2024-087: Review Subrecipient Audit Reports Applicable to: Department of Health Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) - 93.323; Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises - 93.391 Federal Award Number and Year: Various - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.331(d) Known Questioned Costs: $0 Health does not monitor subrecipients in accordance with federal regulations for the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) and Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises federal grant programs. During our audit, we found that Health’s Office of Epidemiology (Epidemiology) and the Office of Health Equity (OHE) did not obtain and review a Single Audit or program-specific audit report for subrecipients who received $750,000 or more in subawards from ELC and STLT funds. During fiscal year 2024, Health disbursed approximately $11 million in ELC funds and $5.8 million in STLT funds to subrecipients. According to Title 2 U.S. Code of Federal Regulations (CFR) § 200.332(f), all pass-through entities must verify their subrecipients are audited if it is expected that the subrecipient’s federal awards expended during the respective fiscal year will equal or exceed $750,000. Additionally, in the case of any findings, 2 CFR § 200.332(d)(3) requires pass-through entities to issue a management decision within six months of acceptance of the audit report by the Federal Audit Clearinghouse (Clearinghouse). Due to significant turnover in contract administrators responsible for subrecipient monitoring, Epidemiology and OHE were unable to provide evidence that staff reviewed Single Audit or program-specific audit reports for all subrecipients expending $750,000 or more during fiscal year 2024. In addition, OFM did not have a current subrecipient monitoring policy and procedure in place to detect subrecipients that met the audit threshold. Health last updated its subrecipient monitoring policy in 2014. Without obtaining the appropriate reports, Health is unable to show it is meeting the requirements set forth in 2 CFR part 200, subpart F, which includes issuing a management decision on audit findings within six months after receipt of the subrecipient’s audit report and ensuring that the subrecipient takes timely and appropriate corrective action on all audit findings. OFM should update its subrecipient monitoring policy and communicate the policy to the applicable offices and districts. In addition, OFM should periodically review the Clearinghouse to determine whether subrecipients who meet the audit threshold obtain the required audits, and that the applicable offices or districts are reviewing the audit reports and considering the impact of any deficiencies identified in audit findings. Epidemiology and OHE should ensure staff review Single Audit or program-specific audit reports for subrecipients who meet the audit threshold and should adhere to all federal requirements when conducting monitoring over such subrecipients. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-087: Review Subrecipient Audit Reports Applicable to: Department of Health Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) - 93.323; Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises - 93.391 Federal Award Number and Year: Various - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.331(d) Known Questioned Costs: $0 Health does not monitor subrecipients in accordance with federal regulations for the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) and Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises federal grant programs. During our audit, we found that Health’s Office of Epidemiology (Epidemiology) and the Office of Health Equity (OHE) did not obtain and review a Single Audit or program-specific audit report for subrecipients who received $750,000 or more in subawards from ELC and STLT funds. During fiscal year 2024, Health disbursed approximately $11 million in ELC funds and $5.8 million in STLT funds to subrecipients. According to Title 2 U.S. Code of Federal Regulations (CFR) § 200.332(f), all pass-through entities must verify their subrecipients are audited if it is expected that the subrecipient’s federal awards expended during the respective fiscal year will equal or exceed $750,000. Additionally, in the case of any findings, 2 CFR § 200.332(d)(3) requires pass-through entities to issue a management decision within six months of acceptance of the audit report by the Federal Audit Clearinghouse (Clearinghouse). Due to significant turnover in contract administrators responsible for subrecipient monitoring, Epidemiology and OHE were unable to provide evidence that staff reviewed Single Audit or program-specific audit reports for all subrecipients expending $750,000 or more during fiscal year 2024. In addition, OFM did not have a current subrecipient monitoring policy and procedure in place to detect subrecipients that met the audit threshold. Health last updated its subrecipient monitoring policy in 2014. Without obtaining the appropriate reports, Health is unable to show it is meeting the requirements set forth in 2 CFR part 200, subpart F, which includes issuing a management decision on audit findings within six months after receipt of the subrecipient’s audit report and ensuring that the subrecipient takes timely and appropriate corrective action on all audit findings. OFM should update its subrecipient monitoring policy and communicate the policy to the applicable offices and districts. In addition, OFM should periodically review the Clearinghouse to determine whether subrecipients who meet the audit threshold obtain the required audits, and that the applicable offices or districts are reviewing the audit reports and considering the impact of any deficiencies identified in audit findings. Epidemiology and OHE should ensure staff review Single Audit or program-specific audit reports for subrecipients who meet the audit threshold and should adhere to all federal requirements when conducting monitoring over such subrecipients. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-087: Review Subrecipient Audit Reports Applicable to: Department of Health Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) - 93.323; Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises - 93.391 Federal Award Number and Year: Various - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.331(d) Known Questioned Costs: $0 Health does not monitor subrecipients in accordance with federal regulations for the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) and Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises federal grant programs. During our audit, we found that Health’s Office of Epidemiology (Epidemiology) and the Office of Health Equity (OHE) did not obtain and review a Single Audit or program-specific audit report for subrecipients who received $750,000 or more in subawards from ELC and STLT funds. During fiscal year 2024, Health disbursed approximately $11 million in ELC funds and $5.8 million in STLT funds to subrecipients. According to Title 2 U.S. Code of Federal Regulations (CFR) § 200.332(f), all pass-through entities must verify their subrecipients are audited if it is expected that the subrecipient’s federal awards expended during the respective fiscal year will equal or exceed $750,000. Additionally, in the case of any findings, 2 CFR § 200.332(d)(3) requires pass-through entities to issue a management decision within six months of acceptance of the audit report by the Federal Audit Clearinghouse (Clearinghouse). Due to significant turnover in contract administrators responsible for subrecipient monitoring, Epidemiology and OHE were unable to provide evidence that staff reviewed Single Audit or program-specific audit reports for all subrecipients expending $750,000 or more during fiscal year 2024. In addition, OFM did not have a current subrecipient monitoring policy and procedure in place to detect subrecipients that met the audit threshold. Health last updated its subrecipient monitoring policy in 2014. Without obtaining the appropriate reports, Health is unable to show it is meeting the requirements set forth in 2 CFR part 200, subpart F, which includes issuing a management decision on audit findings within six months after receipt of the subrecipient’s audit report and ensuring that the subrecipient takes timely and appropriate corrective action on all audit findings. OFM should update its subrecipient monitoring policy and communicate the policy to the applicable offices and districts. In addition, OFM should periodically review the Clearinghouse to determine whether subrecipients who meet the audit threshold obtain the required audits, and that the applicable offices or districts are reviewing the audit reports and considering the impact of any deficiencies identified in audit findings. Epidemiology and OHE should ensure staff review Single Audit or program-specific audit reports for subrecipients who meet the audit threshold and should adhere to all federal requirements when conducting monitoring over such subrecipients. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-087: Review Subrecipient Audit Reports Applicable to: Department of Health Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) - 93.323; Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises - 93.391 Federal Award Number and Year: Various - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.331(d) Known Questioned Costs: $0 Health does not monitor subrecipients in accordance with federal regulations for the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) and Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises federal grant programs. During our audit, we found that Health’s Office of Epidemiology (Epidemiology) and the Office of Health Equity (OHE) did not obtain and review a Single Audit or program-specific audit report for subrecipients who received $750,000 or more in subawards from ELC and STLT funds. During fiscal year 2024, Health disbursed approximately $11 million in ELC funds and $5.8 million in STLT funds to subrecipients. According to Title 2 U.S. Code of Federal Regulations (CFR) § 200.332(f), all pass-through entities must verify their subrecipients are audited if it is expected that the subrecipient’s federal awards expended during the respective fiscal year will equal or exceed $750,000. Additionally, in the case of any findings, 2 CFR § 200.332(d)(3) requires pass-through entities to issue a management decision within six months of acceptance of the audit report by the Federal Audit Clearinghouse (Clearinghouse). Due to significant turnover in contract administrators responsible for subrecipient monitoring, Epidemiology and OHE were unable to provide evidence that staff reviewed Single Audit or program-specific audit reports for all subrecipients expending $750,000 or more during fiscal year 2024. In addition, OFM did not have a current subrecipient monitoring policy and procedure in place to detect subrecipients that met the audit threshold. Health last updated its subrecipient monitoring policy in 2014. Without obtaining the appropriate reports, Health is unable to show it is meeting the requirements set forth in 2 CFR part 200, subpart F, which includes issuing a management decision on audit findings within six months after receipt of the subrecipient’s audit report and ensuring that the subrecipient takes timely and appropriate corrective action on all audit findings. OFM should update its subrecipient monitoring policy and communicate the policy to the applicable offices and districts. In addition, OFM should periodically review the Clearinghouse to determine whether subrecipients who meet the audit threshold obtain the required audits, and that the applicable offices or districts are reviewing the audit reports and considering the impact of any deficiencies identified in audit findings. Epidemiology and OHE should ensure staff review Single Audit or program-specific audit reports for subrecipients who meet the audit threshold and should adhere to all federal requirements when conducting monitoring over such subrecipients. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-083: Ensure Subaward Agreements Meet Federal Regulations Applicable to: Department of Social Services Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 Federal Award Number and Year: 2401VATANF - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(a)(1) Known Questioned Costs: $0 Social Services does not include all information required by federal regulations in its subaward renewal agreements. We tested 20 subaward renewal agreements and noted that all of them did not contain one or more of the elements required by 2 CFR § 200.332(a)(1). Specifically, we noted the following instances of non-compliance in these subaward renewal agreements: Social Services did not include the correct Federal Award Identification Number (FAIN) in 15 of the 20 (75%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iii). Social Services did not include the federal award date in eight of the 20 (40%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iv). Social Services did not update the federal award date in 12 of the 20 (60%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iv). Social Services did not include the FAIN in five of the 20 (25%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iii). Social Services did not include the amount of federal funds obligated in the subaward in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(vii). Social Services did not include the subrecipient’s unique entity identifier in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(ii). Social Services did not include the contact information for the awarding official of the pass-through entity in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xi). Social Services did not identify whether the federal award was for research and development in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xiii). Social Services did not include the federal award project description in two of the 20 (10%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(x). Social Services did not accurately report the name of the federal awarding agency in two of the 20 (10%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xi). Social Services did not include the Assistance Listing Number in one of the 20 (5%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xii). Social Services did not identify the indirect cost rate for the federal award in one of the 20 (5%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xiv). During fiscal year 2024, Social Services disbursed approximately $46 million in federal funds from the TANF federal grant program through 238 subawards. While Social Services communicates federal award information to subgrantees, it does not consistently communicate all of the federal grant award information required in its subaward renewal agreements. The Contract and Procurement team within Social Services’ Division of General Services works collaboratively with grants administrators when preparing subaward agreements. However, the Contract and Procurement team has experienced turnover over the last several years and has lost institutional knowledge in some of its key positions as it pertains to federal grant requirements. Additionally, the Contract and Procurement team does not consistently retain all incorporated attachments in the subaward agreement. Compliance is responsible for ensuring that the agency adheres to federal regulations in 2 CFR § 200.332 through its Agency Monitoring Plan; however, Compliance was not aware of these instances of non-compliance because it was not involved in the preparation of the subaward agreements. According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps ensure adherence to state and federal legal and regulatory standards. Because of the lack of agency-wide collaboration, there were inconsistencies in the information included in the subaward agreements. Without communicating the required federal award information, Social Services increases the risk that subrecipients are unaware of the source of the funding and the applicable requirements, which increases the potential for unallowable costs and non-compliance with federal requirements. Compliance should work collaboratively with the Contract and Procurement team and grants administrators to ensure that subaward agreements include all information required by federal regulations. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-084: Review Non-Locality Subrecipient Single Audit Reports Applicable to: Department of Social Services Prior Year Finding Number: 2023-098; 2022-013; 2021-072; 2020-075; 2019-091; 2018-092 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 Federal Award Number and Year: 2401VATANF - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)(3); 2 CFR § 200.332(f) Known Questioned Costs: $0 Compliance continues to not review non-locality subrecipient Single Audit reports as set forth within its Agency Monitoring Plan. Non-locality subrecipients are subrecipients who are not local governments and are mainly comprised of non-profit organizations. During fiscal year 2024, Social Services disbursed approximately $107 million in federal funds to 244 non-locality subrecipients. While reviewing the Single Audit reports submitted to the Federal Audit Clearinghouse (Clearinghouse) for the most recent audit period for the 27 non-locality subrecipients that received more than $750,000 in federal funds from Social Services during state fiscal year 2024, we noted the following: Six non-locality subrecipients (22%) did not have a Single Audit report available in the Clearinghouse for the most recent audit period. Of the six non-locality subrecipients, three appeared to have never submitted a Single Audit report to the Clearinghouse. Title 2 CFR § 200.332(f) requires pass-through entities to verify their subrecipients are audited if it is expected that the subrecipient’s federal awards expended during the respective fiscal year equaled or exceeded $750,000. Three non-locality subrecipients (11%) had audit findings that affected at least one of Social Services’ federal grant programs. One of the non-locality subrecipient auditors identified $82,253 in known questioned costs as the non-locality subrecipient did not maintain proper documentation to support payroll charges to the TANF federal grant program. Title 2 U.S. CFR § 200.332(d)(3) requires pass-through entities to issue a management decision within six months of acceptance of the audit report by the Clearinghouse. A management decision is Social Services’ written determination, provided to its subrecipient, of the adequacy of the subrecipient’s proposed corrective actions to address the audit findings, based on Social Services’ evaluation of the audit findings, including determining if the questioned costs are disallowed and need to be repaid to the federal awarding agency, and proposed corrective actions. As part of its planned corrective action, Compliance stated that it intends to procure a grants management system with subrecipient monitoring capabilities necessary to comply with federal requirements and has worked with Social Services’ Executive Team to secure funding. However, Compliance has yet to establish a timeline for when it intends for the solution to be fully functional. Additionally, Compliance has not evaluated what alternative corrective actions are available to become compliant. According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps ensure adherence to state and federal legal and regulatory standards. Additionally, Social Services’ Agency Monitoring Plan assigns the responsibility to Compliance for overseeing the agency’s subrecipient monitoring process. Without verifying whether non-locality subrecipients received a Single Audit, Compliance is unable to assure Social Services’ Executive Team that it is fulfilling the pass-through entity responsibilities in 2 CFR § 200.332. Not complying with federal regulations could result in federal awarding agencies temporarily withholding payments until it takes corrective action, disallowing costs for all or part of the activity associated with the noncompliance, suspending, or terminating the federal award in part or in its entirety, initiating initial suspension or debarment proceedings, and/or withholding further federal funds for the project or program. Further, Social Services may be unaware of a potential liability to the Commonwealth by not reviewing the non-locality Single Audit reports. Compliance should consider exploring alternative corrective actions as it continues to develop and implement its grants management system, such as obtaining a list of non-locality subrecipients from its internal accounting system and reviewing the Single Audit reports in the Clearinghouse. Evaluating alternative corrective actions to become compliant with federal regulations will help Social Services mitigate the risks of incurring federal sanctions. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations Applicable to: Department of Social Services Prior Year Finding Number: 2023-100; 2022-016; 2021-071 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568 Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b) Known Questioned Costs: $0 Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures. While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan: Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year. Program consultants did not include adequate justification for why it would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk. Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments. Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients. Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse. Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year. Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the pass-through entities used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan Applicable to: Department of Social Services Prior Year Finding Number: 2023-102; 2022-014 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568 Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d) Known Questioned Costs: $0 Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan: Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had less sampling units than required by its subrecipient monitoring plan. Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors which created a higher risk of non-compliance. Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year. Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards. Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-083: Ensure Subaward Agreements Meet Federal Regulations Applicable to: Department of Social Services Prior Year Finding Number: N/A Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 Federal Award Number and Year: 2401VATANF - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(a)(1) Known Questioned Costs: $0 Social Services does not include all information required by federal regulations in its subaward renewal agreements. We tested 20 subaward renewal agreements and noted that all of them did not contain one or more of the elements required by 2 CFR § 200.332(a)(1). Specifically, we noted the following instances of non-compliance in these subaward renewal agreements: Social Services did not include the correct Federal Award Identification Number (FAIN) in 15 of the 20 (75%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iii). Social Services did not include the federal award date in eight of the 20 (40%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iv). Social Services did not update the federal award date in 12 of the 20 (60%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iv). Social Services did not include the FAIN in five of the 20 (25%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(iii). Social Services did not include the amount of federal funds obligated in the subaward in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(vii). Social Services did not include the subrecipient’s unique entity identifier in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(ii). Social Services did not include the contact information for the awarding official of the pass-through entity in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xi). Social Services did not identify whether the federal award was for research and development in four of the 20 (20%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xiii). Social Services did not include the federal award project description in two of the 20 (10%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(x). Social Services did not accurately report the name of the federal awarding agency in two of the 20 (10%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xi). Social Services did not include the Assistance Listing Number in one of the 20 (5%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xii). Social Services did not identify the indirect cost rate for the federal award in one of the 20 (5%) subaward renewal agreements, as required by 2 CFR § 200.332(a)(1)(xiv). During fiscal year 2024, Social Services disbursed approximately $46 million in federal funds from the TANF federal grant program through 238 subawards. While Social Services communicates federal award information to subgrantees, it does not consistently communicate all of the federal grant award information required in its subaward renewal agreements. The Contract and Procurement team within Social Services’ Division of General Services works collaboratively with grants administrators when preparing subaward agreements. However, the Contract and Procurement team has experienced turnover over the last several years and has lost institutional knowledge in some of its key positions as it pertains to federal grant requirements. Additionally, the Contract and Procurement team does not consistently retain all incorporated attachments in the subaward agreement. Compliance is responsible for ensuring that the agency adheres to federal regulations in 2 CFR § 200.332 through its Agency Monitoring Plan; however, Compliance was not aware of these instances of non-compliance because it was not involved in the preparation of the subaward agreements. According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps ensure adherence to state and federal legal and regulatory standards. Because of the lack of agency-wide collaboration, there were inconsistencies in the information included in the subaward agreements. Without communicating the required federal award information, Social Services increases the risk that subrecipients are unaware of the source of the funding and the applicable requirements, which increases the potential for unallowable costs and non-compliance with federal requirements. Compliance should work collaboratively with the Contract and Procurement team and grants administrators to ensure that subaward agreements include all information required by federal regulations. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-084: Review Non-Locality Subrecipient Single Audit Reports Applicable to: Department of Social Services Prior Year Finding Number: 2023-098; 2022-013; 2021-072; 2020-075; 2019-091; 2018-092 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Temporary Assistance for Needy Families (TANF) - 93.558 Federal Award Number and Year: 2401VATANF - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d)(3); 2 CFR § 200.332(f) Known Questioned Costs: $0 Compliance continues to not review non-locality subrecipient Single Audit reports as set forth within its Agency Monitoring Plan. Non-locality subrecipients are subrecipients who are not local governments and are mainly comprised of non-profit organizations. During fiscal year 2024, Social Services disbursed approximately $107 million in federal funds to 244 non-locality subrecipients. While reviewing the Single Audit reports submitted to the Federal Audit Clearinghouse (Clearinghouse) for the most recent audit period for the 27 non-locality subrecipients that received more than $750,000 in federal funds from Social Services during state fiscal year 2024, we noted the following: Six non-locality subrecipients (22%) did not have a Single Audit report available in the Clearinghouse for the most recent audit period. Of the six non-locality subrecipients, three appeared to have never submitted a Single Audit report to the Clearinghouse. Title 2 CFR § 200.332(f) requires pass-through entities to verify their subrecipients are audited if it is expected that the subrecipient’s federal awards expended during the respective fiscal year equaled or exceeded $750,000. Three non-locality subrecipients (11%) had audit findings that affected at least one of Social Services’ federal grant programs. One of the non-locality subrecipient auditors identified $82,253 in known questioned costs as the non-locality subrecipient did not maintain proper documentation to support payroll charges to the TANF federal grant program. Title 2 U.S. CFR § 200.332(d)(3) requires pass-through entities to issue a management decision within six months of acceptance of the audit report by the Clearinghouse. A management decision is Social Services’ written determination, provided to its subrecipient, of the adequacy of the subrecipient’s proposed corrective actions to address the audit findings, based on Social Services’ evaluation of the audit findings, including determining if the questioned costs are disallowed and need to be repaid to the federal awarding agency, and proposed corrective actions. As part of its planned corrective action, Compliance stated that it intends to procure a grants management system with subrecipient monitoring capabilities necessary to comply with federal requirements and has worked with Social Services’ Executive Team to secure funding. However, Compliance has yet to establish a timeline for when it intends for the solution to be fully functional. Additionally, Compliance has not evaluated what alternative corrective actions are available to become compliant. According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps ensure adherence to state and federal legal and regulatory standards. Additionally, Social Services’ Agency Monitoring Plan assigns the responsibility to Compliance for overseeing the agency’s subrecipient monitoring process. Without verifying whether non-locality subrecipients received a Single Audit, Compliance is unable to assure Social Services’ Executive Team that it is fulfilling the pass-through entity responsibilities in 2 CFR § 200.332. Not complying with federal regulations could result in federal awarding agencies temporarily withholding payments until it takes corrective action, disallowing costs for all or part of the activity associated with the noncompliance, suspending, or terminating the federal award in part or in its entirety, initiating initial suspension or debarment proceedings, and/or withholding further federal funds for the project or program. Further, Social Services may be unaware of a potential liability to the Commonwealth by not reviewing the non-locality Single Audit reports. Compliance should consider exploring alternative corrective actions as it continues to develop and implement its grants management system, such as obtaining a list of non-locality subrecipients from its internal accounting system and reviewing the Single Audit reports in the Clearinghouse. Evaluating alternative corrective actions to become compliant with federal regulations will help Social Services mitigate the risks of incurring federal sanctions. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations Applicable to: Department of Social Services Prior Year Finding Number: 2023-100; 2022-016; 2021-071 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568 Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b) Known Questioned Costs: $0 Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures. While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan: Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year. Program consultants did not include adequate justification for why it would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk. Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments. Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients. Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse. Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year. Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the pass-through entities used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan Applicable to: Department of Social Services Prior Year Finding Number: 2023-102; 2022-014 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568 Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d) Known Questioned Costs: $0 Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan: Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had less sampling units than required by its subrecipient monitoring plan. Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors which created a higher risk of non-compliance. Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year. Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards. Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations Applicable to: Department of Social Services Prior Year Finding Number: 2023-100; 2022-016; 2021-071 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568 Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b) Known Questioned Costs: $0 Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures. While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan: Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year. Program consultants did not include adequate justification for why it would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk. Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments. Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients. Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse. Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year. Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the pass-through entities used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan Applicable to: Department of Social Services Prior Year Finding Number: 2023-102; 2022-014 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568 Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d) Known Questioned Costs: $0 Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan: Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had less sampling units than required by its subrecipient monitoring plan. Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors which created a higher risk of non-compliance. Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year. Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards. Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations Applicable to: Department of Social Services Prior Year Finding Number: 2023-100; 2022-016; 2021-071 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568 Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b) Known Questioned Costs: $0 Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures. While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan: Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year. Program consultants did not include adequate justification for why it would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk. Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments. Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients. Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse. Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year. Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the pass-through entities used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan Applicable to: Department of Social Services Prior Year Finding Number: 2023-102; 2022-014 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568 Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d) Known Questioned Costs: $0 Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan: Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had less sampling units than required by its subrecipient monitoring plan. Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors which created a higher risk of non-compliance. Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year. Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards. Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-082: Perform Responsibilities Outlined in the Agency Monitoring Plan Applicable to: Department of Social Services Prior Year Finding Number: 2023-097; 2022-011; 2021-070; 2020-074; 2019-090; 2018-093 Type of Finding: Internal Control and Compliance Severity of Deficiency: Material Weakness Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.303(a); 2 CFR § 200.332 Known Questioned Costs: $0 Compliance continues to not adhere to its established approach to oversee the agency’s subrecipient monitoring activities, as outlined in its Agency Monitoring Plan. According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps to ensure adherence to state and federal legal and regulatory standards, including subrecipient monitoring. During fiscal year 2024, Social Services disbursed approximately $660 million to 342 subrecipients from 30 federal grant programs. During the audit, we noted the following deviations from the Agency Monitoring Plan: Compliance continues to not review programmatic division annual subrecipient monitoring plans to ensure they implement a risk-based approach. The Agency Monitoring Plan states that Compliance will use a Monitoring Plan Checklist to evaluate and determine if all the required elements for subrecipient monitoring are present in each division’s plan. Compliance does not hold monthly meetings with Subrecipient Monitoring Coordinators, as required by the Agency Monitoring Plan, where divisions can share information concerning risks and federal and/or grant-specific requirements, approaches to assessing risk, and changes that could affect subrecipients and the monitoring processes. Compliance has not reviewed each division’s monitoring activities nor provided quarterly reports of variances and noncompliance from the Agency Monitoring Plan to Social Services’ executive team. As a result, Compliance did not identify that the Division of Benefit Programs (Benefit Programs) did not complete risk assessments for 50 of its 324 (15%) locality subrecipients, properly document considerations for localities with elevated risks, nor perform adequate risk assessments for their non-locality subrecipients. Since the prior audit, Compliance has communicated the Agency Monitoring Plan to the Subrecipient Monitoring Coordinators. Additionally, Compliance has worked with Social Services’ Executive Team to secure funding for a grants management system and additional subrecipient monitor positions. However, Compliance has yet to establish a timeline for when it intends for the system to be fully functional and has not explored alternate options to comply with its Agency Monitoring Plan. Further, Compliance has not collaborated with Subrecipient Monitoring Coordinators to determine how the agency collectively plans to accomplish the goals and objectives set forth within the Agency Monitoring Plan. Collaboration between Compliance and Subrecipient Monitoring Coordinators is imperative to ensuring that Social Services complies with the pass-through entity requirements in 2 CFR § 200.332. Title 2 CFR § 200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot assure that the agency’s subrecipient monitoring efforts are adequate to comply with the regulations at 2 CFR § 200.332. Additionally, Compliance places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards by not monitoring the agency’s subrecipient monitoring activities. Because of the scope of this matter and the magnitude of Social Services’ subrecipient monitoring responsibilities, we consider these weaknesses collectively to create a material weakness in internal controls over compliance. Compliance should work collaboratively with Social Services’ Executive Team and the subrecipient monitoring coordinators to fulfil the agency’s responsibilities in the Agency Monitoring Plan. Further, Compliance should explore alternative solutions to track and monitor each division’s subrecipient monitoring activities and report the results to the Executive Team until it develops and implements its grants management system. Evaluating alternative solutions will help Social Services mitigate the risk of incurring federal sanctions because of non-compliance. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations Applicable to: Department of Social Services Prior Year Finding Number: 2023-100; 2022-016; 2021-071 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568 Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b) Known Questioned Costs: $0 Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures. While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan: Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year. Program consultants did not include adequate justification for why it would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk. Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments. Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients. Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse. Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year. Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the pass-through entities used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan Applicable to: Department of Social Services Prior Year Finding Number: 2023-102; 2022-014 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568 Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d) Known Questioned Costs: $0 Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan: Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had less sampling units than required by its subrecipient monitoring plan. Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors which created a higher risk of non-compliance. Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year. Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards. Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-082: Perform Responsibilities Outlined in the Agency Monitoring Plan Applicable to: Department of Social Services Prior Year Finding Number: 2023-097; 2022-011; 2021-070; 2020-074; 2019-090; 2018-093 Type of Finding: Internal Control and Compliance Severity of Deficiency: Material Weakness Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.303(a); 2 CFR § 200.332 Known Questioned Costs: $0 Compliance continues to not adhere to its established approach to oversee the agency’s subrecipient monitoring activities, as outlined in its Agency Monitoring Plan. According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps to ensure adherence to state and federal legal and regulatory standards, including subrecipient monitoring. During fiscal year 2024, Social Services disbursed approximately $660 million to 342 subrecipients from 30 federal grant programs. During the audit, we noted the following deviations from the Agency Monitoring Plan: Compliance continues to not review programmatic division annual subrecipient monitoring plans to ensure they implement a risk-based approach. The Agency Monitoring Plan states that Compliance will use a Monitoring Plan Checklist to evaluate and determine if all the required elements for subrecipient monitoring are present in each division’s plan. Compliance does not hold monthly meetings with Subrecipient Monitoring Coordinators, as required by the Agency Monitoring Plan, where divisions can share information concerning risks and federal and/or grant-specific requirements, approaches to assessing risk, and changes that could affect subrecipients and the monitoring processes. Compliance has not reviewed each division’s monitoring activities nor provided quarterly reports of variances and noncompliance from the Agency Monitoring Plan to Social Services’ executive team. As a result, Compliance did not identify that the Division of Benefit Programs (Benefit Programs) did not complete risk assessments for 50 of its 324 (15%) locality subrecipients, properly document considerations for localities with elevated risks, nor perform adequate risk assessments for their non-locality subrecipients. Since the prior audit, Compliance has communicated the Agency Monitoring Plan to the Subrecipient Monitoring Coordinators. Additionally, Compliance has worked with Social Services’ Executive Team to secure funding for a grants management system and additional subrecipient monitor positions. However, Compliance has yet to establish a timeline for when it intends for the system to be fully functional and has not explored alternate options to comply with its Agency Monitoring Plan. Further, Compliance has not collaborated with Subrecipient Monitoring Coordinators to determine how the agency collectively plans to accomplish the goals and objectives set forth within the Agency Monitoring Plan. Collaboration between Compliance and Subrecipient Monitoring Coordinators is imperative to ensuring that Social Services complies with the pass-through entity requirements in 2 CFR § 200.332. Title 2 CFR § 200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot assure that the agency’s subrecipient monitoring efforts are adequate to comply with the regulations at 2 CFR § 200.332. Additionally, Compliance places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards by not monitoring the agency’s subrecipient monitoring activities. Because of the scope of this matter and the magnitude of Social Services’ subrecipient monitoring responsibilities, we consider these weaknesses collectively to create a material weakness in internal controls over compliance. Compliance should work collaboratively with Social Services’ Executive Team and the subrecipient monitoring coordinators to fulfil the agency’s responsibilities in the Agency Monitoring Plan. Further, Compliance should explore alternative solutions to track and monitor each division’s subrecipient monitoring activities and report the results to the Executive Team until it develops and implements its grants management system. Evaluating alternative solutions will help Social Services mitigate the risk of incurring federal sanctions because of non-compliance. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations Applicable to: Department of Social Services Prior Year Finding Number: 2023-100; 2022-016; 2021-071 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568 Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b) Known Questioned Costs: $0 Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures. While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan: Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year. Program consultants did not include adequate justification for why it would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk. Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments. Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients. Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse. Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year. Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the pass-through entities used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan Applicable to: Department of Social Services Prior Year Finding Number: 2023-102; 2022-014 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568 Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d) Known Questioned Costs: $0 Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan: Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had less sampling units than required by its subrecipient monitoring plan. Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors which created a higher risk of non-compliance. Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year. Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards. Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-082: Perform Responsibilities Outlined in the Agency Monitoring Plan Applicable to: Department of Social Services Prior Year Finding Number: 2023-097; 2022-011; 2021-070; 2020-074; 2019-090; 2018-093 Type of Finding: Internal Control and Compliance Severity of Deficiency: Material Weakness Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778 Federal Award Number and Year: 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.303(a); 2 CFR § 200.332 Known Questioned Costs: $0 Compliance continues to not adhere to its established approach to oversee the agency’s subrecipient monitoring activities, as outlined in its Agency Monitoring Plan. According to Social Services’ Organizational Structure Report, Compliance is responsible for agency-wide compliance and risk mitigation that helps to ensure adherence to state and federal legal and regulatory standards, including subrecipient monitoring. During fiscal year 2024, Social Services disbursed approximately $660 million to 342 subrecipients from 30 federal grant programs. During the audit, we noted the following deviations from the Agency Monitoring Plan: Compliance continues to not review programmatic division annual subrecipient monitoring plans to ensure they implement a risk-based approach. The Agency Monitoring Plan states that Compliance will use a Monitoring Plan Checklist to evaluate and determine if all the required elements for subrecipient monitoring are present in each division’s plan. Compliance does not hold monthly meetings with Subrecipient Monitoring Coordinators, as required by the Agency Monitoring Plan, where divisions can share information concerning risks and federal and/or grant-specific requirements, approaches to assessing risk, and changes that could affect subrecipients and the monitoring processes. Compliance has not reviewed each division’s monitoring activities nor provided quarterly reports of variances and noncompliance from the Agency Monitoring Plan to Social Services’ executive team. As a result, Compliance did not identify that the Division of Benefit Programs (Benefit Programs) did not complete risk assessments for 50 of its 324 (15%) locality subrecipients, properly document considerations for localities with elevated risks, nor perform adequate risk assessments for their non-locality subrecipients. Since the prior audit, Compliance has communicated the Agency Monitoring Plan to the Subrecipient Monitoring Coordinators. Additionally, Compliance has worked with Social Services’ Executive Team to secure funding for a grants management system and additional subrecipient monitor positions. However, Compliance has yet to establish a timeline for when it intends for the system to be fully functional and has not explored alternate options to comply with its Agency Monitoring Plan. Further, Compliance has not collaborated with Subrecipient Monitoring Coordinators to determine how the agency collectively plans to accomplish the goals and objectives set forth within the Agency Monitoring Plan. Collaboration between Compliance and Subrecipient Monitoring Coordinators is imperative to ensuring that Social Services complies with the pass-through entity requirements in 2 CFR § 200.332. Title 2 CFR § 200.303(a) requires pass-through entities to establish, document, and maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Without performing the responsibilities in the Agency Monitoring Plan, Compliance cannot assure that the agency’s subrecipient monitoring efforts are adequate to comply with the regulations at 2 CFR § 200.332. Additionally, Compliance places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards by not monitoring the agency’s subrecipient monitoring activities. Because of the scope of this matter and the magnitude of Social Services’ subrecipient monitoring responsibilities, we consider these weaknesses collectively to create a material weakness in internal controls over compliance. Compliance should work collaboratively with Social Services’ Executive Team and the subrecipient monitoring coordinators to fulfil the agency’s responsibilities in the Agency Monitoring Plan. Further, Compliance should explore alternative solutions to track and monitor each division’s subrecipient monitoring activities and report the results to the Executive Team until it develops and implements its grants management system. Evaluating alternative solutions will help Social Services mitigate the risk of incurring federal sanctions because of non-compliance. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-085: Evaluate Subrecipients’ Risk of Noncompliance in Accordance with Federal Regulations Applicable to: Department of Social Services Prior Year Finding Number: 2023-100; 2022-016; 2021-071 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568 Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(b) Known Questioned Costs: $0 Benefit Programs did not confirm that program consultants evaluated each subrecipient’s risk of noncompliance in accordance with federal regulations. Benefit Programs oversees the administration of the Medicaid, SNAP, TANF, and LIHEAP federal grant programs. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Additionally, Benefit Programs partnered with program consultants to perform risk assessment procedures. While auditing Benefit Programs’ fiscal year 2024 subrecipient monitoring activities, we noted the following deviations from its subrecipient monitoring plan: Program consultants did not complete non-locality programmatic risk assessments for 219 out of 251 (87%) subawards with payments during the fiscal year. Program consultants did not include adequate justification for why it would not perform a monitoring review during the monitoring period for 83 out of 274 (30%) locality programmatic risk assessments assessed as high or medium risk. Program consultants did not complete 50 out of 324 (15%) locality programmatic risk assessments. Program consultants assessed three of the non-locality subrecipients as moderate risk without an adequate justification of why a monitoring review would not be scheduled for these non-locality subrecipients. Program consultants improperly assessed two of the non-locality subrecipients as low risk even though they had never submitted a Single Audit report to the Clearinghouse. Program consultants did not include a locality programmatic risk assessment that was identified as requiring a targeted monitoring review in their schedule for the fiscal year. Title 2 CFR § 200.332(b) requires pass-through entities to evaluate each subrecipient's risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring. Without performing the proper risk assessment procedures, Benefit Programs cannot demonstrate that it monitored the activities of the subrecipients as necessary to ensure that the pass-through entities used the subawards for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Benefit Programs was not able to adequately oversee the implementation of its risk assessment processes due to turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants complete risk assessment procedures for all of its subrecipients in accordance with its subrecipient monitoring plan. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
2024-086: Confirm Monitoring Activities are Conducted in Accordance with the Monitoring Plan Applicable to: Department of Social Services Prior Year Finding Number: 2023-102; 2022-014 Type of Finding: Internal Control and Compliance Severity of Deficiency: Significant Deficiency Information System Security Control Family: N/A ALPT or Cluster Name and ALN: Medicaid Cluster - 93.775, 93.777, 93.778; Temporary Assistance for Needy Families (TANF) - 93.558; Low-Income Home Energy Assistance Program (LIHEAP) - 93.568 Federal Award Number and Year: 2401VATANF; 2401VALIEA; 2405VA5MAP - 2024 Name of Federal Agency: U.S. Department of Health and Human Services Type of Compliance Requirement - Criteria: Subrecipient Monitoring - 2 CFR § 200.332(d) Known Questioned Costs: $0 Benefit Programs did not confirm that program consultants performed all required subrecipient monitoring activities in accordance with its subrecipient monitoring plan. During fiscal year 2024, Social Services disbursed approximately $660 million in federal funds to roughly 342 subrecipients from 30 federal grant programs. As part of its fiscal year 2024 corrective action efforts, Benefit Programs updated its monitoring plan to include risk assessment and monitoring reviews for both localities and non-localities subrecipients, began performing locality and non-locality risk assessments, and created tracking documents to better manage the subrecipient monitoring process. Further, Benefit Programs partnered with program consultants to execute its subrecipient monitoring activities. While auditing Benefit Programs’ fiscal year 2024 monitoring activities, we noted the following deviations from its subrecipient monitoring plan: Benefit Programs did not confirm program consultants notified the locality timely about the subrecipient monitoring review process. As a result, Benefit Programs did not identify that program consultants did not initiate timely communications for five out of 19 (26%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants fully documented corrective actions taken by its subrecipients in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide fully documented corrective action plans for four out of 19 (21%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants uploaded all fiscal year 2024 monitoring review records to its data repository in accordance with its subrecipient monitoring plan. As a result, Benefit Programs was not able to provide complete documentation for three out of 19 (16%) scheduled locality monitoring reviews. Benefit Programs did not confirm that program consultants included the appropriate sampling units, as outlined in its subrecipient monitoring plan. As a result, Benefit Programs did not identify that three out of 19 (16%) locality monitoring reviews had less sampling units than required by its subrecipient monitoring plan. Benefit Programs did not confirm that program consultants performed all scheduled monitoring reviews. As a result, Benefit Programs did not identify that program consultants did not perform a scheduled monitoring review for one out of 19 (5%) of its locality subrecipients. Based on Benefit Programs’ subrecipient monitoring risk assessments, this locality review was necessary due to the presence of risk factors which created a higher risk of non-compliance. Benefit Programs has not fully implemented its non-locality risk assessment and monitoring review processes which caused program consultants to perform only one monitoring review over approximately 251 non-locality subawards with payments during the fiscal year. Title 2 CFR § 200.332(e) requires the pass-through entity to monitor the activities of the subrecipient as necessary to ensure that the subrecipient uses the subaward for authorized purposes in compliance with federal statutes, regulations, and the terms and conditions of the subaward. Without confirming that program consultants conducted monitoring activities in accordance with the monitoring plan, Benefit Programs cannot provide assurance that it complied with federal regulations and potentially places Social Services at risk of disallowed expenditures and/or suspension or termination of its federal awards. Benefit Programs was not able to adequately oversee the execution of monitoring activities because of turnover in its subrecipient monitoring coordinator position. Additionally, Social Services’ Compliance Division was not aware of this non-compliance because it was not performing its monitoring responsibilities in accordance with its Agency Monitoring Plan. Benefit Programs should continue to evaluate its resource levels to ensure that it has adequate resources to effectively oversee the execution of its subrecipient monitoring plan. Additionally, Benefit Programs should dedicate the necessary resources to confirm that program consultants are performing monitoring procedures in accordance with its subrecipient monitoring plan. Views of Responsible Officials: The views of responsible officials are included in the report related to their applicable organization, which can be found at www.apa.virginia.gov and, in summary, do not express disagreement with the finding.
FINDING 2024-001 Subject: Child Nutrition Cluster - Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Special Tests and Provisions - Non-Profit School Food Service Accounts Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program, Summer Food Service Program for Children Assistance Listings Numbers: 10.553, 10.555, 10.559 Federal Award Numbers and Years (or Other Identifying Numbers): SY 2022-2023, SY 2023-2024 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - Non-Profit School Food Service Accounts Audit Findings: Significant Deficiency, Other Matters Condition and Context The School Corporation had not properly designed or implemented a system of internal controls, which would include appropriate segregation of duties, that would likely be effective in preventing, or detecting and correcting, noncompliance related to expenditures charged to the food service program fund. Indirect costs are those expenditures that benefit multiple programs, including the Child Nutrition Cluster that can be partially allocated to the program. To charge indirect costs, the School Corporation must apply for an indirect cost rate from the Indiana Department of Education (IDOE) each year. Indirect cost rates are calculated by the IDOE Office of School Finance utilizing the School Corporation's semiannual School Financial Report referred to as the Form 9. The School Corporation performed transfers out of the School Lunch fund for the allocated portion of the food service's utility service costs through the process of an indirect cost calculation performed by the School Corporation for the year ended June 30, 2024. The School Corporation had not applied or received approval from the IDOE to utilize an indirect cost rate. The total amount charged to the School Lunch fund for these costs totaled $275,724 for the year ended June 30, 2024. This amount was considered questioned costs. The lack of internal controls and noncompliance was isolated to the year ended June 30, 2024, and indirect costs noted above. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." INDIANA STATE BOARD OF ACCOUNTS 16 SCHOOL CITY OF MISHAWAKA SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) 2 CFR 200.403 states in part: "Except where otherwise authorized by statute, costs must meet the following general criteria in order to be allowable under Federal awards: (a) Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles. (b) Conform to any limitations or exclusions set forth in these principles or in the Federal award as to types or amount of cost items. . . . (g) Be adequately documented. . . ." 2 CFR 200.332(b)(4) states: "Indirect cost rate: (i) An approved indirect cost rate negotiated between the subrecipient and the Federal Government. If no approved rate exists, a pass-through entity must determine the appropriate rate in collaboration with the subrecipient. The indirect cost rate may be either: (A) An indirect cost rate negotiated between the pass-through entity and the subrecipient. These rates may be based on a prior negotiated rate between a different pass-through entity and the subrecipient, in which case the pass-through entity is not required to collect information justifying the rate but may elect to do so; or (B) The de minimis indirect cost rate." Cause A proper system of internal controls was not designed by management of the School Corporation. The School Corporation calculated and charged an indirect cost rate to the food service program but did not seek approval from the IDOE by completing an application to obtain and use an indirect cost rate. Effect Noncompliance with the grant agreement and the compliance requirement resulted in questioned costs and could result in the repayment of federal funds. Questioned Costs Known questioned costs of $275,724 were identified as detailed in the Condition and Context. Recommendation We recommended the School Corporation's management establish a proper system of internal controls to ensure that the disbursements are for the benefit of the school lunch program and comply with the Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - Non-Profit School Food Service Accounts compliance requirements. INDIANA STATE BOARD OF ACCOUNTS 17 SCHOOL CITY OF MISHAWAKA SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2024-001 Subject: Child Nutrition Cluster - Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Special Tests and Provisions - Non-Profit School Food Service Accounts Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program, Summer Food Service Program for Children Assistance Listings Numbers: 10.553, 10.555, 10.559 Federal Award Numbers and Years (or Other Identifying Numbers): SY 2022-2023, SY 2023-2024 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - Non-Profit School Food Service Accounts Audit Findings: Significant Deficiency, Other Matters Condition and Context The School Corporation had not properly designed or implemented a system of internal controls, which would include appropriate segregation of duties, that would likely be effective in preventing, or detecting and correcting, noncompliance related to expenditures charged to the food service program fund. Indirect costs are those expenditures that benefit multiple programs, including the Child Nutrition Cluster that can be partially allocated to the program. To charge indirect costs, the School Corporation must apply for an indirect cost rate from the Indiana Department of Education (IDOE) each year. Indirect cost rates are calculated by the IDOE Office of School Finance utilizing the School Corporation's semiannual School Financial Report referred to as the Form 9. The School Corporation performed transfers out of the School Lunch fund for the allocated portion of the food service's utility service costs through the process of an indirect cost calculation performed by the School Corporation for the year ended June 30, 2024. The School Corporation had not applied or received approval from the IDOE to utilize an indirect cost rate. The total amount charged to the School Lunch fund for these costs totaled $275,724 for the year ended June 30, 2024. This amount was considered questioned costs. The lack of internal controls and noncompliance was isolated to the year ended June 30, 2024, and indirect costs noted above. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." INDIANA STATE BOARD OF ACCOUNTS 16 SCHOOL CITY OF MISHAWAKA SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) 2 CFR 200.403 states in part: "Except where otherwise authorized by statute, costs must meet the following general criteria in order to be allowable under Federal awards: (a) Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles. (b) Conform to any limitations or exclusions set forth in these principles or in the Federal award as to types or amount of cost items. . . . (g) Be adequately documented. . . ." 2 CFR 200.332(b)(4) states: "Indirect cost rate: (i) An approved indirect cost rate negotiated between the subrecipient and the Federal Government. If no approved rate exists, a pass-through entity must determine the appropriate rate in collaboration with the subrecipient. The indirect cost rate may be either: (A) An indirect cost rate negotiated between the pass-through entity and the subrecipient. These rates may be based on a prior negotiated rate between a different pass-through entity and the subrecipient, in which case the pass-through entity is not required to collect information justifying the rate but may elect to do so; or (B) The de minimis indirect cost rate." Cause A proper system of internal controls was not designed by management of the School Corporation. The School Corporation calculated and charged an indirect cost rate to the food service program but did not seek approval from the IDOE by completing an application to obtain and use an indirect cost rate. Effect Noncompliance with the grant agreement and the compliance requirement resulted in questioned costs and could result in the repayment of federal funds. Questioned Costs Known questioned costs of $275,724 were identified as detailed in the Condition and Context. Recommendation We recommended the School Corporation's management establish a proper system of internal controls to ensure that the disbursements are for the benefit of the school lunch program and comply with the Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - Non-Profit School Food Service Accounts compliance requirements. INDIANA STATE BOARD OF ACCOUNTS 17 SCHOOL CITY OF MISHAWAKA SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2024-001 Subject: Child Nutrition Cluster - Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Special Tests and Provisions - Non-Profit School Food Service Accounts Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program, Summer Food Service Program for Children Assistance Listings Numbers: 10.553, 10.555, 10.559 Federal Award Numbers and Years (or Other Identifying Numbers): SY 2022-2023, SY 2023-2024 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - Non-Profit School Food Service Accounts Audit Findings: Significant Deficiency, Other Matters Condition and Context The School Corporation had not properly designed or implemented a system of internal controls, which would include appropriate segregation of duties, that would likely be effective in preventing, or detecting and correcting, noncompliance related to expenditures charged to the food service program fund. Indirect costs are those expenditures that benefit multiple programs, including the Child Nutrition Cluster that can be partially allocated to the program. To charge indirect costs, the School Corporation must apply for an indirect cost rate from the Indiana Department of Education (IDOE) each year. Indirect cost rates are calculated by the IDOE Office of School Finance utilizing the School Corporation's semiannual School Financial Report referred to as the Form 9. The School Corporation performed transfers out of the School Lunch fund for the allocated portion of the food service's utility service costs through the process of an indirect cost calculation performed by the School Corporation for the year ended June 30, 2024. The School Corporation had not applied or received approval from the IDOE to utilize an indirect cost rate. The total amount charged to the School Lunch fund for these costs totaled $275,724 for the year ended June 30, 2024. This amount was considered questioned costs. The lack of internal controls and noncompliance was isolated to the year ended June 30, 2024, and indirect costs noted above. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." INDIANA STATE BOARD OF ACCOUNTS 16 SCHOOL CITY OF MISHAWAKA SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) 2 CFR 200.403 states in part: "Except where otherwise authorized by statute, costs must meet the following general criteria in order to be allowable under Federal awards: (a) Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles. (b) Conform to any limitations or exclusions set forth in these principles or in the Federal award as to types or amount of cost items. . . . (g) Be adequately documented. . . ." 2 CFR 200.332(b)(4) states: "Indirect cost rate: (i) An approved indirect cost rate negotiated between the subrecipient and the Federal Government. If no approved rate exists, a pass-through entity must determine the appropriate rate in collaboration with the subrecipient. The indirect cost rate may be either: (A) An indirect cost rate negotiated between the pass-through entity and the subrecipient. These rates may be based on a prior negotiated rate between a different pass-through entity and the subrecipient, in which case the pass-through entity is not required to collect information justifying the rate but may elect to do so; or (B) The de minimis indirect cost rate." Cause A proper system of internal controls was not designed by management of the School Corporation. The School Corporation calculated and charged an indirect cost rate to the food service program but did not seek approval from the IDOE by completing an application to obtain and use an indirect cost rate. Effect Noncompliance with the grant agreement and the compliance requirement resulted in questioned costs and could result in the repayment of federal funds. Questioned Costs Known questioned costs of $275,724 were identified as detailed in the Condition and Context. Recommendation We recommended the School Corporation's management establish a proper system of internal controls to ensure that the disbursements are for the benefit of the school lunch program and comply with the Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - Non-Profit School Food Service Accounts compliance requirements. INDIANA STATE BOARD OF ACCOUNTS 17 SCHOOL CITY OF MISHAWAKA SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2024-001 Subject: Child Nutrition Cluster - Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Special Tests and Provisions - Non-Profit School Food Service Accounts Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program, Summer Food Service Program for Children Assistance Listings Numbers: 10.553, 10.555, 10.559 Federal Award Numbers and Years (or Other Identifying Numbers): SY 2022-2023, SY 2023-2024 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - Non-Profit School Food Service Accounts Audit Findings: Significant Deficiency, Other Matters Condition and Context The School Corporation had not properly designed or implemented a system of internal controls, which would include appropriate segregation of duties, that would likely be effective in preventing, or detecting and correcting, noncompliance related to expenditures charged to the food service program fund. Indirect costs are those expenditures that benefit multiple programs, including the Child Nutrition Cluster that can be partially allocated to the program. To charge indirect costs, the School Corporation must apply for an indirect cost rate from the Indiana Department of Education (IDOE) each year. Indirect cost rates are calculated by the IDOE Office of School Finance utilizing the School Corporation's semiannual School Financial Report referred to as the Form 9. The School Corporation performed transfers out of the School Lunch fund for the allocated portion of the food service's utility service costs through the process of an indirect cost calculation performed by the School Corporation for the year ended June 30, 2024. The School Corporation had not applied or received approval from the IDOE to utilize an indirect cost rate. The total amount charged to the School Lunch fund for these costs totaled $275,724 for the year ended June 30, 2024. This amount was considered questioned costs. The lack of internal controls and noncompliance was isolated to the year ended June 30, 2024, and indirect costs noted above. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." INDIANA STATE BOARD OF ACCOUNTS 16 SCHOOL CITY OF MISHAWAKA SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) 2 CFR 200.403 states in part: "Except where otherwise authorized by statute, costs must meet the following general criteria in order to be allowable under Federal awards: (a) Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles. (b) Conform to any limitations or exclusions set forth in these principles or in the Federal award as to types or amount of cost items. . . . (g) Be adequately documented. . . ." 2 CFR 200.332(b)(4) states: "Indirect cost rate: (i) An approved indirect cost rate negotiated between the subrecipient and the Federal Government. If no approved rate exists, a pass-through entity must determine the appropriate rate in collaboration with the subrecipient. The indirect cost rate may be either: (A) An indirect cost rate negotiated between the pass-through entity and the subrecipient. These rates may be based on a prior negotiated rate between a different pass-through entity and the subrecipient, in which case the pass-through entity is not required to collect information justifying the rate but may elect to do so; or (B) The de minimis indirect cost rate." Cause A proper system of internal controls was not designed by management of the School Corporation. The School Corporation calculated and charged an indirect cost rate to the food service program but did not seek approval from the IDOE by completing an application to obtain and use an indirect cost rate. Effect Noncompliance with the grant agreement and the compliance requirement resulted in questioned costs and could result in the repayment of federal funds. Questioned Costs Known questioned costs of $275,724 were identified as detailed in the Condition and Context. Recommendation We recommended the School Corporation's management establish a proper system of internal controls to ensure that the disbursements are for the benefit of the school lunch program and comply with the Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - Non-Profit School Food Service Accounts compliance requirements. INDIANA STATE BOARD OF ACCOUNTS 17 SCHOOL CITY OF MISHAWAKA SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2024-001 Subject: Child Nutrition Cluster - Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Special Tests and Provisions - Non-Profit School Food Service Accounts Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program, Summer Food Service Program for Children Assistance Listings Numbers: 10.553, 10.555, 10.559 Federal Award Numbers and Years (or Other Identifying Numbers): SY 2022-2023, SY 2023-2024 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - Non-Profit School Food Service Accounts Audit Findings: Significant Deficiency, Other Matters Condition and Context The School Corporation had not properly designed or implemented a system of internal controls, which would include appropriate segregation of duties, that would likely be effective in preventing, or detecting and correcting, noncompliance related to expenditures charged to the food service program fund. Indirect costs are those expenditures that benefit multiple programs, including the Child Nutrition Cluster that can be partially allocated to the program. To charge indirect costs, the School Corporation must apply for an indirect cost rate from the Indiana Department of Education (IDOE) each year. Indirect cost rates are calculated by the IDOE Office of School Finance utilizing the School Corporation's semiannual School Financial Report referred to as the Form 9. The School Corporation performed transfers out of the School Lunch fund for the allocated portion of the food service's utility service costs through the process of an indirect cost calculation performed by the School Corporation for the year ended June 30, 2024. The School Corporation had not applied or received approval from the IDOE to utilize an indirect cost rate. The total amount charged to the School Lunch fund for these costs totaled $275,724 for the year ended June 30, 2024. This amount was considered questioned costs. The lack of internal controls and noncompliance was isolated to the year ended June 30, 2024, and indirect costs noted above. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." INDIANA STATE BOARD OF ACCOUNTS 16 SCHOOL CITY OF MISHAWAKA SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) 2 CFR 200.403 states in part: "Except where otherwise authorized by statute, costs must meet the following general criteria in order to be allowable under Federal awards: (a) Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles. (b) Conform to any limitations or exclusions set forth in these principles or in the Federal award as to types or amount of cost items. . . . (g) Be adequately documented. . . ." 2 CFR 200.332(b)(4) states: "Indirect cost rate: (i) An approved indirect cost rate negotiated between the subrecipient and the Federal Government. If no approved rate exists, a pass-through entity must determine the appropriate rate in collaboration with the subrecipient. The indirect cost rate may be either: (A) An indirect cost rate negotiated between the pass-through entity and the subrecipient. These rates may be based on a prior negotiated rate between a different pass-through entity and the subrecipient, in which case the pass-through entity is not required to collect information justifying the rate but may elect to do so; or (B) The de minimis indirect cost rate." Cause A proper system of internal controls was not designed by management of the School Corporation. The School Corporation calculated and charged an indirect cost rate to the food service program but did not seek approval from the IDOE by completing an application to obtain and use an indirect cost rate. Effect Noncompliance with the grant agreement and the compliance requirement resulted in questioned costs and could result in the repayment of federal funds. Questioned Costs Known questioned costs of $275,724 were identified as detailed in the Condition and Context. Recommendation We recommended the School Corporation's management establish a proper system of internal controls to ensure that the disbursements are for the benefit of the school lunch program and comply with the Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - Non-Profit School Food Service Accounts compliance requirements. INDIANA STATE BOARD OF ACCOUNTS 17 SCHOOL CITY OF MISHAWAKA SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2024-001 Subject: Child Nutrition Cluster - Activities Allowed or Unallowed, Allowable Costs/Cost Principles, Special Tests and Provisions - Non-Profit School Food Service Accounts Federal Agency: Department of Agriculture Federal Programs: School Breakfast Program, National School Lunch Program, Summer Food Service Program for Children Assistance Listings Numbers: 10.553, 10.555, 10.559 Federal Award Numbers and Years (or Other Identifying Numbers): SY 2022-2023, SY 2023-2024 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - Non-Profit School Food Service Accounts Audit Findings: Significant Deficiency, Other Matters Condition and Context The School Corporation had not properly designed or implemented a system of internal controls, which would include appropriate segregation of duties, that would likely be effective in preventing, or detecting and correcting, noncompliance related to expenditures charged to the food service program fund. Indirect costs are those expenditures that benefit multiple programs, including the Child Nutrition Cluster that can be partially allocated to the program. To charge indirect costs, the School Corporation must apply for an indirect cost rate from the Indiana Department of Education (IDOE) each year. Indirect cost rates are calculated by the IDOE Office of School Finance utilizing the School Corporation's semiannual School Financial Report referred to as the Form 9. The School Corporation performed transfers out of the School Lunch fund for the allocated portion of the food service's utility service costs through the process of an indirect cost calculation performed by the School Corporation for the year ended June 30, 2024. The School Corporation had not applied or received approval from the IDOE to utilize an indirect cost rate. The total amount charged to the School Lunch fund for these costs totaled $275,724 for the year ended June 30, 2024. This amount was considered questioned costs. The lack of internal controls and noncompliance was isolated to the year ended June 30, 2024, and indirect costs noted above. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." INDIANA STATE BOARD OF ACCOUNTS 16 SCHOOL CITY OF MISHAWAKA SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) 2 CFR 200.403 states in part: "Except where otherwise authorized by statute, costs must meet the following general criteria in order to be allowable under Federal awards: (a) Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles. (b) Conform to any limitations or exclusions set forth in these principles or in the Federal award as to types or amount of cost items. . . . (g) Be adequately documented. . . ." 2 CFR 200.332(b)(4) states: "Indirect cost rate: (i) An approved indirect cost rate negotiated between the subrecipient and the Federal Government. If no approved rate exists, a pass-through entity must determine the appropriate rate in collaboration with the subrecipient. The indirect cost rate may be either: (A) An indirect cost rate negotiated between the pass-through entity and the subrecipient. These rates may be based on a prior negotiated rate between a different pass-through entity and the subrecipient, in which case the pass-through entity is not required to collect information justifying the rate but may elect to do so; or (B) The de minimis indirect cost rate." Cause A proper system of internal controls was not designed by management of the School Corporation. The School Corporation calculated and charged an indirect cost rate to the food service program but did not seek approval from the IDOE by completing an application to obtain and use an indirect cost rate. Effect Noncompliance with the grant agreement and the compliance requirement resulted in questioned costs and could result in the repayment of federal funds. Questioned Costs Known questioned costs of $275,724 were identified as detailed in the Condition and Context. Recommendation We recommended the School Corporation's management establish a proper system of internal controls to ensure that the disbursements are for the benefit of the school lunch program and comply with the Activities Allowed or Unallowed, Allowable Costs/Cost Principles, and Special Tests and Provisions - Non-Profit School Food Service Accounts compliance requirements. INDIANA STATE BOARD OF ACCOUNTS 17 SCHOOL CITY OF MISHAWAKA SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
Finding 2024-001 – Procurements and Suspension and Debarment Program: Coronavirus State and Local Fiscal Recovery Funds Assistance Listing Number: 21.027 Federal Agency: U.S. Department of the Treasury Passed Through: N/A – Direct Program Award Year: Fiscal Year 2023-2024 Compliance Requirement: Procurement and Suspension and Debarment Questioned Costs: $0 Criteria Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) §200.303 states that the non- Federal entity (County) must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Per § 200.332, recipients and subrecipients are subject to the procurement and debarment and suspension regulations implementing Executive Orders 12549 and 12689, as well as 2 CFR part 180. The regulations in 2 CFR part 180 restrict making Federal awards, subawards, and contracts with certain parties that are debarred, suspended, or otherwise excluded from receiving or participating in Federal awards. Condition During our testing of procurement and suspension and debarment, we noted six (6) instances where the County did not keep record for verifying that an entity with which it planned to enter into a covered transaction was not debarred, suspended, or otherwise excluded from receiving or participating in Federal awards. Cause of Condition The County’s existing internal control system is not operating effectively to provide reasonable assurance that procurement procedures in place comply with the procurement requirements related to the program. Repeat Finding No. Effect of Condition There is increased risk of noncompliance with the procurement requirement as set forth in the U.S. Office of Management and Budget (OMB) Compliance Supplement, which can jeopardize future federal funding as well as result in the payback of federal awards. Failure to conduct proper verifications before engaging in a covered transaction with an entity could result in fraud, waste, and abuse of federal funds.Recommendation We recommend the County design and implement internal control activities over the procurement and suspension and debarment compliance requirement under the Uniform Guidance. We also recommend the County keeps adequate records for verifying the contractors receiving federal grant funding were not debarred, suspended, or otherwise excluded from receiving or participating in Federal awards. Management Response and Corrective Action Plan The County has confirmed that the internal procurement process incorporates the verification that contractors are in possession of valid, applicable licenses and are not barred, suspended or otherwise excluded from receiving federal funds prior to engaging in contracted work. Reference to this process has not been regularly documented; going forward, verifications will be documented on the contract review cover sheet to further support the completion of the process. Copies of supporting documentation will be attached, when applicable, to demonstrate eligibility.
Criteria or specific requirement: Per 2 CFR 200.332, all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information listed in 2 CFR 200.332(a)(1) at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Per 2 CFR 200.331(b), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes required award information. A pass-through entity must provide the best available information when some of the information below is unavailable. A pass-through entity must provide the unavailable information when it is obtained. Required information includes: Subrecipient's name, Subrecipient's unique entity identifier, Federal Award Identification Number (FAIN), Federal Award Date, Subaward Period of Performance Start and End Date, Subaward Budget Period Start and End Date, Amount of Federal Funds Obligated in the subaward, Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation, Total Amount of the Federal Award committed to the subrecipient by the pass-through entity, Federal award project description, as required by the Federal Funding Accountability and Transparency Act (FFATA), Name of the Federal agency, pass-through entity, and contact information for awarding official of the pass-through entity, Assistance Listings title and number, Identification of whether the Federal award is for research and development, Indirect cost rate for the Federal award (including if the de minimis rate is used. Per 2 CFR 200.303, non-federal entities receiving federal awards must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should comply with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Kansas Division of Emergency Management (Management) did not issue subawards to subrecipients until after the fiscal year ended. Questioned costs: None. Context: For 22 of 22 subrecipients selected for testing, Management did not issue subawards until after the fiscal year ended. Cause: 2 CFR 200.332(a) requires subawards to include certain required information to be communicated to subrecipients at the time of the subaward being awarded. The subaward information was not communicated to subrecipients under after the fiscal year ended June 30, 2024, and should have been communicated at the time the subawards were awarded during the fiscal year subject to audit. Effect: Failure to issue subawards timely and to include required federal award information could result in subrecipients not properly administering the federal program in accordance with federal regulations. Repeat Finding: No. Recommendation: We recommend that Management reviews and enhances its internal controls and procedures to ensure that subawards are issued timely to subrecipients, and that subawards that include all required federal award information is communicated at the time of the subaward. Views of responsible officials: Management partially agrees with this finding. Although the 2023 2 CFR § 200.332 does state that the award letters should be sent at the time of the award, there needs to be some reasonableness to the interpretation of this regulation. KDEM currently has 13 open disasters with over 100 open projects and more being written. It is not reasonable to interpret that the award letters be sent on the date that the award is granted. Auditor’s Concluding Remarks: Management’s response did not persuade the auditor to revise the finding. Evidence that the required information per 2 CFR 200.332 being provided to subrecipients at the time of the subawards was not provided.
Criteria or specific requirement: Per 2 CFR 200.332, all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information listed in 2 CFR 200.332(a)(1) at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Per 2 CFR 200.331(b), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes required award information. A pass-through entity must provide the best available information when some of the information below is unavailable. A pass-through entity must provide the unavailable information when it is obtained. Required information includes: Subrecipient's name, Subrecipient's unique entity identifier, Federal Award Identification Number (FAIN), Federal Award Date, Subaward Period of Performance Start and End Date, Subaward Budget Period Start and End Date, Amount of Federal Funds Obligated in the subaward, Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation, Total Amount of the Federal Award committed to the subrecipient by the pass-through entity, Federal award project description, as required by the Federal Funding Accountability and Transparency Act (FFATA), Name of the Federal agency, pass-through entity, and contact information for awarding official of the pass-through entity, Assistance Listings title and number, Identification of whether the Federal award is for research and development, Indirect cost rate for the Federal award (including if the de minimis rate is used. Per 2 CFR 200.303, non-federal entities receiving federal awards must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should comply with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Kansas Division of Emergency Management (Management) did not issue subawards to subrecipients until after the fiscal year ended. Questioned costs: None. Context: For 22 of 22 subrecipients selected for testing, Management did not issue subawards until after the fiscal year ended. Cause: 2 CFR 200.332(a) requires subawards to include certain required information to be communicated to subrecipients at the time of the subaward being awarded. The subaward information was not communicated to subrecipients under after the fiscal year ended June 30, 2024, and should have been communicated at the time the subawards were awarded during the fiscal year subject to audit. Effect: Failure to issue subawards timely and to include required federal award information could result in subrecipients not properly administering the federal program in accordance with federal regulations. Repeat Finding: No. Recommendation: We recommend that Management reviews and enhances its internal controls and procedures to ensure that subawards are issued timely to subrecipients, and that subawards that include all required federal award information is communicated at the time of the subaward. Views of responsible officials: Management partially agrees with this finding. Although the 2023 2 CFR § 200.332 does state that the award letters should be sent at the time of the award, there needs to be some reasonableness to the interpretation of this regulation. KDEM currently has 13 open disasters with over 100 open projects and more being written. It is not reasonable to interpret that the award letters be sent on the date that the award is granted. Auditor’s Concluding Remarks: Management’s response did not persuade the auditor to revise the finding. Evidence that the required information per 2 CFR 200.332 being provided to subrecipients at the time of the subawards was not provided.
Various Agencies Finding 2024 –¬ 014: ALN 10.565, 10.568, 10.569 – Food Distribution Cluster ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families ALN 93.667 – Social Services Block Grant ALN 93.788 – Opioid STR State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023) Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2024 –¬ 014: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2024 –¬ 014: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation; (ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2024 –¬ 014: (continued) Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents. Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies Finding 2024 ¬– 015: ALN 10.565, 10.568, 10.569 – Food Distribution Cluster ALN 15.252 – Abandoned Mine Land Reclamation (AMLR) ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families ALN 93.667 – Social Services Block Grant A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024) Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance Finding 2024 ¬– 015: (continued) audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings. • Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date. • Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date. Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: Finding 2024 ¬– 015: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR §200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR §200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR §200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. 2 CFR §200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. Finding 2024 ¬– 015: (continued) (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Finding 2024 ¬– 015: (continued) Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. Finding 2024 ¬– 015: (continued) DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding. Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding. DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated. Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies Finding 2024 –¬ 014: ALN 10.565, 10.568, 10.569 – Food Distribution Cluster ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families ALN 93.667 – Social Services Block Grant ALN 93.788 – Opioid STR State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023) Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2024 –¬ 014: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2024 –¬ 014: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation; (ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2024 –¬ 014: (continued) Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents. Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies Finding 2024 ¬– 015: ALN 10.565, 10.568, 10.569 – Food Distribution Cluster ALN 15.252 – Abandoned Mine Land Reclamation (AMLR) ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families ALN 93.667 – Social Services Block Grant A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024) Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance Finding 2024 ¬– 015: (continued) audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings. • Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date. • Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date. Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: Finding 2024 ¬– 015: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR §200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR §200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR §200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. 2 CFR §200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. Finding 2024 ¬– 015: (continued) (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Finding 2024 ¬– 015: (continued) Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. Finding 2024 ¬– 015: (continued) DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding. Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding. DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated. Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies Finding 2024 –¬ 014: ALN 10.565, 10.568, 10.569 – Food Distribution Cluster ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families ALN 93.667 – Social Services Block Grant ALN 93.788 – Opioid STR State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023) Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2024 –¬ 014: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2024 –¬ 014: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation; (ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2024 –¬ 014: (continued) Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents. Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies Finding 2024 ¬– 015: ALN 10.565, 10.568, 10.569 – Food Distribution Cluster ALN 15.252 – Abandoned Mine Land Reclamation (AMLR) ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families ALN 93.667 – Social Services Block Grant A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024) Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance Finding 2024 ¬– 015: (continued) audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings. • Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date. • Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date. Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: Finding 2024 ¬– 015: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR §200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR §200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR §200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. 2 CFR §200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. Finding 2024 ¬– 015: (continued) (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Finding 2024 ¬– 015: (continued) Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. Finding 2024 ¬– 015: (continued) DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding. Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding. DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated. Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies Finding 2024 –¬ 014: ALN 10.565, 10.568, 10.569 – Food Distribution Cluster ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families ALN 93.667 – Social Services Block Grant ALN 93.788 – Opioid STR State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2023-023) Federal Grant Number(s) and Year(s): 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 231PA445Q2204 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), 228PA100I1003 (6/13/2022 – 6/30/2025), 238PA000I1003 (5/25/2023 – 6/30/2025), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), NU50CK000527 (8/01/2019 – 7/31/2026), 2401PATANF (10/01/2023 – 9/30/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021-9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), H79TI083297 (9/30/2021 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2024. Our testing disclosed that the Pennsylvania Department of Human Services (DHS), the Pennsylvania Department of Drug and Alcohol Programs (DDAP), and the Pennsylvania Department of Labor and Industry (L&I) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, the Pennsylvania Department of Agriculture (PDA), Pennsylvania Department of Aging (PDOA), Pennsylvania Department of Health (DOH), and DHS did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2024 –¬ 014: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE (The cells with a hyphen in the table indicate that the federal award information was included in the subrecipient award documents or was not applicable for the respective major program.) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2024 –¬ 014: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (viii) Total Amount of Federal Funds Obligated to the subrecipient by the pass-through entity, including the current financial obligation; (ix) Total Amount of the Federal Award committed to the subrecipient by the pass-through entity; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s, L&I’s, and DDAP’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by PDA, PDOA, DOH, and DHS were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2024 –¬ 014: (continued) Recommendation: DHS, L&I, and DDAP should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS, DDAP, and L&I should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. PDA, PDOA, DOH, and DHS should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. DDAP Response: DDAP agrees with the concern indicated in this finding regarding not identifying the federal award information and applicable requirements in subrecipient award documents. The Department contracts with 47 Single County Authorities (SCAs) through 5-year grant agreements. These grant agreements may not have all of the required federal award information pursuant to 2 CFR 200.332 when the agreement is executed. DDAP understands the need to develop policies to ensure all required federal award information is disseminated to all subrecipients. Going forward, the Department will send a separate notification to all subrecipients once all federal award information has been identified to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. L&I Response: L&I considered the required elements outlined in 2 CFR Section 200.332 when designing the template for its subaward documents. The template included a specific section to list the Federal Awarding Agency; however, upon execution of the TANF subaward documents, L&I inadvertently entered incorrect data into this field. The result was that while a Federal Agency was listed in the contract, it was not the Federal Awarding Agency that provided the TANF funding. Upon being made aware of the error, L&I immediately corrected and disseminated the corrected information to the sub-recipients through the Commonwealth Workforce Development System. L&I agrees that at the time of award the name of the Federal Awarding Agency that provided the TANF funding was not included in the subaward documents. Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies Finding 2024 ¬– 015: ALN 10.565, 10.568, 10.569 – Food Distribution Cluster ALN 15.252 – Abandoned Mine Land Reclamation (AMLR) ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families ALN 93.667 – Social Services Block Grant A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024) Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance Finding 2024 ¬– 015: (continued) audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings. • Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date. • Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date. Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: Finding 2024 ¬– 015: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR §200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR §200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR §200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. 2 CFR §200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. Finding 2024 ¬– 015: (continued) (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Finding 2024 ¬– 015: (continued) Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. Finding 2024 ¬– 015: (continued) DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding. Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding. DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated. Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies Finding 2024 ¬– 015: ALN 10.565, 10.568, 10.569 – Food Distribution Cluster ALN 15.252 – Abandoned Mine Land Reclamation (AMLR) ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families ALN 93.667 – Social Services Block Grant A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024) Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance Finding 2024 ¬– 015: (continued) audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings. • Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date. • Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date. Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: Finding 2024 ¬– 015: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR §200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR §200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR §200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. 2 CFR §200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. Finding 2024 ¬– 015: (continued) (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Finding 2024 ¬– 015: (continued) Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. Finding 2024 ¬– 015: (continued) DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding. Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding. DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated. Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies Finding 2024 ¬– 015: ALN 10.565, 10.568, 10.569 – Food Distribution Cluster ALN 15.252 – Abandoned Mine Land Reclamation (AMLR) ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families ALN 93.667 – Social Services Block Grant A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024) Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance Finding 2024 ¬– 015: (continued) audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings. • Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date. • Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date. Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: Finding 2024 ¬– 015: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR §200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR §200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR §200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. 2 CFR §200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. Finding 2024 ¬– 015: (continued) (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Finding 2024 ¬– 015: (continued) Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. Finding 2024 ¬– 015: (continued) DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding. Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding. DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated. Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies Finding 2024 ¬– 015: ALN 10.565, 10.568, 10.569 – Food Distribution Cluster ALN 15.252 – Abandoned Mine Land Reclamation (AMLR) ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families ALN 93.667 – Social Services Block Grant A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024) Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance Finding 2024 ¬– 015: (continued) audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings. • Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date. • Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date. Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: Finding 2024 ¬– 015: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR §200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR §200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR §200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. 2 CFR §200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. Finding 2024 ¬– 015: (continued) (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Finding 2024 ¬– 015: (continued) Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. Finding 2024 ¬– 015: (continued) DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding. Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding. DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated. Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies Finding 2024 ¬– 015: ALN 10.565, 10.568, 10.569 – Food Distribution Cluster ALN 15.252 – Abandoned Mine Land Reclamation (AMLR) ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families ALN 93.667 – Social Services Block Grant A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024) Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance Finding 2024 ¬– 015: (continued) audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings. • Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date. • Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date. Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: Finding 2024 ¬– 015: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR §200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR §200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR §200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. 2 CFR §200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. Finding 2024 ¬– 015: (continued) (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Finding 2024 ¬– 015: (continued) Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. Finding 2024 ¬– 015: (continued) DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding. Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding. DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated. Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies Finding 2024 ¬– 015: ALN 10.565, 10.568, 10.569 – Food Distribution Cluster ALN 15.252 – Abandoned Mine Land Reclamation (AMLR) ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families ALN 93.667 – Social Services Block Grant A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024) Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance Finding 2024 ¬– 015: (continued) audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings. • Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date. • Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date. Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: Finding 2024 ¬– 015: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR §200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR §200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR §200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. 2 CFR §200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. Finding 2024 ¬– 015: (continued) (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Finding 2024 ¬– 015: (continued) Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. Finding 2024 ¬– 015: (continued) DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding. Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding. DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated. Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies Finding 2024 ¬– 015: ALN 10.565, 10.568, 10.569 – Food Distribution Cluster ALN 15.252 – Abandoned Mine Land Reclamation (AMLR) ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families ALN 93.667 – Social Services Block Grant A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024) Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance Finding 2024 ¬– 015: (continued) audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings. • Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date. • Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date. Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: Finding 2024 ¬– 015: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR §200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR §200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR §200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. 2 CFR §200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. Finding 2024 ¬– 015: (continued) (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Finding 2024 ¬– 015: (continued) Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. Finding 2024 ¬– 015: (continued) DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding. Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding. DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated. Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies Finding 2024 ¬– 015: ALN 10.565, 10.568, 10.569 – Food Distribution Cluster ALN 15.252 – Abandoned Mine Land Reclamation (AMLR) ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families ALN 93.667 – Social Services Block Grant A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024) Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance Finding 2024 ¬– 015: (continued) audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings. • Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date. • Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date. Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: Finding 2024 ¬– 015: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR §200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR §200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR §200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. 2 CFR §200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. Finding 2024 ¬– 015: (continued) (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Finding 2024 ¬– 015: (continued) Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. Finding 2024 ¬– 015: (continued) DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding. Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding. DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated. Questioned Costs: The amount of questioned costs cannot be determined.
Various Agencies Finding 2024 ¬– 015: ALN 10.565, 10.568, 10.569 – Food Distribution Cluster ALN 15.252 – Abandoned Mine Land Reclamation (AMLR) ALN 21.027 – COVID 19 – Coronavirus State and Local Fiscal Recovery Funds ALN 84.425C – COVID 19 – Education Stabilization Fund – GEER Fund ALN 84.425D – COVID 19 – Education Stabilization Fund – ESSER Fund ALN 84.425R – COVID 19 – Education Stabilization Fund – CRRSA EANS Program ALN 84.425U – COVID 19 – Education Stabilization Fund – ARP ESSER ALN 84.425V – COVID 19 – Education Stabilization Fund – ARP EANS Program ALN 84.425W – COVID 19 – Education Stabilization Fund – ARP ESSER HCY ALN 93.044, 93.045, 93.053 – Aging Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families ALN 93.667 – Social Services Block Grant A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2023-024) Federal Grant Number(s) and Year(s): 228PA100I1003 (6/13/2022 – 6/30/2025), 231PA445Q2204 (10/01/2022 – 9/30/2023), 231PA825Y8005 (10/01/2022 – 9/30/2023), 231PA825Y8105 (10/01/2022 – 9/30/2023), 241PA825Y8005 (10/01/2023 – 9/30/2024), 241PA825Y8105 (10/01/2023 – 9/30/2024), S18AF20004 (11/01/2017 – 10/31/2025), S19AF20004 (12/01/2018 – 11/30/2025), S21AF10015 (1/01/2021 – 12/31/2023), S22AF00017 (1/01/2022 – 12/31/2024), S23AF00002 (11/01/2022 – 10/31/2027), TN75GJE1S7G3 (3/03/2021 – 12/31/2024), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021– 9/30/2024), S425D210028 (1/05/2021 – 9/30/2024), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2024), S425V210037 (11/16/2021 – 9/30/2024), S425C210013 (3/13/2020 – 9/30/2024), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 2401PAOACM (10/01/2023 – 9/30/2025), 2401PAOAHD (10/01/2023 – 9/30/2025), 2401PAOANS (10/01/2023 – 9/30/2025), 2401PAOASS (10/01/2023 – 9/30/2025), 2101PATANF (10/01/2020 – 9/30/2021), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023), 2401PATANF (10/01/2023 – 9/30/2024), 2301PASOSR (10/01/2022 – 9/30/2024), 2401PASOSR (10/01/2023 – 9/30/2025), 2301PATANF (10/01/2022 – 9/30/2024), 2401PATANF (10/01/2023 – 9/30/2025) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters for Abandoned Mine Land Reclamation (AMLR), Temporary Assistance for Needy Families, Coronavirus State and Local Fiscal Recovery Funds, and Social Services Block Grant Material Weakness in Internal Control over Compliance, Material Noncompliance for Food Distribution Cluster, Education Stabilization Fund, and Aging Cluster Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Acceptance date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance Finding 2024 ¬– 015: (continued) audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2024 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2023 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2024. We also evaluated the Commonwealth’s review of 45 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2024 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 17.6 months to over 18 months after the FAC Acceptance date for two out of two audit reports with findings. There was also a delay in PDOA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 8.7 months to over 16 months after the FAC Acceptance date for four out of four audit reports with findings. • Department of Education (PDE): The time period for making a management decision on findings was approximately 7.8 months to over 12 months after the FAC Acceptance date for seven out of 22 audit reports with findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Environmental Protection (DEP): The time period for making a management decision on findings was approximately 11.6 months to over 12 months after the FAC Acceptance date for two out of two audit reports with findings. Our testing disclosed for the two late audit reports, DEP made management decisions timely. However, DEP did not notify the subrecipients of the management decisions within the required six month time period after the audit reports FAC Acceptance date. • Department of Human Services (DHS): The time period for making a management decision on findings was approximately 7.2 months after the FAC Acceptance date for one out of two audit reports with findings. Our testing disclosed for the one late audit report DHS made a management decision timely. However, DHS did not notify the subrecipient of the management decision within the required six month time period after the audit reports FAC Acceptance date. Criteria: 2 CFR §200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: Finding 2024 ¬– 015: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR §200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR §200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR §200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. 2 CFR §200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. Finding 2024 ¬– 015: (continued) (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Finding 2024 ¬– 015: (continued) Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (6) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, and untimely review of the SEFA or alternate procedures be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding. PDE Response: PDE agrees with the finding. DEP Response: DEP agrees with the finding. Finding 2024 ¬– 015: (continued) DHS Response: DHS agrees that there was an exception where human error caused a management decision on one single audit report to be issued untimely; in this instance, the decision itself was made timely but was not communicated in a timely manner. DHS disagrees that an isolated incident due to human error signifies a weakness in internal controls. This was not a systemic issue and therefore should not have been considered a significant deficiency in internal controls, and DHS should not have been included in this finding. Auditors’ Conclusion: The agency responses from PDOA, PDA, PDE, and DEP indicate agreement with the finding. DHS agrees that an error occurred resulting in untimely submission of one management decision, DHS disagrees that the error represents a significant deficiency. We acknowledge the error occurred due to an oversight and is not a systemic error, however, the error resulted in noncompliance with one of two audit reports that required timely management decisions. We will evaluate corrective action in the subsequent audit. The finding remains as stated. Questioned Costs: The amount of questioned costs cannot be determined.