATA) on a centralized basis. GATU has established standardized reporting requirements for subrecipients of the various Federal programs administered by the State through its various departments. Subrecipients of the State are required to certify whether they expended more than $750,000 in federal awards during the fiscal year and submitted their single audit reporting packages to the Federal Audit Clearinghouse (if required). GATU is then responsible for obtaining the single audit reporting package, verifying the report meets the single audit requirements, and assigning, to the applicable state agency, any findings attributable to amounts passed through to the subrecipient(s) by the State. IDOA staff are responsible for reviewing the reports assigned to them by GATU and determining whether: (1) federal funds reported in the schedule of expenditures of federal awards (SEFA) reconcile to IDOA records and (2) issuing management decisions on findings reported within required time frames. During our testing of a sample of single audit desk review files for four subrecipients (with expenditures of $36,828,349 in the fiscal year), we noted IDOA did not document the reconciliation of the subrecipient SEFAs to IDOA records within the GATA Audit Report Review Management System (ARRMS) and did not issue management decision letters to each subrecipient as of the date of our testing (June 2023). IDOA's subrecipient expenditures under the Aging Cluster program for the year ended June 30, 2022 were $58,503,162. Criteria or Requirement According to 2 CFR 200.332(d), a pass-through entity must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations and the terms and conditions of the subaward, and that the subaward performance goals are achieved. Additionally, 2 CFR 200.332(d)(3) and 2 CFR 200.521 state that a pass-through entity is required to issue a management decision on federal awards audit findings within six months of the acceptance of the report by the Federal Audit Clearinghouse and ensure the subrecipient takes timely and appropriate corrective action on all audit findings. Additionally, 2 CFR 200.303 requires non-Federal entities receiving Federal awards to establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure Single Audit reports are reviewed in a timely manner and management decisions are issued within required timeframes. Cause: In discussing these conditions with IDOA officials, they stated the area agency on aging (AAA) audit reviews are completed, however resolution of the reconciliation items and management decisions letters were not completed timely due to a lack of staffing. Possible Asserted Effect: Failure to complete and document reviews of subrecipient single audit reports in a timely manner may result in federal funds being expended for unallowable purposes and subrecipients not administering the federal programs in accordance with laws, regulations and the grant agreement. Repeat Finding: A similar finding was reported in the 2019 Single Audit as finding number 2019-039. (Finding Code 2022- 031) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend IDOA establish procedures to ensure subrecipient single audit report reviews are completed and documented in a timely manner. Additionally, IDOA should ensure procedures will permit issuance of management decisions within required timeframes. Views of IDOA Officials: Aging has posted and scheduled interviews for the vacant position that will oversee this process.
State Agency: Illinois Department on Aging (IDOA) Federal Agency: U.S. Department of Health and Human Services (USDHHS) Program Name: Aging Cluster ALN and Program Expenditures: 93.044/93.045/93.053 ($59,868,648) Award Numbers: Various – see table of award numbers Federal Award Year: Various – see table of award numbers Questioned Costs: None Compliance Requirement: Subrecipient Monitoring Finding 2022-031: Inadequate Review of Subrecipient Single Audit Reports Type of Finding: Material noncompliance and material weakness Condition Found: IDOA did not adequately document review over single audit reports received from its subrecipients for the Aging Cluster program on a timely basis. The State of Illinois established the Grant Accountability Transparency Unit (GATU) to implement the provisions of the State's Grant Accountability and Transparency Act (GATA) on a centralized basis. GATU has established standardized reporting requirements for subrecipients of the various Federal programs administered by the State through its various departments. Subrecipients of the State are required to certify whether they expended more than $750,000 in federal awards during the fiscal year and submitted their single audit reporting packages to the Federal Audit Clearinghouse (if required). GATU is then responsible for obtaining the single audit reporting package, verifying the report meets the single audit requirements, and assigning, to the applicable state agency, any findings attributable to amounts passed through to the subrecipient(s) by the State. IDOA staff are responsible for reviewing the reports assigned to them by GATU and determining whether: (1) federal funds reported in the schedule of expenditures of federal awards (SEFA) reconcile to IDOA records and (2) issuing management decisions on findings reported within required time frames. During our testing of a sample of single audit desk review files for four subrecipients (with expenditures of $36,828,349 in the fiscal year), we noted IDOA did not document the reconciliation of the subrecipient SEFAs to IDOA records within the GATA Audit Report Review Management System (ARRMS) and did not issue management decision letters to each subrecipient as of the date of our testing (June 2023). IDOA's subrecipient expenditures under the Aging Cluster program for the year ended June 30, 2022 were $58,503,162. Criteria or Requirement According to 2 CFR 200.332(d), a pass-through entity must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations and the terms and conditions of the subaward, and that the subaward performance goals are achieved. Additionally, 2 CFR 200.332(d)(3) and 2 CFR 200.521 state that a pass-through entity is required to issue a management decision on federal awards audit findings within six months of the acceptance of the report by the Federal Audit Clearinghouse and ensure the subrecipient takes timely and appropriate corrective action on all audit findings. Additionally, 2 CFR 200.303 requires non-Federal entities receiving Federal awards to establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure Single Audit reports are reviewed in a timely manner and management decisions are issued within required timeframes. Cause: In discussing these conditions with IDOA officials, they stated the area agency on aging (AAA) audit reviews are completed, however resolution of the reconciliation items and management decisions letters were not completed timely due to a lack of staffing. Possible Asserted Effect: Failure to complete and document reviews of subrecipient single audit reports in a timely manner may result in federal funds being expended for unallowable purposes and subrecipients not administering the federal programs in accordance with laws, regulations and the grant agreement. Repeat Finding: A similar finding was reported in the 2019 Single Audit as finding number 2019-039. (Finding Code 2022- 031) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend IDOA establish procedures to ensure subrecipient single audit report reviews are completed and documented in a timely manner. Additionally, IDOA should ensure procedures will permit issuance of management decisions within required timeframes. Views of IDOA Officials: Aging has posted and scheduled interviews for the vacant position that will oversee this process.
State Agency: Illinois Department of Commerce and Economic Opportunity (DCEO) Federal Agency: U.S. Treasury Department (TREAS) Program Name: COVID-19 – Coronavirus Relief Fund ALN and Program Expenditures: 21.019 ($190,168,889) Award Numbers: Various – see table of award numbers Federal Award Year: Various – see table of award numbers Questioned Costs: None Compliance Requirement: Subrecipient Monitoring Finding 2022-034: Inadequate Review of Subrecipient Single Audit Reports Type of Finding: Significant deficiency Condition Found: DCEO did not adequately review single audit reports received from its subrecipients for the Coronavirus Relief Fund (CRF) program on a timely basis. The State of Illinois established the Grant Accountability Transparency Unit (GATU) to implement the provisions of the State's Grant Accountability and Transparency Act (GATA) on a centralized basis. GATU has established standardized reporting requirements for subrecipients of the various Federal programs administered by the State through its various departments. Subrecipients of the State are required to certify whether they expended more than $750,000 in federal awards during the fiscal year and submit their single audit reporting packages to the Federal Audit Clearinghouse (if required). GATU is then responsible for obtaining the single audit reporting package, verifying the report meets the single audit requirements, and assigning, to the applicable state agency, any findings attributable to amounts passed through to the subrecipient(s) by the State. DCEO staff are responsible for reviewing the reports assigned to them by GATU and determining whether: (1) federal funds reported in the schedule of expenditures of federal awards (SEFA) reconcile to DCEO records and (2) issuing management decisions on findings reported within required time frames. During our testing of a sample of single audit desk review files for one subrecipient (with expenditures of $10,180 in the fiscal year) out of 60 tested (with expenditures of $8,356,958), we noted DCEO did not issue management decision letters to the subrecipient within the required time frame. The delay in issuing this management decision was 5 days beyond the required timeframe. Further, we noted DCEO has not established controls over subrecipient single audit reviews at an adequate level of precision to ensure management decision letters are issued within required timeframes. DCEO's subrecipient expenditures under the CRF program for the year ended June 30, 2022 were $18,502,818. Amounts passed through to subrecipients by the State under the CRF program totaled $24,432,342. Criteria or Requirement: According to 2 CFR 200.332(d), a pass-through entity must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations and the terms and conditions of the subaward, and that the subaward performance goals are achieved. Additionally, 2 CFR 200.332(d)(3) and 2 CFR 200.521 state that a pass-through entity is required to issue a management decision on federal awards audit findings within six months of the acceptance of the report by the Federal Audit Clearinghouse and ensure the subrecipient takes timely and appropriate corrective action on all audit findings. Additionally, 2 CFR 200.303 requires non-Federal entities receiving Federal awards to establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure Single Audit reports are reviewed in a timely manner and management decisions are issued within required timeframes. Cause: In discussing these conditions with DCEO officials, they stated the 5 day delay (which includes two weekend days and a holiday) in issuing the management decision letter was caused by human error. Possible Asserted Effect: Failure to complete and document reviews of subrecipient single audit reports in a timely manner may result in federal funds being expended for unallowable purposes and subrecipients not administering the federal programs in accordance with laws, regulations and the grant agreement. Repeat Finding: A similar finding was not reported in the prior year audit. (Finding Code 2022-034) Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample. Recommendation: We recommend DCEO establish procedures to ensure subrecipient single audit report reviews are completed and documented in a timely manner. Additionally, DCEO should ensure procedures will permit issuance of management decisions within required timeframes. Views of DCEO Officials: DCEO agrees with the auditor’s recommendation. DCEO has a system and procedures in place to assist with the compliance of 2 CFR 200.332(d)(3) and 2 CFR 200.521. Unfortunately, due to human error, the automatic reminder for ensuring issuance of the MDL was missed. At the time, the position responsible for issuing MDLs was vacant and the unit supervisor was completing those responsibilities in addition to her other duties. The position responsible for issuing MDLs has since been filled (June 2023) and DCEO does not expect this issue to repeat as now there is a primary person responsible and a backup person (the supervisor).
Finding Number: 2022-002 ? Subrecipient Monitoring Evaluation of Finding: Material Weakness. Federal Program: Community Services Block Grant Federal Assistance No.: 93.569 Title: CSBG-CV Federal Grantor: U.S. Department of Health and Human Services Pass-Through Entity: State of California, Health and Human Services Agency Grant number: 20F-3684 Criteria or specified requirement: 2 CFR sections 200.332 requires that pass-through entities evaluate each subrecipients risk of noncompliance with federal awards and monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes in compliance with the conditions of the subaward; and that subaward performance goals are achieved. Condition: The Authority has procedures in place to comply with certain subrecipient monitoring requirements, however, the procedures do not include all requirements under 2 CFR sections 200.332. The Authority is required to evaluate risk, monitor the activities of the subrecipient and ensure accountability of subrecipients. The primary activity being performed is ensuring accountability of subrecipients whereby the Authority reviews reimbursement request details to ensure that the subrecipient?s expenditures are eligible under the federal program. However, the following activities are also required and are not being performed: ? Evaluate Risk?Evaluate each subrecipient?s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward (2 CFR section 200.332(b)). This evaluation of risk may include consideration of such factors as the following: o The subrecipient?s prior experience with the same or similar subawards; o The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with 2 CFR part 200, subpart F, and the extent to which the same or similar subaward has been audited as a major program; o Whether the subrecipient has new personnel or new or substantially changed systems; and o The extent and results of federal awarding agency monitoring (e.g., if the subrecipient also receives federal awards directly from a federal awarding agency). ? Monitor?Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, complies with the terms and conditions of the subaward, and achieves performance goals (2 CFR sections 200.332(d) through (f)). In addition to procedures identified as necessary based upon the evaluation of subrecipient risk or specifically required by the terms and conditions of the award, subaward monitoring must include the following: o Reviewing financial and programmatic (performance and special reports) required by the PTE. o Following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award provided to the subrecipient from the PTE detected through audits, onsite reviews, and other means. o Issuing a management decision for audit findings pertaining to the federal award provided to the subrecipient from the PTE as required by 2 CFR section 200.521. In addition, in 2022 the Authority underwent a desk review by the State of California, Health and Human Services Agency who found that the Authority did not conduct onsite monitoring reviews of subrecipients for fiscal year 2021-22. While the deviation from the policy was due to the COVID-19 pandemic, the policy still required site visits and the COVID-19 restrictions were lifted prior to the end of the fiscal year. Cause: Not all of the requirements for subrecipient monitoring were known to the Authority, therefore some of the procedures were not built into their policy and therefore, were not performed. In person monitoring was paused during the COVID-19 pandemic and did not begin again once the restrictions were lifted. Effect: The subrecipients were not sufficiently monitored as required under Uniform Guidance. Questioned Costs: None Context: The Authority?s policy did not include all of the required monitoring activities resulting in a systemic deficiency in subrecipient monitoring. Recommendation: We recommends that the Authority update its policy to include all subrecipient monitoring activities and consider including alternative procedures for onsite reviews when in person monitoring cannot take place.
Reference Number: 2022-001 Assistance Listing Number: 84.425 Federal Program Title: Education Stabilization Fund Awarding Agency / Pass-Through Entity: U.S. Department of Education, Colorado Department of Education Compliance Requirement: Subrecipient Monitoring Criteria: Under 2 CFR section 200.332, Requirements for Pass-through Entities, all pass-through entities must: (b) Evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency). (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in section 200.501.?Condition: During procedures performed over the subrecipient monitoring compliance requirements, we noted that the District did not conduct an assessment/evaluation over the risk of noncompliance of all subrecipients in fiscal year 2022. Cause: The condition appears to be caused by an oversight by the District. Questioned Costs: None Recommendation: We recommend the District perform and document a risk assessment/evaluation of noncompliance on all subrecipents receiving federal funding. Views of Responsible Officials: The District agrees with the auditing finding. See separately prepared Corrective Action Letter.
Federal Agency: U.S. Department of Energy, Bonneville Power Administration Federal Program Name: Columbia Survival Study (CSS), Streamnet, Smolt Monitoring by Non-Federal Entities Assistance Listing Number: 81.999 Federal Award Identification Number and Year: 00078040 REL 17 ? 2019-2021; 00078040 REL 33 ? 2020-2021; 00078040 REL 37 ? 2021-2022 Award Period: July 1, 2021 through June 30, 2022 Type of Finding: ? Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or specific requirement: 2 CFR Part 200 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Award requires compliance with the provisions of subrecipient monitoring. Specifically, per ?200.332(f), all pass-through entities must verify that every subrecipient is audited as required. The Commission should have internal controls designed to ensure compliance with those provisions. Condition: During our testing, we noted the Commission did not keep adequate documentation to verify the Commission had acquired and reviewed its subrecipients? most recent audit reports. Questioned costs: None. Context: In a statistically valid sample, all five of the subrecipient selections tested lacked sufficient documentation to verify the Commission had received, reviewed, and followed up on its subrecipients? most recent audit reports. Although review of a subrecipient?s audit is a required requirement under the Uniform Guidance, compensating procedures ensured that the Commission only made subrecipient agreements with entities that are eligible and valid. Additional documentation was provided to verify the Commission performs other ongoing monitoring procedures of its subrecipients. Cause: Internal controls and procedures were missed due to a turnover in the Fiscal Manger role. Effect: The Commission was not in compliance with Uniform Guidance monitoring of subrecipient requirements. Repeat Finding: No Recommendation: We recommend the Commission follow its internal controls and procedures over subrecipient monitoring to ensure subrecipient audits are received, reviewed, and followed up on and that documentation of those procedures is maintained. Views of responsible officials: There is no disagreement with the audit finding.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward