Findings Citing § 200.332

U.S. Department of the Health and Human Services Assistance Listing Number 93.959 – Block Grants for Substance Use Prevention, Treatment, And Recovery Services Significant Deficiency over Subrecipient Monitoring Repeat Finding: No Criteria: A pass-through entity (PTE) must clearly identify to the subrecipient the award as a subaward at the time of subaward (or subsequent subaward modification) by providing the information described in 2 CFR section 200.332(a)(1); all requirements imposed by the PTE on the subrecipient so that the Federal award is used in accordance with Federal statutes, regulations, and the terms and conditions of the award (2 CFR section 200.332(a)(2)); and any additional requirements that the PTE imposes on the subrecipient in order for the PTE to meet its own responsibility for the Federal award (e.g., financial, performance, and special reports) (2 CFR section 200.332(a)(3)). Condition and Context: For 2 out of 2 selections, the agreement with the subrecipient did not clearly identify the Federal assistance listing. Cause: The County did not inform its subrecipients of Federal requirements included in Uniform Guidance related to procedures required for subrecipient monitoring. Effect or Potential Effect: The subrecipient may not be in compliance with Uniform Guidance, therefore causing the County not to be in compliance with Uniform Guidance. Questioned Costs: Unknown. Recommendation: We recommend that the County prepare and maintain a written plan to ensure subrecipients are aware of the Uniform Guidance requirements. Views of Responsible Officials: Management agrees with the finding. Refer to the Corrective Action Plan Section of this report

U.S. Department of the Health and Human Services Assistance Listing Number 93.959 – Block Grants for Substance Use Prevention, Treatment, And Recovery Services Significant Deficiency over Subrecipient Monitoring Repeat Finding: No Criteria: A pass-through entity (PTE) must clearly identify to the subrecipient the award as a subaward at the time of subaward (or subsequent subaward modification) by providing the information described in 2 CFR section 200.332(a)(1); all requirements imposed by the PTE on the subrecipient so that the Federal award is used in accordance with Federal statutes, regulations, and the terms and conditions of the award (2 CFR section 200.332(a)(2)); and any additional requirements that the PTE imposes on the subrecipient in order for the PTE to meet its own responsibility for the Federal award (e.g., financial, performance, and special reports) (2 CFR section 200.332(a)(3)). Condition and Context: For 2 out of 2 selections, the agreement with the subrecipient did not clearly identify the Federal assistance listing. Cause: The County did not inform its subrecipients of Federal requirements included in Uniform Guidance related to procedures required for subrecipient monitoring. Effect or Potential Effect: The subrecipient may not be in compliance with Uniform Guidance, therefore causing the County not to be in compliance with Uniform Guidance. Questioned Costs: Unknown. Recommendation: We recommend that the County prepare and maintain a written plan to ensure subrecipients are aware of the Uniform Guidance requirements. Views of Responsible Officials: Management agrees with the finding. Refer to the Corrective Action Plan Section of this report

U.S. Department of the Health and Human Services Assistance Listing Number 93.959 – Block Grants for Substance Use Prevention, Treatment, And Recovery Services Significant Deficiency over Subrecipient Monitoring Repeat Finding: No Criteria: A pass-through entity (PTE) must clearly identify to the subrecipient the award as a subaward at the time of subaward (or subsequent subaward modification) by providing the information described in 2 CFR section 200.332(a)(1); all requirements imposed by the PTE on the subrecipient so that the Federal award is used in accordance with Federal statutes, regulations, and the terms and conditions of the award (2 CFR section 200.332(a)(2)); and any additional requirements that the PTE imposes on the subrecipient in order for the PTE to meet its own responsibility for the Federal award (e.g., financial, performance, and special reports) (2 CFR section 200.332(a)(3)). Condition and Context: For 2 out of 2 selections, the agreement with the subrecipient did not clearly identify the Federal assistance listing. Cause: The County did not inform its subrecipients of Federal requirements included in Uniform Guidance related to procedures required for subrecipient monitoring. Effect or Potential Effect: The subrecipient may not be in compliance with Uniform Guidance, therefore causing the County not to be in compliance with Uniform Guidance. Questioned Costs: Unknown. Recommendation: We recommend that the County prepare and maintain a written plan to ensure subrecipients are aware of the Uniform Guidance requirements. Views of Responsible Officials: Management agrees with the finding. Refer to the Corrective Action Plan Section of this report

U.S. Department of the Health and Human Services Assistance Listing Number 93.959 – Block Grants for Substance Use Prevention, Treatment, And Recovery Services Significant Deficiency over Subrecipient Monitoring Repeat Finding: No Criteria: A pass-through entity (PTE) must clearly identify to the subrecipient the award as a subaward at the time of subaward (or subsequent subaward modification) by providing the information described in 2 CFR section 200.332(a)(1); all requirements imposed by the PTE on the subrecipient so that the Federal award is used in accordance with Federal statutes, regulations, and the terms and conditions of the award (2 CFR section 200.332(a)(2)); and any additional requirements that the PTE imposes on the subrecipient in order for the PTE to meet its own responsibility for the Federal award (e.g., financial, performance, and special reports) (2 CFR section 200.332(a)(3)). Condition and Context: For 2 out of 2 selections, the agreement with the subrecipient did not clearly identify the Federal assistance listing. Cause: The County did not inform its subrecipients of Federal requirements included in Uniform Guidance related to procedures required for subrecipient monitoring. Effect or Potential Effect: The subrecipient may not be in compliance with Uniform Guidance, therefore causing the County not to be in compliance with Uniform Guidance. Questioned Costs: Unknown. Recommendation: We recommend that the County prepare and maintain a written plan to ensure subrecipients are aware of the Uniform Guidance requirements. Views of Responsible Officials: Management agrees with the finding. Refer to the Corrective Action Plan Section of this report

Finding 2024-002: Subrecipient Monitoring - Risk Assessment Agency and award: U.S. Department of State - Education and Leadership Development for Young Afghan Women: CFDA No. 19.801 Questioned costs: None. Criteria: In accordance with 2 CFR 200.332(b), Asian University for Women (AUW) Support Foundation should evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraph (e) of this section, which may include consideration of such factors as: (1) the subrecipient’s prior experience with the same or similar subawards; (2) the results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F—Audit Requirements of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) whether the subrecipient has new personnel or new or substantially changed systems; and (4) the extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency). Condition: During the audit, we noted that Asian University for Women (AUW) Support Foundation has not documented its evaluation of the subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward. Subrecipient risk assessments are not being performed and the frequency and magnitude of monitoring procedures are not determined based on results of these risk assessments as required by Uniform Guidance 2 CFR 200. Context: Our testing of subrecipient grants awarded found no evidence that risk assessment had been performed. Cause: No risk assessment policies established with the requirements under the Uniform Guidance in accordance with 2 CFR 200.332(b). Effect: Absence of well-documented risk assessment and monitoring plans related to subrecipients may increase the risk of unallowable costs are claimed by the subrecipients and are not prevented or detected by internal controls. Recommendation: We recommend that the management implement procedures to comply with the Uniform Guidance’s requirements related to the documentation of subrecipients’ risk assessment and monitoring procedures. Views of Responsible Officials and Planned Corrective Actions: See Corrective Action Plan

Finding 2024-004: Identifying the Award and Applicable Requirements Agency and award: U.S. Department of State - Education and Leadership Development for Young Afghan Women: CFDA No. 19.801 Questioned costs: None. Criteria: As codified in 2 CFR Part 200.332, requires prime awardees awarded a federal grant to clearly identify to the subrecipient: (1) the award as a subaward at the time of subaward (2) all requirements imposed by the pass-through entity (PTE) on the subrecipient so that the federal award is used in accordance with federal statutes, regulations, and the terms and conditions of the award and (3) any additional requirements that the PTE imposes on the subrecipient in order for the PTE to meet its own responsibility for the federal award. Condition: We tested subrecipient awards and found that there were no official subrecipient grant letters identifying the award and its applicable requirements. Questioned Costs: No questioned costs identified. Context: This is a condition identified during our testing of the compliance requirements for subrecipient monitoring. This internal control matter could result in noncompliance with certain federal awards. Cause: Asian University for Women (AUW) identifying the award and applicable requirements and described in 2 CFR section 200.332 Effect: Failure to comply with the 2 CFR section 200.332 requirements may put the grant funding at risk due to noncompliance under the Uniform Guidance. Recommendation: We recommend management immediately update its procedures to provide subrecipients with official grant letters that include the requirements under 2 CFR section 200.332. Views of Responsible Officials and Planned Corrective Actions: See Corrective Action Plan

Finding No. 2024-007: Inadequate Internal Controls over Monitoring of Subrecipient Audits Type of Finding: Significant Deficiency and Non-Compliance Assistance Listing Title: Disaster Grants - Public Assistance (Presidentially Declared Disasters) Assistance Listing Number: 97.036 Federal Award Number: 4155DRSDP00000001,4440DRSDP00000001, 4463DRSDP00000001, 4467DRSDP00000001, 4469DRSDP00000001, 4527DRSDP00000001, 4656DRSDP00000001, 4664DRSDP00000001, 4689DRSDP00000001, and 4718DRSDP00000001 Federal Award Year: 2019, 2020, 2021, 2022, 2023, and 2024 Federal Agency: Department of Homeland Security Category of Finding: Subrecipient Monitoring Criteria: 2 CFR section 200.332 requires, among other things, that a pass-through entity verify that subrecipients receive Single Audits as required by 2 CFR 200.501(a), follow-up to ensure that the subrecipient takes timely and appropriate action on audit findings, and issue a management decision on applicable audit findings pertaining to the subaward. 2 CFR 200.521(d) requires this management decision to be issued within six months of acceptance of the audit report by the Federal Audit Clearinghouse (FAC). Condition: The Department of Public Safety (DPS) receives funding under ALN 97.036, Disaster Grants - Public Assistance (Presidentially Declared Disasters) (Public Assistance) and makes subawards to local governments and private nonprofit entities to respond to and recover from presidentially declared disasters. During FY24, DPS did not have adequate controls in place to ensure that Single Audits were obtained for all applicable subrecipients within the required time frame, that those audits were reviewed to ensure timely and appropriate action was taken on any findings, and that a management decision was issued by DPS within the six-month time frame required by federal regulations. Based on our review of funding amounts passed through by DPS, there were seven subrecipients receiving Federal grant payments that would require a Single Audit for the auditee’s fiscal year 2023. These subrecipients had received the required audits and their audit reports were accepted by the FAC, however, two of the audits were not reviewed timely by DPS. Of those two subrecipient audits, one had an audit finding pertaining to the Public Assistance program and DPS had not issued a management decision within the time frame required by 2 CFR 200.521. Cause: Controls were not adequate to identify when subrecipient audits were due and obtain all required audits off the FAC in a timely manner. While DPS personnel did track expenditures to determine which subrecipients were required to have audits under 2 CFR 200.501(a), failure to monitor subrecipient year-ends and the related audit deadlines resulted in some audits not being obtained and reviewed in a timely manner. Effect: This resulted in noncompliance with subrecipient monitoring requirements and increased the risk of subrecipient audit findings not being corrected in a timely manner. Questioned Costs: None. Repeat Finding from Prior Year: No. Recommendation: We recommend the Department implement controls to ensure that audits of subrecipients are obtained and followed up on in a timely manner and that management decisions are issued within the required time frame for all audit findings pertaining to DPS subawards. Views of Responsible Officials: The Department of Public Safety concurs with the audit finding.

Finding 2024-004 – Subrecipient Monitoring — Material Weakness Department of Health and Human Services Research and Development Cluster National Science Foundation, Assistance Listing No. 47.076 (STEM Education) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure that risk assessment and monitoring are formally documented over subrecipient monitoring. In accordance with 2 CFR 200.332(b) and 2 CFR 200.332(e), a pass-through entity is required to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of each sub-award for purposes of determining appropriate subrecipient monitoring requirements. Depending on the risk assessment, the pass-through entity should identify monitoring procedures to be performed in order to ensure proper accountability and compliance with program requirements and achievements of performance goals. Condition: The University’s controls were not operating effectively to reasonably ensure the University performed risk assessment and monitoring procedures for its subrecipients. As a result, the University did not comply with the compliance requirements for subrecipient monitoring. Cause: The University does not have processes and procedures in place related to risk assessment and subrecipient monitoring. Effect or potential effect: The University is not in compliance with federal grant requirements over subrecipient monitoring. Lack of properly documented evidence of subrecipient monitoring policies and procedures performed, including required risk assessments, could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: The University has two active awards under the program with subrecipients with an aggregate award value of approximately $71,000. The University has two subrecipients and for both subrecipients tested in the major program, there was no evidence that a risk assessment or monitoring of those subrecipients was performed. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to perform the required risk assessments and related monitoring, and maintain support that the risk assessments and related monitoring were performed as required. View of responsible officials: Management agrees with this finding. See corrective action plan.

Finding 2024-004 – Subrecipient Monitoring — Material Weakness Department of Health and Human Services Research and Development Cluster National Science Foundation, Assistance Listing No. 47.076 (STEM Education) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure that risk assessment and monitoring are formally documented over subrecipient monitoring. In accordance with 2 CFR 200.332(b) and 2 CFR 200.332(e), a pass-through entity is required to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of each sub-award for purposes of determining appropriate subrecipient monitoring requirements. Depending on the risk assessment, the pass-through entity should identify monitoring procedures to be performed in order to ensure proper accountability and compliance with program requirements and achievements of performance goals. Condition: The University’s controls were not operating effectively to reasonably ensure the University performed risk assessment and monitoring procedures for its subrecipients. As a result, the University did not comply with the compliance requirements for subrecipient monitoring. Cause: The University does not have processes and procedures in place related to risk assessment and subrecipient monitoring. Effect or potential effect: The University is not in compliance with federal grant requirements over subrecipient monitoring. Lack of properly documented evidence of subrecipient monitoring policies and procedures performed, including required risk assessments, could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: The University has two active awards under the program with subrecipients with an aggregate award value of approximately $71,000. The University has two subrecipients and for both subrecipients tested in the major program, there was no evidence that a risk assessment or monitoring of those subrecipients was performed. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to perform the required risk assessments and related monitoring, and maintain support that the risk assessments and related monitoring were performed as required. View of responsible officials: Management agrees with this finding. See corrective action plan.

Finding 2024-004 – Subrecipient Monitoring — Material Weakness Department of Health and Human Services Research and Development Cluster National Science Foundation, Assistance Listing No. 47.076 (STEM Education) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure that risk assessment and monitoring are formally documented over subrecipient monitoring. In accordance with 2 CFR 200.332(b) and 2 CFR 200.332(e), a pass-through entity is required to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of each sub-award for purposes of determining appropriate subrecipient monitoring requirements. Depending on the risk assessment, the pass-through entity should identify monitoring procedures to be performed in order to ensure proper accountability and compliance with program requirements and achievements of performance goals. Condition: The University’s controls were not operating effectively to reasonably ensure the University performed risk assessment and monitoring procedures for its subrecipients. As a result, the University did not comply with the compliance requirements for subrecipient monitoring. Cause: The University does not have processes and procedures in place related to risk assessment and subrecipient monitoring. Effect or potential effect: The University is not in compliance with federal grant requirements over subrecipient monitoring. Lack of properly documented evidence of subrecipient monitoring policies and procedures performed, including required risk assessments, could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: The University has two active awards under the program with subrecipients with an aggregate award value of approximately $71,000. The University has two subrecipients and for both subrecipients tested in the major program, there was no evidence that a risk assessment or monitoring of those subrecipients was performed. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to perform the required risk assessments and related monitoring, and maintain support that the risk assessments and related monitoring were performed as required. View of responsible officials: Management agrees with this finding. See corrective action plan.

Finding 2024-004 – Subrecipient Monitoring — Material Weakness Department of Health and Human Services Research and Development Cluster National Science Foundation, Assistance Listing No. 47.076 (STEM Education) Federal award year 2023-2024 Criteria: The Uniform Guidance (2 CFR 200.303) requires nonfederal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure that risk assessment and monitoring are formally documented over subrecipient monitoring. In accordance with 2 CFR 200.332(b) and 2 CFR 200.332(e), a pass-through entity is required to evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of each sub-award for purposes of determining appropriate subrecipient monitoring requirements. Depending on the risk assessment, the pass-through entity should identify monitoring procedures to be performed in order to ensure proper accountability and compliance with program requirements and achievements of performance goals. Condition: The University’s controls were not operating effectively to reasonably ensure the University performed risk assessment and monitoring procedures for its subrecipients. As a result, the University did not comply with the compliance requirements for subrecipient monitoring. Cause: The University does not have processes and procedures in place related to risk assessment and subrecipient monitoring. Effect or potential effect: The University is not in compliance with federal grant requirements over subrecipient monitoring. Lack of properly documented evidence of subrecipient monitoring policies and procedures performed, including required risk assessments, could result in actions taken by oversight agencies which could impact future funding. Questioned costs: None Context: The University has two active awards under the program with subrecipients with an aggregate award value of approximately $71,000. The University has two subrecipients and for both subrecipients tested in the major program, there was no evidence that a risk assessment or monitoring of those subrecipients was performed. Identification as a repeat finding, if applicable: Not applicable. Recommendation: We recommend the University develop processes and procedures to perform the required risk assessments and related monitoring, and maintain support that the risk assessments and related monitoring were performed as required. View of responsible officials: Management agrees with this finding. See corrective action plan.

Reference Number: 2024-002 Prior Year Finding: 2023-007 Federal Agency: U.S. Department of Treasury Federal Program: COVID-19 – Coronavirus State and Local Fiscal Recovery Funds Assistance Listing Number: 21.027 Award Number and Year: 2021 Compliance Requirement: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Controls over Compliance, Other Matters Criteria or Specific Requirement: Compliance - 2 CFR Section 200.332 – Requirements for Pass-Through Entities states in part, that all pass-through entities must: (a) Verify that every subrecipient is audited as required by Subpart F – Audit Requirements of this part when it is expected that the subrecipient’s Federal award expended during the respective fiscal year equaled or exceeded the threshold set forth in section 200.501 Audit requirements. Control - Per 2 CDF 200.303(a), a non-Federal entity must: Establish a maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal awards. These internal controls should comply with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The County was not able to provide documentation to show it ensured its subrecipients were audited as required by 2 CFR Part 200 Subpart F – Audit Requirements (Subpart F). Context: Exceptions were noted for 7 of 7 subrecipients selected for testing: • The County was unable to provide support that it ensured the subrecipient was audited as required by Subpart F. The County could not produce evidence of verification that the subrecipient’s Federal awards expended during the fiscal year were below the threshold set forth in section 200.501 Audit Requirements. Cause: The County did not establish effective internal controls and procedures over subrecipient monitoring. Effect: Without ensuring subrecipients have obtained audits as required by Subpart F, there is an increased risk that subrecipients could be inappropriately spending and/or inaccurately tracking and reporting federal funds over multiple years, and these discrepancies may not be properly monitored, detected, and corrected by the County personnel on a timely basis. Questioned Costs: Undetermined. Recommendation: The County should review and enhance internal controls and procedures to ensure that evaluation of independent audits is performed. Views of Responsible Officials: The County agrees with this finding. See separate Correction Action Plan related to this finding.

Reference Number: 2024-002 Prior Year Finding: 2023-007 Federal Agency: U.S. Department of Treasury Federal Program: COVID-19 – Coronavirus State and Local Fiscal Recovery Funds Assistance Listing Number: 21.027 Award Number and Year: 2021 Compliance Requirement: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Controls over Compliance, Other Matters Criteria or Specific Requirement: Compliance - 2 CFR Section 200.332 – Requirements for Pass-Through Entities states in part, that all pass-through entities must: (a) Verify that every subrecipient is audited as required by Subpart F – Audit Requirements of this part when it is expected that the subrecipient’s Federal award expended during the respective fiscal year equaled or exceeded the threshold set forth in section 200.501 Audit requirements. Control - Per 2 CDF 200.303(a), a non-Federal entity must: Establish a maintain effective internal control over the federal award that provides reasonable assurance that the non-Federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal awards. These internal controls should comply with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The County was not able to provide documentation to show it ensured its subrecipients were audited as required by 2 CFR Part 200 Subpart F – Audit Requirements (Subpart F). Context: Exceptions were noted for 7 of 7 subrecipients selected for testing: • The County was unable to provide support that it ensured the subrecipient was audited as required by Subpart F. The County could not produce evidence of verification that the subrecipient’s Federal awards expended during the fiscal year were below the threshold set forth in section 200.501 Audit Requirements. Cause: The County did not establish effective internal controls and procedures over subrecipient monitoring. Effect: Without ensuring subrecipients have obtained audits as required by Subpart F, there is an increased risk that subrecipients could be inappropriately spending and/or inaccurately tracking and reporting federal funds over multiple years, and these discrepancies may not be properly monitored, detected, and corrected by the County personnel on a timely basis. Questioned Costs: Undetermined. Recommendation: The County should review and enhance internal controls and procedures to ensure that evaluation of independent audits is performed. Views of Responsible Officials: The County agrees with this finding. See separate Correction Action Plan related to this finding.

Awards to Subrecipients Criteria – The Uniform Guidance, Part 200.332 states, “All pass-through entities must: ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward.” Required information includes identification of whether the award is research and development and the indirect cost rate for the Federal award (including if the de minimis rate is charged) per § 200.414. Condition – For five out of six subawards, the Department did not include identification of whether the award is research and development or indirect cost rate for the Federal award (including if the de minimis rate is charged) per § 200.414. These contracts also did not include the subrecipient’s Unique Entity Identifiers, nor the Federal Award Date. Cause – At the time the tested agreements were established, the Department had not established policies and procedures to ensure all required information is included in the subaward to the subrecipients. Effect – The information required in the subaward to subrecipients would result in grantee’s not being aware of their current indirect cost rate allowance, or if the award was for R&D purposes. Recommendation – The Department should establish policies and procedures to ensure all required information is included in the subaward to subrecipients as required by Uniform Guidance, Part 200.332. Response and Corrective Action Planned – Effective late fiscal year 2024; new sub-awards and pass thru grant agreements utilize a cover sheet to ensure all required elements listed in 2 CFR 200.332 are clearly included in the subaward agreements. Conclusion – Response accepted.

Awards to Subrecipients Criteria – The Uniform Guidance, Part 200.332 states, “All pass-through entities must: ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward.” Required information includes identification of whether the award is research and development and the indirect cost rate for the Federal award (including if the de minimis rate is charged) per § 200.414. Condition – For five out of six subawards, the Department did not include identification of whether the award is research and development or indirect cost rate for the Federal award (including if the de minimis rate is charged) per § 200.414. These contracts also did not include the subrecipient’s Unique Entity Identifiers, nor the Federal Award Date. Cause – At the time the tested agreements were established, the Department had not established policies and procedures to ensure all required information is included in the subaward to the subrecipients. Effect – The information required in the subaward to subrecipients would result in grantee’s not being aware of their current indirect cost rate allowance, or if the award was for R&D purposes. Recommendation – The Department should establish policies and procedures to ensure all required information is included in the subaward to subrecipients as required by Uniform Guidance, Part 200.332. Response and Corrective Action Planned – Effective late fiscal year 2024; new sub-awards and pass thru grant agreements utilize a cover sheet to ensure all required elements listed in 2 CFR 200.332 are clearly included in the subaward agreements. Conclusion – Response accepted.

Awards to Subrecipients Criteria – The Uniform Guidance, Part 200.332 states, “All pass-through entities must: ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward.” Required information includes identification of whether the award is research and development and the indirect cost rate for the Federal award (including if the de minimis rate is charged) per § 200.414. Condition – For five out of six subawards, the Department did not include identification of whether the award is research and development or indirect cost rate for the Federal award (including if the de minimis rate is charged) per § 200.414. These contracts also did not include the subrecipient’s Unique Entity Identifiers, nor the Federal Award Date. Cause – At the time the tested agreements were established, the Department had not established policies and procedures to ensure all required information is included in the subaward to the subrecipients. Effect – The information required in the subaward to subrecipients would result in grantee’s not being aware of their current indirect cost rate allowance, or if the award was for R&D purposes. Recommendation – The Department should establish policies and procedures to ensure all required information is included in the subaward to subrecipients as required by Uniform Guidance, Part 200.332. Response and Corrective Action Planned – Effective late fiscal year 2024; new sub-awards and pass thru grant agreements utilize a cover sheet to ensure all required elements listed in 2 CFR 200.332 are clearly included in the subaward agreements. Conclusion – Response accepted.

2024-009 Program: Aging Cluster Federal Financial Assistance Listing Number: 93.041, 93.042, 93.043, 93.044, 93.045, 93.052, 93.053 Federal Grantor: U.S. Department of Health and Human Services Passed-Through: California Department of Aging Award No. and Year: AP-2122-22 and 2022, AP-2324-22 and 2024 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance and Instance of Noncompliance Criteria: Per 2 CFR 200.332, a pass-through entity must monitor the activities of a subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must include the information at 2 CFR 200.332(1) through (4). Condition: During our testing of the Orange County Community Resources (OCCR) department’s provisions for subrecipient monitoring requirements, we noted that for one (1) of four (4) subrecipients tested, onsite monitoring and follow-up on documented deficiencies was not performed timely. Cause: Established policies and procedures related to subrecipient monitoring do not specify the timeframe within which monitoring must be completed. Effect: There is an increased risk that the department’s monitoring procedure may not address the subrecipient’s risk of noncompliance. Question Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A non-statistical sample of four (4) out of (10) subrecipients were selected for testing. The condition above was identified during our procedures over subrecipient monitoring. Repeat Finding: No. Recommendation: We recommend the department review its established policies and procedures to ensure subrecipient monitoring is performed timely. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-009 Program: Aging Cluster Federal Financial Assistance Listing Number: 93.041, 93.042, 93.043, 93.044, 93.045, 93.052, 93.053 Federal Grantor: U.S. Department of Health and Human Services Passed-Through: California Department of Aging Award No. and Year: AP-2122-22 and 2022, AP-2324-22 and 2024 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance and Instance of Noncompliance Criteria: Per 2 CFR 200.332, a pass-through entity must monitor the activities of a subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must include the information at 2 CFR 200.332(1) through (4). Condition: During our testing of the Orange County Community Resources (OCCR) department’s provisions for subrecipient monitoring requirements, we noted that for one (1) of four (4) subrecipients tested, onsite monitoring and follow-up on documented deficiencies was not performed timely. Cause: Established policies and procedures related to subrecipient monitoring do not specify the timeframe within which monitoring must be completed. Effect: There is an increased risk that the department’s monitoring procedure may not address the subrecipient’s risk of noncompliance. Question Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A non-statistical sample of four (4) out of (10) subrecipients were selected for testing. The condition above was identified during our procedures over subrecipient monitoring. Repeat Finding: No. Recommendation: We recommend the department review its established policies and procedures to ensure subrecipient monitoring is performed timely. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-009 Program: Aging Cluster Federal Financial Assistance Listing Number: 93.041, 93.042, 93.043, 93.044, 93.045, 93.052, 93.053 Federal Grantor: U.S. Department of Health and Human Services Passed-Through: California Department of Aging Award No. and Year: AP-2122-22 and 2022, AP-2324-22 and 2024 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance and Instance of Noncompliance Criteria: Per 2 CFR 200.332, a pass-through entity must monitor the activities of a subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must include the information at 2 CFR 200.332(1) through (4). Condition: During our testing of the Orange County Community Resources (OCCR) department’s provisions for subrecipient monitoring requirements, we noted that for one (1) of four (4) subrecipients tested, onsite monitoring and follow-up on documented deficiencies was not performed timely. Cause: Established policies and procedures related to subrecipient monitoring do not specify the timeframe within which monitoring must be completed. Effect: There is an increased risk that the department’s monitoring procedure may not address the subrecipient’s risk of noncompliance. Question Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A non-statistical sample of four (4) out of (10) subrecipients were selected for testing. The condition above was identified during our procedures over subrecipient monitoring. Repeat Finding: No. Recommendation: We recommend the department review its established policies and procedures to ensure subrecipient monitoring is performed timely. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-009 Program: Aging Cluster Federal Financial Assistance Listing Number: 93.041, 93.042, 93.043, 93.044, 93.045, 93.052, 93.053 Federal Grantor: U.S. Department of Health and Human Services Passed-Through: California Department of Aging Award No. and Year: AP-2122-22 and 2022, AP-2324-22 and 2024 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance and Instance of Noncompliance Criteria: Per 2 CFR 200.332, a pass-through entity must monitor the activities of a subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must include the information at 2 CFR 200.332(1) through (4). Condition: During our testing of the Orange County Community Resources (OCCR) department’s provisions for subrecipient monitoring requirements, we noted that for one (1) of four (4) subrecipients tested, onsite monitoring and follow-up on documented deficiencies was not performed timely. Cause: Established policies and procedures related to subrecipient monitoring do not specify the timeframe within which monitoring must be completed. Effect: There is an increased risk that the department’s monitoring procedure may not address the subrecipient’s risk of noncompliance. Question Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A non-statistical sample of four (4) out of (10) subrecipients were selected for testing. The condition above was identified during our procedures over subrecipient monitoring. Repeat Finding: No. Recommendation: We recommend the department review its established policies and procedures to ensure subrecipient monitoring is performed timely. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-009 Program: Aging Cluster Federal Financial Assistance Listing Number: 93.041, 93.042, 93.043, 93.044, 93.045, 93.052, 93.053 Federal Grantor: U.S. Department of Health and Human Services Passed-Through: California Department of Aging Award No. and Year: AP-2122-22 and 2022, AP-2324-22 and 2024 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance and Instance of Noncompliance Criteria: Per 2 CFR 200.332, a pass-through entity must monitor the activities of a subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must include the information at 2 CFR 200.332(1) through (4). Condition: During our testing of the Orange County Community Resources (OCCR) department’s provisions for subrecipient monitoring requirements, we noted that for one (1) of four (4) subrecipients tested, onsite monitoring and follow-up on documented deficiencies was not performed timely. Cause: Established policies and procedures related to subrecipient monitoring do not specify the timeframe within which monitoring must be completed. Effect: There is an increased risk that the department’s monitoring procedure may not address the subrecipient’s risk of noncompliance. Question Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A non-statistical sample of four (4) out of (10) subrecipients were selected for testing. The condition above was identified during our procedures over subrecipient monitoring. Repeat Finding: No. Recommendation: We recommend the department review its established policies and procedures to ensure subrecipient monitoring is performed timely. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-009 Program: Aging Cluster Federal Financial Assistance Listing Number: 93.041, 93.042, 93.043, 93.044, 93.045, 93.052, 93.053 Federal Grantor: U.S. Department of Health and Human Services Passed-Through: California Department of Aging Award No. and Year: AP-2122-22 and 2022, AP-2324-22 and 2024 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance and Instance of Noncompliance Criteria: Per 2 CFR 200.332, a pass-through entity must monitor the activities of a subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must include the information at 2 CFR 200.332(1) through (4). Condition: During our testing of the Orange County Community Resources (OCCR) department’s provisions for subrecipient monitoring requirements, we noted that for one (1) of four (4) subrecipients tested, onsite monitoring and follow-up on documented deficiencies was not performed timely. Cause: Established policies and procedures related to subrecipient monitoring do not specify the timeframe within which monitoring must be completed. Effect: There is an increased risk that the department’s monitoring procedure may not address the subrecipient’s risk of noncompliance. Question Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A non-statistical sample of four (4) out of (10) subrecipients were selected for testing. The condition above was identified during our procedures over subrecipient monitoring. Repeat Finding: No. Recommendation: We recommend the department review its established policies and procedures to ensure subrecipient monitoring is performed timely. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-009 Program: Aging Cluster Federal Financial Assistance Listing Number: 93.041, 93.042, 93.043, 93.044, 93.045, 93.052, 93.053 Federal Grantor: U.S. Department of Health and Human Services Passed-Through: California Department of Aging Award No. and Year: AP-2122-22 and 2022, AP-2324-22 and 2024 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance and Instance of Noncompliance Criteria: Per 2 CFR 200.332, a pass-through entity must monitor the activities of a subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must include the information at 2 CFR 200.332(1) through (4). Condition: During our testing of the Orange County Community Resources (OCCR) department’s provisions for subrecipient monitoring requirements, we noted that for one (1) of four (4) subrecipients tested, onsite monitoring and follow-up on documented deficiencies was not performed timely. Cause: Established policies and procedures related to subrecipient monitoring do not specify the timeframe within which monitoring must be completed. Effect: There is an increased risk that the department’s monitoring procedure may not address the subrecipient’s risk of noncompliance. Question Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A non-statistical sample of four (4) out of (10) subrecipients were selected for testing. The condition above was identified during our procedures over subrecipient monitoring. Repeat Finding: No. Recommendation: We recommend the department review its established policies and procedures to ensure subrecipient monitoring is performed timely. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-009 Program: Aging Cluster Federal Financial Assistance Listing Number: 93.041, 93.042, 93.043, 93.044, 93.045, 93.052, 93.053 Federal Grantor: U.S. Department of Health and Human Services Passed-Through: California Department of Aging Award No. and Year: AP-2122-22 and 2022, AP-2324-22 and 2024 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance and Instance of Noncompliance Criteria: Per 2 CFR 200.332, a pass-through entity must monitor the activities of a subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must include the information at 2 CFR 200.332(1) through (4). Condition: During our testing of the Orange County Community Resources (OCCR) department’s provisions for subrecipient monitoring requirements, we noted that for one (1) of four (4) subrecipients tested, onsite monitoring and follow-up on documented deficiencies was not performed timely. Cause: Established policies and procedures related to subrecipient monitoring do not specify the timeframe within which monitoring must be completed. Effect: There is an increased risk that the department’s monitoring procedure may not address the subrecipient’s risk of noncompliance. Question Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A non-statistical sample of four (4) out of (10) subrecipients were selected for testing. The condition above was identified during our procedures over subrecipient monitoring. Repeat Finding: No. Recommendation: We recommend the department review its established policies and procedures to ensure subrecipient monitoring is performed timely. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-009 Program: Aging Cluster Federal Financial Assistance Listing Number: 93.041, 93.042, 93.043, 93.044, 93.045, 93.052, 93.053 Federal Grantor: U.S. Department of Health and Human Services Passed-Through: California Department of Aging Award No. and Year: AP-2122-22 and 2022, AP-2324-22 and 2024 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance and Instance of Noncompliance Criteria: Per 2 CFR 200.332, a pass-through entity must monitor the activities of a subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must include the information at 2 CFR 200.332(1) through (4). Condition: During our testing of the Orange County Community Resources (OCCR) department’s provisions for subrecipient monitoring requirements, we noted that for one (1) of four (4) subrecipients tested, onsite monitoring and follow-up on documented deficiencies was not performed timely. Cause: Established policies and procedures related to subrecipient monitoring do not specify the timeframe within which monitoring must be completed. Effect: There is an increased risk that the department’s monitoring procedure may not address the subrecipient’s risk of noncompliance. Question Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A non-statistical sample of four (4) out of (10) subrecipients were selected for testing. The condition above was identified during our procedures over subrecipient monitoring. Repeat Finding: No. Recommendation: We recommend the department review its established policies and procedures to ensure subrecipient monitoring is performed timely. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-009 Program: Aging Cluster Federal Financial Assistance Listing Number: 93.041, 93.042, 93.043, 93.044, 93.045, 93.052, 93.053 Federal Grantor: U.S. Department of Health and Human Services Passed-Through: California Department of Aging Award No. and Year: AP-2122-22 and 2022, AP-2324-22 and 2024 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance and Instance of Noncompliance Criteria: Per 2 CFR 200.332, a pass-through entity must monitor the activities of a subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must include the information at 2 CFR 200.332(1) through (4). Condition: During our testing of the Orange County Community Resources (OCCR) department’s provisions for subrecipient monitoring requirements, we noted that for one (1) of four (4) subrecipients tested, onsite monitoring and follow-up on documented deficiencies was not performed timely. Cause: Established policies and procedures related to subrecipient monitoring do not specify the timeframe within which monitoring must be completed. Effect: There is an increased risk that the department’s monitoring procedure may not address the subrecipient’s risk of noncompliance. Question Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A non-statistical sample of four (4) out of (10) subrecipients were selected for testing. The condition above was identified during our procedures over subrecipient monitoring. Repeat Finding: No. Recommendation: We recommend the department review its established policies and procedures to ensure subrecipient monitoring is performed timely. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-009 Program: Aging Cluster Federal Financial Assistance Listing Number: 93.041, 93.042, 93.043, 93.044, 93.045, 93.052, 93.053 Federal Grantor: U.S. Department of Health and Human Services Passed-Through: California Department of Aging Award No. and Year: AP-2122-22 and 2022, AP-2324-22 and 2024 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance and Instance of Noncompliance Criteria: Per 2 CFR 200.332, a pass-through entity must monitor the activities of a subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must include the information at 2 CFR 200.332(1) through (4). Condition: During our testing of the Orange County Community Resources (OCCR) department’s provisions for subrecipient monitoring requirements, we noted that for one (1) of four (4) subrecipients tested, onsite monitoring and follow-up on documented deficiencies was not performed timely. Cause: Established policies and procedures related to subrecipient monitoring do not specify the timeframe within which monitoring must be completed. Effect: There is an increased risk that the department’s monitoring procedure may not address the subrecipient’s risk of noncompliance. Question Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A non-statistical sample of four (4) out of (10) subrecipients were selected for testing. The condition above was identified during our procedures over subrecipient monitoring. Repeat Finding: No. Recommendation: We recommend the department review its established policies and procedures to ensure subrecipient monitoring is performed timely. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-009 Program: Aging Cluster Federal Financial Assistance Listing Number: 93.041, 93.042, 93.043, 93.044, 93.045, 93.052, 93.053 Federal Grantor: U.S. Department of Health and Human Services Passed-Through: California Department of Aging Award No. and Year: AP-2122-22 and 2022, AP-2324-22 and 2024 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance and Instance of Noncompliance Criteria: Per 2 CFR 200.332, a pass-through entity must monitor the activities of a subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must include the information at 2 CFR 200.332(1) through (4). Condition: During our testing of the Orange County Community Resources (OCCR) department’s provisions for subrecipient monitoring requirements, we noted that for one (1) of four (4) subrecipients tested, onsite monitoring and follow-up on documented deficiencies was not performed timely. Cause: Established policies and procedures related to subrecipient monitoring do not specify the timeframe within which monitoring must be completed. Effect: There is an increased risk that the department’s monitoring procedure may not address the subrecipient’s risk of noncompliance. Question Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A non-statistical sample of four (4) out of (10) subrecipients were selected for testing. The condition above was identified during our procedures over subrecipient monitoring. Repeat Finding: No. Recommendation: We recommend the department review its established policies and procedures to ensure subrecipient monitoring is performed timely. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-009 Program: Aging Cluster Federal Financial Assistance Listing Number: 93.041, 93.042, 93.043, 93.044, 93.045, 93.052, 93.053 Federal Grantor: U.S. Department of Health and Human Services Passed-Through: California Department of Aging Award No. and Year: AP-2122-22 and 2022, AP-2324-22 and 2024 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance and Instance of Noncompliance Criteria: Per 2 CFR 200.332, a pass-through entity must monitor the activities of a subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must include the information at 2 CFR 200.332(1) through (4). Condition: During our testing of the Orange County Community Resources (OCCR) department’s provisions for subrecipient monitoring requirements, we noted that for one (1) of four (4) subrecipients tested, onsite monitoring and follow-up on documented deficiencies was not performed timely. Cause: Established policies and procedures related to subrecipient monitoring do not specify the timeframe within which monitoring must be completed. Effect: There is an increased risk that the department’s monitoring procedure may not address the subrecipient’s risk of noncompliance. Question Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A non-statistical sample of four (4) out of (10) subrecipients were selected for testing. The condition above was identified during our procedures over subrecipient monitoring. Repeat Finding: No. Recommendation: We recommend the department review its established policies and procedures to ensure subrecipient monitoring is performed timely. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-009 Program: Aging Cluster Federal Financial Assistance Listing Number: 93.041, 93.042, 93.043, 93.044, 93.045, 93.052, 93.053 Federal Grantor: U.S. Department of Health and Human Services Passed-Through: California Department of Aging Award No. and Year: AP-2122-22 and 2022, AP-2324-22 and 2024 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance and Instance of Noncompliance Criteria: Per 2 CFR 200.332, a pass-through entity must monitor the activities of a subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must include the information at 2 CFR 200.332(1) through (4). Condition: During our testing of the Orange County Community Resources (OCCR) department’s provisions for subrecipient monitoring requirements, we noted that for one (1) of four (4) subrecipients tested, onsite monitoring and follow-up on documented deficiencies was not performed timely. Cause: Established policies and procedures related to subrecipient monitoring do not specify the timeframe within which monitoring must be completed. Effect: There is an increased risk that the department’s monitoring procedure may not address the subrecipient’s risk of noncompliance. Question Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A non-statistical sample of four (4) out of (10) subrecipients were selected for testing. The condition above was identified during our procedures over subrecipient monitoring. Repeat Finding: No. Recommendation: We recommend the department review its established policies and procedures to ensure subrecipient monitoring is performed timely. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-009 Program: Aging Cluster Federal Financial Assistance Listing Number: 93.041, 93.042, 93.043, 93.044, 93.045, 93.052, 93.053 Federal Grantor: U.S. Department of Health and Human Services Passed-Through: California Department of Aging Award No. and Year: AP-2122-22 and 2022, AP-2324-22 and 2024 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance and Instance of Noncompliance Criteria: Per 2 CFR 200.332, a pass-through entity must monitor the activities of a subrecipient as necessary to ensure that the subrecipient complies with Federal statutes, regulations, and the terms and conditions of the subaward. The pass-through entity is responsible for monitoring the overall performance of a subrecipient to ensure that the goals and objectives of the subaward are achieved. In monitoring a subrecipient, a pass-through entity must include the information at 2 CFR 200.332(1) through (4). Condition: During our testing of the Orange County Community Resources (OCCR) department’s provisions for subrecipient monitoring requirements, we noted that for one (1) of four (4) subrecipients tested, onsite monitoring and follow-up on documented deficiencies was not performed timely. Cause: Established policies and procedures related to subrecipient monitoring do not specify the timeframe within which monitoring must be completed. Effect: There is an increased risk that the department’s monitoring procedure may not address the subrecipient’s risk of noncompliance. Question Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A non-statistical sample of four (4) out of (10) subrecipients were selected for testing. The condition above was identified during our procedures over subrecipient monitoring. Repeat Finding: No. Recommendation: We recommend the department review its established policies and procedures to ensure subrecipient monitoring is performed timely. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-004 Program: Foster Care Title IV-E Federal Financial Assistance Listing Number: 93.658 Federal Grantor: U.S. Department of Health and Human Services Pass-Through: California Department of Social Services Award No. and Year: 2401CAFOST and 2024, 2301CAFOST and 2023 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance Criteria: In accordance with Title 2 U.S. Code of Federal Regulations (CFR) 200.332, pass-through entities must comply with the following:  2 CFR 200.332(b) – Evaluate each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward. This evaluation of risk may include consideration of such factors listed in 2 CFR 200.332(b)(1) through (4).  2 CFR 200.332(d)- Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include the information at 2 CFR 200.332(d)(1) through (4). The California Department of Social Services further clarifies in its County Fiscal Letter No. 23/24- 80 that Foster Family Agency (FFA), Group Home, and Short Term Residential Therapeutic Programs (STRTP) are “considered subrecipients and subject to the same audit requirements and require the same degree of oversight as other subrecipients”. Further, while there are some licensing and oversight functions performed by the state over FFAs, group homes, and STRTPs, “counties are still ultimately responsible for review of these audits and their findings, any followup to ensure compliance, and any other form of monitoring and oversight required by federal and state laws and regulations.” 2 CFR Section 180.300a, Responsibilities of Participants Regarding Doing Business with Other Persons (and repeated in the California Department of Social Services - County Fiscal Letter No. 21/22 – 115) counties are required to verify that recipients or contracts have not been suspended or debarred by using the federal SAM (Systems for Award Management) Condition: The Social Services Agency (SSA) did not maintain documentation that the subrecipient risk assessment or the monitoring activity tracker was reviewed. Cause: The SSA department did not document its review of the subrecipient risk assessment or the monitoring activity tracker. Effect: The County’s control policies were not consistently followed and documented. Questioned Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A nonstatistical sample of twelve (12) out of fifty-eight (58) subrecipients were sampled, which included seven (7) Foster Family Agency, four (4) Short Term Residential Therapeutic Programs, and one (1) Transitional Housing Placement-Plus Foster Care types. The condition noted above was identified during our procedures related to subrecipient monitoring and was pervasive to the program. Repeat Findings from Prior Years: Yes, Finding 2023-001. Recommendation: We recommend that the County ensure the review over subrecipient monitoring activity is appropriately documented. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-004 Program: Foster Care Title IV-E Federal Financial Assistance Listing Number: 93.658 Federal Grantor: U.S. Department of Health and Human Services Pass-Through: California Department of Social Services Award No. and Year: 2401CAFOST and 2024, 2301CAFOST and 2023 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance Criteria: In accordance with Title 2 U.S. Code of Federal Regulations (CFR) 200.332, pass-through entities must comply with the following:  2 CFR 200.332(b) – Evaluate each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward. This evaluation of risk may include consideration of such factors listed in 2 CFR 200.332(b)(1) through (4).  2 CFR 200.332(d)- Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include the information at 2 CFR 200.332(d)(1) through (4). The California Department of Social Services further clarifies in its County Fiscal Letter No. 23/24- 80 that Foster Family Agency (FFA), Group Home, and Short Term Residential Therapeutic Programs (STRTP) are “considered subrecipients and subject to the same audit requirements and require the same degree of oversight as other subrecipients”. Further, while there are some licensing and oversight functions performed by the state over FFAs, group homes, and STRTPs, “counties are still ultimately responsible for review of these audits and their findings, any followup to ensure compliance, and any other form of monitoring and oversight required by federal and state laws and regulations.” 2 CFR Section 180.300a, Responsibilities of Participants Regarding Doing Business with Other Persons (and repeated in the California Department of Social Services - County Fiscal Letter No. 21/22 – 115) counties are required to verify that recipients or contracts have not been suspended or debarred by using the federal SAM (Systems for Award Management) Condition: The Social Services Agency (SSA) did not maintain documentation that the subrecipient risk assessment or the monitoring activity tracker was reviewed. Cause: The SSA department did not document its review of the subrecipient risk assessment or the monitoring activity tracker. Effect: The County’s control policies were not consistently followed and documented. Questioned Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A nonstatistical sample of twelve (12) out of fifty-eight (58) subrecipients were sampled, which included seven (7) Foster Family Agency, four (4) Short Term Residential Therapeutic Programs, and one (1) Transitional Housing Placement-Plus Foster Care types. The condition noted above was identified during our procedures related to subrecipient monitoring and was pervasive to the program. Repeat Findings from Prior Years: Yes, Finding 2023-001. Recommendation: We recommend that the County ensure the review over subrecipient monitoring activity is appropriately documented. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-004 Program: Foster Care Title IV-E Federal Financial Assistance Listing Number: 93.658 Federal Grantor: U.S. Department of Health and Human Services Pass-Through: California Department of Social Services Award No. and Year: 2401CAFOST and 2024, 2301CAFOST and 2023 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance Criteria: In accordance with Title 2 U.S. Code of Federal Regulations (CFR) 200.332, pass-through entities must comply with the following:  2 CFR 200.332(b) – Evaluate each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward. This evaluation of risk may include consideration of such factors listed in 2 CFR 200.332(b)(1) through (4).  2 CFR 200.332(d)- Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include the information at 2 CFR 200.332(d)(1) through (4). The California Department of Social Services further clarifies in its County Fiscal Letter No. 23/24- 80 that Foster Family Agency (FFA), Group Home, and Short Term Residential Therapeutic Programs (STRTP) are “considered subrecipients and subject to the same audit requirements and require the same degree of oversight as other subrecipients”. Further, while there are some licensing and oversight functions performed by the state over FFAs, group homes, and STRTPs, “counties are still ultimately responsible for review of these audits and their findings, any followup to ensure compliance, and any other form of monitoring and oversight required by federal and state laws and regulations.” 2 CFR Section 180.300a, Responsibilities of Participants Regarding Doing Business with Other Persons (and repeated in the California Department of Social Services - County Fiscal Letter No. 21/22 – 115) counties are required to verify that recipients or contracts have not been suspended or debarred by using the federal SAM (Systems for Award Management) Condition: The Social Services Agency (SSA) did not maintain documentation that the subrecipient risk assessment or the monitoring activity tracker was reviewed. Cause: The SSA department did not document its review of the subrecipient risk assessment or the monitoring activity tracker. Effect: The County’s control policies were not consistently followed and documented. Questioned Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A nonstatistical sample of twelve (12) out of fifty-eight (58) subrecipients were sampled, which included seven (7) Foster Family Agency, four (4) Short Term Residential Therapeutic Programs, and one (1) Transitional Housing Placement-Plus Foster Care types. The condition noted above was identified during our procedures related to subrecipient monitoring and was pervasive to the program. Repeat Findings from Prior Years: Yes, Finding 2023-001. Recommendation: We recommend that the County ensure the review over subrecipient monitoring activity is appropriately documented. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-004 Program: Foster Care Title IV-E Federal Financial Assistance Listing Number: 93.658 Federal Grantor: U.S. Department of Health and Human Services Pass-Through: California Department of Social Services Award No. and Year: 2401CAFOST and 2024, 2301CAFOST and 2023 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance Criteria: In accordance with Title 2 U.S. Code of Federal Regulations (CFR) 200.332, pass-through entities must comply with the following:  2 CFR 200.332(b) – Evaluate each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward. This evaluation of risk may include consideration of such factors listed in 2 CFR 200.332(b)(1) through (4).  2 CFR 200.332(d)- Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include the information at 2 CFR 200.332(d)(1) through (4). The California Department of Social Services further clarifies in its County Fiscal Letter No. 23/24- 80 that Foster Family Agency (FFA), Group Home, and Short Term Residential Therapeutic Programs (STRTP) are “considered subrecipients and subject to the same audit requirements and require the same degree of oversight as other subrecipients”. Further, while there are some licensing and oversight functions performed by the state over FFAs, group homes, and STRTPs, “counties are still ultimately responsible for review of these audits and their findings, any followup to ensure compliance, and any other form of monitoring and oversight required by federal and state laws and regulations.” 2 CFR Section 180.300a, Responsibilities of Participants Regarding Doing Business with Other Persons (and repeated in the California Department of Social Services - County Fiscal Letter No. 21/22 – 115) counties are required to verify that recipients or contracts have not been suspended or debarred by using the federal SAM (Systems for Award Management) Condition: The Social Services Agency (SSA) did not maintain documentation that the subrecipient risk assessment or the monitoring activity tracker was reviewed. Cause: The SSA department did not document its review of the subrecipient risk assessment or the monitoring activity tracker. Effect: The County’s control policies were not consistently followed and documented. Questioned Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A nonstatistical sample of twelve (12) out of fifty-eight (58) subrecipients were sampled, which included seven (7) Foster Family Agency, four (4) Short Term Residential Therapeutic Programs, and one (1) Transitional Housing Placement-Plus Foster Care types. The condition noted above was identified during our procedures related to subrecipient monitoring and was pervasive to the program. Repeat Findings from Prior Years: Yes, Finding 2023-001. Recommendation: We recommend that the County ensure the review over subrecipient monitoring activity is appropriately documented. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-004 Program: Foster Care Title IV-E Federal Financial Assistance Listing Number: 93.658 Federal Grantor: U.S. Department of Health and Human Services Pass-Through: California Department of Social Services Award No. and Year: 2401CAFOST and 2024, 2301CAFOST and 2023 Compliance Requirements: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance Criteria: In accordance with Title 2 U.S. Code of Federal Regulations (CFR) 200.332, pass-through entities must comply with the following:  2 CFR 200.332(b) – Evaluate each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward. This evaluation of risk may include consideration of such factors listed in 2 CFR 200.332(b)(1) through (4).  2 CFR 200.332(d)- Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include the information at 2 CFR 200.332(d)(1) through (4). The California Department of Social Services further clarifies in its County Fiscal Letter No. 23/24- 80 that Foster Family Agency (FFA), Group Home, and Short Term Residential Therapeutic Programs (STRTP) are “considered subrecipients and subject to the same audit requirements and require the same degree of oversight as other subrecipients”. Further, while there are some licensing and oversight functions performed by the state over FFAs, group homes, and STRTPs, “counties are still ultimately responsible for review of these audits and their findings, any followup to ensure compliance, and any other form of monitoring and oversight required by federal and state laws and regulations.” 2 CFR Section 180.300a, Responsibilities of Participants Regarding Doing Business with Other Persons (and repeated in the California Department of Social Services - County Fiscal Letter No. 21/22 – 115) counties are required to verify that recipients or contracts have not been suspended or debarred by using the federal SAM (Systems for Award Management) Condition: The Social Services Agency (SSA) did not maintain documentation that the subrecipient risk assessment or the monitoring activity tracker was reviewed. Cause: The SSA department did not document its review of the subrecipient risk assessment or the monitoring activity tracker. Effect: The County’s control policies were not consistently followed and documented. Questioned Costs: No questioned costs were identified as a result of our procedures. Context/Sampling: A nonstatistical sample of twelve (12) out of fifty-eight (58) subrecipients were sampled, which included seven (7) Foster Family Agency, four (4) Short Term Residential Therapeutic Programs, and one (1) Transitional Housing Placement-Plus Foster Care types. The condition noted above was identified during our procedures related to subrecipient monitoring and was pervasive to the program. Repeat Findings from Prior Years: Yes, Finding 2023-001. Recommendation: We recommend that the County ensure the review over subrecipient monitoring activity is appropriately documented. Views of Responsible Officials: Management agrees. See separately issued Corrective Action Plan.

2024-012. Inadequate SLFRF Subrecipient Monitoring (Finding Type: Significant Deficiency, Reportable Noncompliance) Federal Agency: Department of the Treasury Assistance Listing Number and Title: 21.027 Coronavirus State and Local Fiscal Recovery Funds Federal Award Number: N/A Questioned Costs: $0 Pass-through Entity: N/A Prior Year Single Audit Report Finding Number: 2023-017 The Governor’s Office of Planning and Budget (GOPB), the prime recipient for the State and Local Fiscal Recovery Funds (SLFRF), and state agencies, including the Department of Natural Resources (DNR), and the Department of Environmental Quality (DEQ) did not adequately fulfill their subrecipient monitoring responsibilities. Communication of Key Federal Grant Information, Risk Evaluation, and Compliance Monitoring DNR and DEQ did not have adequate written policies and procedures, properly communicate key federal grant information, or evaluate subrecipient-risk for noncompliance to guide the monitoring for eight of the 11 selected subrecipients (two at DEQ and six at DNR), as required by 2 CFR 200.332(a) and 2 CFR 200.332(b) and (d). Subrecipient Single Audit Report Reviews For three of the four subrecipients selected (one at DEQ and two at DNR), DNR and DEQ did not adequately review their subrecipients’ Single Audit reports and findings to assess whether the subrecipients spent the funds appropriately. The agencies also did not have adequate controls to ensure their subrecipients’ Single Audit reports were monitored according to federal requirements. Uniform Guidance (2 CFR 200.332(d)(2)) requires a review of subrecipient Single Audit reports when they become available, as well as a follow-up to address any findings related to the applicable program. The errors noted above were a result of the agencies not fully understanding the nature of the funds they received, the extent of compliance requirements, and the nature of the subaward agreement relationships. DNR and DEQ have taken steps to implement controls over these areas but did not have the new procedures in place as of year-end. Failure to establish internal controls, adequately communicate key federal program information to subrecipients, and perform risk evaluation and monitoring procedures may result in the subrecipient’s noncompliance with federal fund requirements and potential misuse of federal funds. Recommendations: We recommend that GOPB, DNR, and DEQ do the following: 1. Gain an understanding of the subrecipient requirements and establish internal controls to ensure compliance with these requirements; 2. Establish written policies and procedures to ensure compliance with subrecipient monitoring requirements; 3. Communicate all required federal award information to sub-recipients, 4. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward; and, 5. Monitor subrecipients according to their assessed risk and as required by 2 CFR 200.332. DNR’s Response: The Department of Natural Resources agrees with this finding. We were originally audited by the State Auditor's Office in the summer of 2023 regarding our compliance with overseeing ARPA funding. In March 2024 we received findings from that audit. In May 2024 we were notified of an SLFRF audit. All of the new audit samples selected in the SLFRF audit were from before we received the results of the initial ARPA audit in March 2024. We have made improvements to our SLFRF subrecipient monitoring since receiving the initial audit recommendations in March 2024. We intend to make additional improvements based on these subsequent audit recommendations and our own internal reviews. DEQ’s Response: DEQ agrees with the finding. DEQ does have procedures for sub-recipient monitoring, including risk assessments and review of Single Audit reports; however, with the ARPA funds in question, improvements can be made to ensure that sub-recipient monitoring is performed timely, documented, and complies with federal requirements. GOPB’s Response: GOPB, DEQ and DNR agree with the finding. GOPB has proactively supported state agencies with their subrecipient monitoring responsibilities. On May 15, 2023, GOPB emailed the current version of its ARPA Reference Guide to all state agencies administering ARPA SLFRF funds. This guide provides a comprehensive overview of the necessary compliance documents, including the State Agency Checklist, guidelines for SLFRF administrative and indirect costs, Single Audit compliance standards, internal controls references, risk assessment protocols, and subrecipient monitoring checklists. Following this, GOPB hosted federal funds compliance training for agency financial management staff on May 31 and June 6, 2023, which covered key aspects of SLFRF oversight, such as the ARPA Reference Guide, Unique Entity ID (UEI) requirements, FINET ARPA coding, and compliance procedures. GOPB also reviewed ARPA SLFR frequently asked question 13.15 to document the requirements of 2 C.F.R. Part 200 that apply to non-revenue replacement projects and those that do not apply to revenue replacement projects. GOPB has also developed and implemented an APRA SLFRF Monitoring Plan to review agency compliance with policies, procedures, and subrecipient monitoring requirements.

2024-012. Inadequate SLFRF Subrecipient Monitoring (Finding Type: Significant Deficiency, Reportable Noncompliance) Federal Agency: Department of the Treasury Assistance Listing Number and Title: 21.027 Coronavirus State and Local Fiscal Recovery Funds Federal Award Number: N/A Questioned Costs: $0 Pass-through Entity: N/A Prior Year Single Audit Report Finding Number: 2023-017 The Governor’s Office of Planning and Budget (GOPB), the prime recipient for the State and Local Fiscal Recovery Funds (SLFRF), and state agencies, including the Department of Natural Resources (DNR), and the Department of Environmental Quality (DEQ) did not adequately fulfill their subrecipient monitoring responsibilities. Communication of Key Federal Grant Information, Risk Evaluation, and Compliance Monitoring DNR and DEQ did not have adequate written policies and procedures, properly communicate key federal grant information, or evaluate subrecipient-risk for noncompliance to guide the monitoring for eight of the 11 selected subrecipients (two at DEQ and six at DNR), as required by 2 CFR 200.332(a) and 2 CFR 200.332(b) and (d). Subrecipient Single Audit Report Reviews For three of the four subrecipients selected (one at DEQ and two at DNR), DNR and DEQ did not adequately review their subrecipients’ Single Audit reports and findings to assess whether the subrecipients spent the funds appropriately. The agencies also did not have adequate controls to ensure their subrecipients’ Single Audit reports were monitored according to federal requirements. Uniform Guidance (2 CFR 200.332(d)(2)) requires a review of subrecipient Single Audit reports when they become available, as well as a follow-up to address any findings related to the applicable program. The errors noted above were a result of the agencies not fully understanding the nature of the funds they received, the extent of compliance requirements, and the nature of the subaward agreement relationships. DNR and DEQ have taken steps to implement controls over these areas but did not have the new procedures in place as of year-end. Failure to establish internal controls, adequately communicate key federal program information to subrecipients, and perform risk evaluation and monitoring procedures may result in the subrecipient’s noncompliance with federal fund requirements and potential misuse of federal funds. Recommendations: We recommend that GOPB, DNR, and DEQ do the following: 1. Gain an understanding of the subrecipient requirements and establish internal controls to ensure compliance with these requirements; 2. Establish written policies and procedures to ensure compliance with subrecipient monitoring requirements; 3. Communicate all required federal award information to sub-recipients, 4. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward; and, 5. Monitor subrecipients according to their assessed risk and as required by 2 CFR 200.332. DNR’s Response: The Department of Natural Resources agrees with this finding. We were originally audited by the State Auditor's Office in the summer of 2023 regarding our compliance with overseeing ARPA funding. In March 2024 we received findings from that audit. In May 2024 we were notified of an SLFRF audit. All of the new audit samples selected in the SLFRF audit were from before we received the results of the initial ARPA audit in March 2024. We have made improvements to our SLFRF subrecipient monitoring since receiving the initial audit recommendations in March 2024. We intend to make additional improvements based on these subsequent audit recommendations and our own internal reviews. DEQ’s Response: DEQ agrees with the finding. DEQ does have procedures for sub-recipient monitoring, including risk assessments and review of Single Audit reports; however, with the ARPA funds in question, improvements can be made to ensure that sub-recipient monitoring is performed timely, documented, and complies with federal requirements. GOPB’s Response: GOPB, DEQ and DNR agree with the finding. GOPB has proactively supported state agencies with their subrecipient monitoring responsibilities. On May 15, 2023, GOPB emailed the current version of its ARPA Reference Guide to all state agencies administering ARPA SLFRF funds. This guide provides a comprehensive overview of the necessary compliance documents, including the State Agency Checklist, guidelines for SLFRF administrative and indirect costs, Single Audit compliance standards, internal controls references, risk assessment protocols, and subrecipient monitoring checklists. Following this, GOPB hosted federal funds compliance training for agency financial management staff on May 31 and June 6, 2023, which covered key aspects of SLFRF oversight, such as the ARPA Reference Guide, Unique Entity ID (UEI) requirements, FINET ARPA coding, and compliance procedures. GOPB also reviewed ARPA SLFR frequently asked question 13.15 to document the requirements of 2 C.F.R. Part 200 that apply to non-revenue replacement projects and those that do not apply to revenue replacement projects. GOPB has also developed and implemented an APRA SLFRF Monitoring Plan to review agency compliance with policies, procedures, and subrecipient monitoring requirements.

2024-012. Inadequate SLFRF Subrecipient Monitoring (Finding Type: Significant Deficiency, Reportable Noncompliance) Federal Agency: Department of the Treasury Assistance Listing Number and Title: 21.027 Coronavirus State and Local Fiscal Recovery Funds Federal Award Number: N/A Questioned Costs: $0 Pass-through Entity: N/A Prior Year Single Audit Report Finding Number: 2023-017 The Governor’s Office of Planning and Budget (GOPB), the prime recipient for the State and Local Fiscal Recovery Funds (SLFRF), and state agencies, including the Department of Natural Resources (DNR), and the Department of Environmental Quality (DEQ) did not adequately fulfill their subrecipient monitoring responsibilities. Communication of Key Federal Grant Information, Risk Evaluation, and Compliance Monitoring DNR and DEQ did not have adequate written policies and procedures, properly communicate key federal grant information, or evaluate subrecipient-risk for noncompliance to guide the monitoring for eight of the 11 selected subrecipients (two at DEQ and six at DNR), as required by 2 CFR 200.332(a) and 2 CFR 200.332(b) and (d). Subrecipient Single Audit Report Reviews For three of the four subrecipients selected (one at DEQ and two at DNR), DNR and DEQ did not adequately review their subrecipients’ Single Audit reports and findings to assess whether the subrecipients spent the funds appropriately. The agencies also did not have adequate controls to ensure their subrecipients’ Single Audit reports were monitored according to federal requirements. Uniform Guidance (2 CFR 200.332(d)(2)) requires a review of subrecipient Single Audit reports when they become available, as well as a follow-up to address any findings related to the applicable program. The errors noted above were a result of the agencies not fully understanding the nature of the funds they received, the extent of compliance requirements, and the nature of the subaward agreement relationships. DNR and DEQ have taken steps to implement controls over these areas but did not have the new procedures in place as of year-end. Failure to establish internal controls, adequately communicate key federal program information to subrecipients, and perform risk evaluation and monitoring procedures may result in the subrecipient’s noncompliance with federal fund requirements and potential misuse of federal funds. Recommendations: We recommend that GOPB, DNR, and DEQ do the following: 1. Gain an understanding of the subrecipient requirements and establish internal controls to ensure compliance with these requirements; 2. Establish written policies and procedures to ensure compliance with subrecipient monitoring requirements; 3. Communicate all required federal award information to sub-recipients, 4. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward; and, 5. Monitor subrecipients according to their assessed risk and as required by 2 CFR 200.332. DNR’s Response: The Department of Natural Resources agrees with this finding. We were originally audited by the State Auditor's Office in the summer of 2023 regarding our compliance with overseeing ARPA funding. In March 2024 we received findings from that audit. In May 2024 we were notified of an SLFRF audit. All of the new audit samples selected in the SLFRF audit were from before we received the results of the initial ARPA audit in March 2024. We have made improvements to our SLFRF subrecipient monitoring since receiving the initial audit recommendations in March 2024. We intend to make additional improvements based on these subsequent audit recommendations and our own internal reviews. DEQ’s Response: DEQ agrees with the finding. DEQ does have procedures for sub-recipient monitoring, including risk assessments and review of Single Audit reports; however, with the ARPA funds in question, improvements can be made to ensure that sub-recipient monitoring is performed timely, documented, and complies with federal requirements. GOPB’s Response: GOPB, DEQ and DNR agree with the finding. GOPB has proactively supported state agencies with their subrecipient monitoring responsibilities. On May 15, 2023, GOPB emailed the current version of its ARPA Reference Guide to all state agencies administering ARPA SLFRF funds. This guide provides a comprehensive overview of the necessary compliance documents, including the State Agency Checklist, guidelines for SLFRF administrative and indirect costs, Single Audit compliance standards, internal controls references, risk assessment protocols, and subrecipient monitoring checklists. Following this, GOPB hosted federal funds compliance training for agency financial management staff on May 31 and June 6, 2023, which covered key aspects of SLFRF oversight, such as the ARPA Reference Guide, Unique Entity ID (UEI) requirements, FINET ARPA coding, and compliance procedures. GOPB also reviewed ARPA SLFR frequently asked question 13.15 to document the requirements of 2 C.F.R. Part 200 that apply to non-revenue replacement projects and those that do not apply to revenue replacement projects. GOPB has also developed and implemented an APRA SLFRF Monitoring Plan to review agency compliance with policies, procedures, and subrecipient monitoring requirements.

2024-012. Inadequate SLFRF Subrecipient Monitoring (Finding Type: Significant Deficiency, Reportable Noncompliance) Federal Agency: Department of the Treasury Assistance Listing Number and Title: 21.027 Coronavirus State and Local Fiscal Recovery Funds Federal Award Number: N/A Questioned Costs: $0 Pass-through Entity: N/A Prior Year Single Audit Report Finding Number: 2023-017 The Governor’s Office of Planning and Budget (GOPB), the prime recipient for the State and Local Fiscal Recovery Funds (SLFRF), and state agencies, including the Department of Natural Resources (DNR), and the Department of Environmental Quality (DEQ) did not adequately fulfill their subrecipient monitoring responsibilities. Communication of Key Federal Grant Information, Risk Evaluation, and Compliance Monitoring DNR and DEQ did not have adequate written policies and procedures, properly communicate key federal grant information, or evaluate subrecipient-risk for noncompliance to guide the monitoring for eight of the 11 selected subrecipients (two at DEQ and six at DNR), as required by 2 CFR 200.332(a) and 2 CFR 200.332(b) and (d). Subrecipient Single Audit Report Reviews For three of the four subrecipients selected (one at DEQ and two at DNR), DNR and DEQ did not adequately review their subrecipients’ Single Audit reports and findings to assess whether the subrecipients spent the funds appropriately. The agencies also did not have adequate controls to ensure their subrecipients’ Single Audit reports were monitored according to federal requirements. Uniform Guidance (2 CFR 200.332(d)(2)) requires a review of subrecipient Single Audit reports when they become available, as well as a follow-up to address any findings related to the applicable program. The errors noted above were a result of the agencies not fully understanding the nature of the funds they received, the extent of compliance requirements, and the nature of the subaward agreement relationships. DNR and DEQ have taken steps to implement controls over these areas but did not have the new procedures in place as of year-end. Failure to establish internal controls, adequately communicate key federal program information to subrecipients, and perform risk evaluation and monitoring procedures may result in the subrecipient’s noncompliance with federal fund requirements and potential misuse of federal funds. Recommendations: We recommend that GOPB, DNR, and DEQ do the following: 1. Gain an understanding of the subrecipient requirements and establish internal controls to ensure compliance with these requirements; 2. Establish written policies and procedures to ensure compliance with subrecipient monitoring requirements; 3. Communicate all required federal award information to sub-recipients, 4. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward; and, 5. Monitor subrecipients according to their assessed risk and as required by 2 CFR 200.332. DNR’s Response: The Department of Natural Resources agrees with this finding. We were originally audited by the State Auditor's Office in the summer of 2023 regarding our compliance with overseeing ARPA funding. In March 2024 we received findings from that audit. In May 2024 we were notified of an SLFRF audit. All of the new audit samples selected in the SLFRF audit were from before we received the results of the initial ARPA audit in March 2024. We have made improvements to our SLFRF subrecipient monitoring since receiving the initial audit recommendations in March 2024. We intend to make additional improvements based on these subsequent audit recommendations and our own internal reviews. DEQ’s Response: DEQ agrees with the finding. DEQ does have procedures for sub-recipient monitoring, including risk assessments and review of Single Audit reports; however, with the ARPA funds in question, improvements can be made to ensure that sub-recipient monitoring is performed timely, documented, and complies with federal requirements. GOPB’s Response: GOPB, DEQ and DNR agree with the finding. GOPB has proactively supported state agencies with their subrecipient monitoring responsibilities. On May 15, 2023, GOPB emailed the current version of its ARPA Reference Guide to all state agencies administering ARPA SLFRF funds. This guide provides a comprehensive overview of the necessary compliance documents, including the State Agency Checklist, guidelines for SLFRF administrative and indirect costs, Single Audit compliance standards, internal controls references, risk assessment protocols, and subrecipient monitoring checklists. Following this, GOPB hosted federal funds compliance training for agency financial management staff on May 31 and June 6, 2023, which covered key aspects of SLFRF oversight, such as the ARPA Reference Guide, Unique Entity ID (UEI) requirements, FINET ARPA coding, and compliance procedures. GOPB also reviewed ARPA SLFR frequently asked question 13.15 to document the requirements of 2 C.F.R. Part 200 that apply to non-revenue replacement projects and those that do not apply to revenue replacement projects. GOPB has also developed and implemented an APRA SLFRF Monitoring Plan to review agency compliance with policies, procedures, and subrecipient monitoring requirements.

2024-012. Inadequate SLFRF Subrecipient Monitoring (Finding Type: Significant Deficiency, Reportable Noncompliance) Federal Agency: Department of the Treasury Assistance Listing Number and Title: 21.027 Coronavirus State and Local Fiscal Recovery Funds Federal Award Number: N/A Questioned Costs: $0 Pass-through Entity: N/A Prior Year Single Audit Report Finding Number: 2023-017 The Governor’s Office of Planning and Budget (GOPB), the prime recipient for the State and Local Fiscal Recovery Funds (SLFRF), and state agencies, including the Department of Natural Resources (DNR), and the Department of Environmental Quality (DEQ) did not adequately fulfill their subrecipient monitoring responsibilities. Communication of Key Federal Grant Information, Risk Evaluation, and Compliance Monitoring DNR and DEQ did not have adequate written policies and procedures, properly communicate key federal grant information, or evaluate subrecipient-risk for noncompliance to guide the monitoring for eight of the 11 selected subrecipients (two at DEQ and six at DNR), as required by 2 CFR 200.332(a) and 2 CFR 200.332(b) and (d). Subrecipient Single Audit Report Reviews For three of the four subrecipients selected (one at DEQ and two at DNR), DNR and DEQ did not adequately review their subrecipients’ Single Audit reports and findings to assess whether the subrecipients spent the funds appropriately. The agencies also did not have adequate controls to ensure their subrecipients’ Single Audit reports were monitored according to federal requirements. Uniform Guidance (2 CFR 200.332(d)(2)) requires a review of subrecipient Single Audit reports when they become available, as well as a follow-up to address any findings related to the applicable program. The errors noted above were a result of the agencies not fully understanding the nature of the funds they received, the extent of compliance requirements, and the nature of the subaward agreement relationships. DNR and DEQ have taken steps to implement controls over these areas but did not have the new procedures in place as of year-end. Failure to establish internal controls, adequately communicate key federal program information to subrecipients, and perform risk evaluation and monitoring procedures may result in the subrecipient’s noncompliance with federal fund requirements and potential misuse of federal funds. Recommendations: We recommend that GOPB, DNR, and DEQ do the following: 1. Gain an understanding of the subrecipient requirements and establish internal controls to ensure compliance with these requirements; 2. Establish written policies and procedures to ensure compliance with subrecipient monitoring requirements; 3. Communicate all required federal award information to sub-recipients, 4. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward; and, 5. Monitor subrecipients according to their assessed risk and as required by 2 CFR 200.332. DNR’s Response: The Department of Natural Resources agrees with this finding. We were originally audited by the State Auditor's Office in the summer of 2023 regarding our compliance with overseeing ARPA funding. In March 2024 we received findings from that audit. In May 2024 we were notified of an SLFRF audit. All of the new audit samples selected in the SLFRF audit were from before we received the results of the initial ARPA audit in March 2024. We have made improvements to our SLFRF subrecipient monitoring since receiving the initial audit recommendations in March 2024. We intend to make additional improvements based on these subsequent audit recommendations and our own internal reviews. DEQ’s Response: DEQ agrees with the finding. DEQ does have procedures for sub-recipient monitoring, including risk assessments and review of Single Audit reports; however, with the ARPA funds in question, improvements can be made to ensure that sub-recipient monitoring is performed timely, documented, and complies with federal requirements. GOPB’s Response: GOPB, DEQ and DNR agree with the finding. GOPB has proactively supported state agencies with their subrecipient monitoring responsibilities. On May 15, 2023, GOPB emailed the current version of its ARPA Reference Guide to all state agencies administering ARPA SLFRF funds. This guide provides a comprehensive overview of the necessary compliance documents, including the State Agency Checklist, guidelines for SLFRF administrative and indirect costs, Single Audit compliance standards, internal controls references, risk assessment protocols, and subrecipient monitoring checklists. Following this, GOPB hosted federal funds compliance training for agency financial management staff on May 31 and June 6, 2023, which covered key aspects of SLFRF oversight, such as the ARPA Reference Guide, Unique Entity ID (UEI) requirements, FINET ARPA coding, and compliance procedures. GOPB also reviewed ARPA SLFR frequently asked question 13.15 to document the requirements of 2 C.F.R. Part 200 that apply to non-revenue replacement projects and those that do not apply to revenue replacement projects. GOPB has also developed and implemented an APRA SLFRF Monitoring Plan to review agency compliance with policies, procedures, and subrecipient monitoring requirements.

2024-012. Inadequate SLFRF Subrecipient Monitoring (Finding Type: Significant Deficiency, Reportable Noncompliance) Federal Agency: Department of the Treasury Assistance Listing Number and Title: 21.027 Coronavirus State and Local Fiscal Recovery Funds Federal Award Number: N/A Questioned Costs: $0 Pass-through Entity: N/A Prior Year Single Audit Report Finding Number: 2023-017 The Governor’s Office of Planning and Budget (GOPB), the prime recipient for the State and Local Fiscal Recovery Funds (SLFRF), and state agencies, including the Department of Natural Resources (DNR), and the Department of Environmental Quality (DEQ) did not adequately fulfill their subrecipient monitoring responsibilities. Communication of Key Federal Grant Information, Risk Evaluation, and Compliance Monitoring DNR and DEQ did not have adequate written policies and procedures, properly communicate key federal grant information, or evaluate subrecipient-risk for noncompliance to guide the monitoring for eight of the 11 selected subrecipients (two at DEQ and six at DNR), as required by 2 CFR 200.332(a) and 2 CFR 200.332(b) and (d). Subrecipient Single Audit Report Reviews For three of the four subrecipients selected (one at DEQ and two at DNR), DNR and DEQ did not adequately review their subrecipients’ Single Audit reports and findings to assess whether the subrecipients spent the funds appropriately. The agencies also did not have adequate controls to ensure their subrecipients’ Single Audit reports were monitored according to federal requirements. Uniform Guidance (2 CFR 200.332(d)(2)) requires a review of subrecipient Single Audit reports when they become available, as well as a follow-up to address any findings related to the applicable program. The errors noted above were a result of the agencies not fully understanding the nature of the funds they received, the extent of compliance requirements, and the nature of the subaward agreement relationships. DNR and DEQ have taken steps to implement controls over these areas but did not have the new procedures in place as of year-end. Failure to establish internal controls, adequately communicate key federal program information to subrecipients, and perform risk evaluation and monitoring procedures may result in the subrecipient’s noncompliance with federal fund requirements and potential misuse of federal funds. Recommendations: We recommend that GOPB, DNR, and DEQ do the following: 1. Gain an understanding of the subrecipient requirements and establish internal controls to ensure compliance with these requirements; 2. Establish written policies and procedures to ensure compliance with subrecipient monitoring requirements; 3. Communicate all required federal award information to sub-recipients, 4. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward; and, 5. Monitor subrecipients according to their assessed risk and as required by 2 CFR 200.332. DNR’s Response: The Department of Natural Resources agrees with this finding. We were originally audited by the State Auditor's Office in the summer of 2023 regarding our compliance with overseeing ARPA funding. In March 2024 we received findings from that audit. In May 2024 we were notified of an SLFRF audit. All of the new audit samples selected in the SLFRF audit were from before we received the results of the initial ARPA audit in March 2024. We have made improvements to our SLFRF subrecipient monitoring since receiving the initial audit recommendations in March 2024. We intend to make additional improvements based on these subsequent audit recommendations and our own internal reviews. DEQ’s Response: DEQ agrees with the finding. DEQ does have procedures for sub-recipient monitoring, including risk assessments and review of Single Audit reports; however, with the ARPA funds in question, improvements can be made to ensure that sub-recipient monitoring is performed timely, documented, and complies with federal requirements. GOPB’s Response: GOPB, DEQ and DNR agree with the finding. GOPB has proactively supported state agencies with their subrecipient monitoring responsibilities. On May 15, 2023, GOPB emailed the current version of its ARPA Reference Guide to all state agencies administering ARPA SLFRF funds. This guide provides a comprehensive overview of the necessary compliance documents, including the State Agency Checklist, guidelines for SLFRF administrative and indirect costs, Single Audit compliance standards, internal controls references, risk assessment protocols, and subrecipient monitoring checklists. Following this, GOPB hosted federal funds compliance training for agency financial management staff on May 31 and June 6, 2023, which covered key aspects of SLFRF oversight, such as the ARPA Reference Guide, Unique Entity ID (UEI) requirements, FINET ARPA coding, and compliance procedures. GOPB also reviewed ARPA SLFR frequently asked question 13.15 to document the requirements of 2 C.F.R. Part 200 that apply to non-revenue replacement projects and those that do not apply to revenue replacement projects. GOPB has also developed and implemented an APRA SLFRF Monitoring Plan to review agency compliance with policies, procedures, and subrecipient monitoring requirements.

2024-012. Inadequate SLFRF Subrecipient Monitoring (Finding Type: Significant Deficiency, Reportable Noncompliance) Federal Agency: Department of the Treasury Assistance Listing Number and Title: 21.027 Coronavirus State and Local Fiscal Recovery Funds Federal Award Number: N/A Questioned Costs: $0 Pass-through Entity: N/A Prior Year Single Audit Report Finding Number: 2023-017 The Governor’s Office of Planning and Budget (GOPB), the prime recipient for the State and Local Fiscal Recovery Funds (SLFRF), and state agencies, including the Department of Natural Resources (DNR), and the Department of Environmental Quality (DEQ) did not adequately fulfill their subrecipient monitoring responsibilities. Communication of Key Federal Grant Information, Risk Evaluation, and Compliance Monitoring DNR and DEQ did not have adequate written policies and procedures, properly communicate key federal grant information, or evaluate subrecipient-risk for noncompliance to guide the monitoring for eight of the 11 selected subrecipients (two at DEQ and six at DNR), as required by 2 CFR 200.332(a) and 2 CFR 200.332(b) and (d). Subrecipient Single Audit Report Reviews For three of the four subrecipients selected (one at DEQ and two at DNR), DNR and DEQ did not adequately review their subrecipients’ Single Audit reports and findings to assess whether the subrecipients spent the funds appropriately. The agencies also did not have adequate controls to ensure their subrecipients’ Single Audit reports were monitored according to federal requirements. Uniform Guidance (2 CFR 200.332(d)(2)) requires a review of subrecipient Single Audit reports when they become available, as well as a follow-up to address any findings related to the applicable program. The errors noted above were a result of the agencies not fully understanding the nature of the funds they received, the extent of compliance requirements, and the nature of the subaward agreement relationships. DNR and DEQ have taken steps to implement controls over these areas but did not have the new procedures in place as of year-end. Failure to establish internal controls, adequately communicate key federal program information to subrecipients, and perform risk evaluation and monitoring procedures may result in the subrecipient’s noncompliance with federal fund requirements and potential misuse of federal funds. Recommendations: We recommend that GOPB, DNR, and DEQ do the following: 1. Gain an understanding of the subrecipient requirements and establish internal controls to ensure compliance with these requirements; 2. Establish written policies and procedures to ensure compliance with subrecipient monitoring requirements; 3. Communicate all required federal award information to sub-recipients, 4. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward; and, 5. Monitor subrecipients according to their assessed risk and as required by 2 CFR 200.332. DNR’s Response: The Department of Natural Resources agrees with this finding. We were originally audited by the State Auditor's Office in the summer of 2023 regarding our compliance with overseeing ARPA funding. In March 2024 we received findings from that audit. In May 2024 we were notified of an SLFRF audit. All of the new audit samples selected in the SLFRF audit were from before we received the results of the initial ARPA audit in March 2024. We have made improvements to our SLFRF subrecipient monitoring since receiving the initial audit recommendations in March 2024. We intend to make additional improvements based on these subsequent audit recommendations and our own internal reviews. DEQ’s Response: DEQ agrees with the finding. DEQ does have procedures for sub-recipient monitoring, including risk assessments and review of Single Audit reports; however, with the ARPA funds in question, improvements can be made to ensure that sub-recipient monitoring is performed timely, documented, and complies with federal requirements. GOPB’s Response: GOPB, DEQ and DNR agree with the finding. GOPB has proactively supported state agencies with their subrecipient monitoring responsibilities. On May 15, 2023, GOPB emailed the current version of its ARPA Reference Guide to all state agencies administering ARPA SLFRF funds. This guide provides a comprehensive overview of the necessary compliance documents, including the State Agency Checklist, guidelines for SLFRF administrative and indirect costs, Single Audit compliance standards, internal controls references, risk assessment protocols, and subrecipient monitoring checklists. Following this, GOPB hosted federal funds compliance training for agency financial management staff on May 31 and June 6, 2023, which covered key aspects of SLFRF oversight, such as the ARPA Reference Guide, Unique Entity ID (UEI) requirements, FINET ARPA coding, and compliance procedures. GOPB also reviewed ARPA SLFR frequently asked question 13.15 to document the requirements of 2 C.F.R. Part 200 that apply to non-revenue replacement projects and those that do not apply to revenue replacement projects. GOPB has also developed and implemented an APRA SLFRF Monitoring Plan to review agency compliance with policies, procedures, and subrecipient monitoring requirements.

2024-012. Inadequate SLFRF Subrecipient Monitoring (Finding Type: Significant Deficiency, Reportable Noncompliance) Federal Agency: Department of the Treasury Assistance Listing Number and Title: 21.027 Coronavirus State and Local Fiscal Recovery Funds Federal Award Number: N/A Questioned Costs: $0 Pass-through Entity: N/A Prior Year Single Audit Report Finding Number: 2023-017 The Governor’s Office of Planning and Budget (GOPB), the prime recipient for the State and Local Fiscal Recovery Funds (SLFRF), and state agencies, including the Department of Natural Resources (DNR), and the Department of Environmental Quality (DEQ) did not adequately fulfill their subrecipient monitoring responsibilities. Communication of Key Federal Grant Information, Risk Evaluation, and Compliance Monitoring DNR and DEQ did not have adequate written policies and procedures, properly communicate key federal grant information, or evaluate subrecipient-risk for noncompliance to guide the monitoring for eight of the 11 selected subrecipients (two at DEQ and six at DNR), as required by 2 CFR 200.332(a) and 2 CFR 200.332(b) and (d). Subrecipient Single Audit Report Reviews For three of the four subrecipients selected (one at DEQ and two at DNR), DNR and DEQ did not adequately review their subrecipients’ Single Audit reports and findings to assess whether the subrecipients spent the funds appropriately. The agencies also did not have adequate controls to ensure their subrecipients’ Single Audit reports were monitored according to federal requirements. Uniform Guidance (2 CFR 200.332(d)(2)) requires a review of subrecipient Single Audit reports when they become available, as well as a follow-up to address any findings related to the applicable program. The errors noted above were a result of the agencies not fully understanding the nature of the funds they received, the extent of compliance requirements, and the nature of the subaward agreement relationships. DNR and DEQ have taken steps to implement controls over these areas but did not have the new procedures in place as of year-end. Failure to establish internal controls, adequately communicate key federal program information to subrecipients, and perform risk evaluation and monitoring procedures may result in the subrecipient’s noncompliance with federal fund requirements and potential misuse of federal funds. Recommendations: We recommend that GOPB, DNR, and DEQ do the following: 1. Gain an understanding of the subrecipient requirements and establish internal controls to ensure compliance with these requirements; 2. Establish written policies and procedures to ensure compliance with subrecipient monitoring requirements; 3. Communicate all required federal award information to sub-recipients, 4. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward; and, 5. Monitor subrecipients according to their assessed risk and as required by 2 CFR 200.332. DNR’s Response: The Department of Natural Resources agrees with this finding. We were originally audited by the State Auditor's Office in the summer of 2023 regarding our compliance with overseeing ARPA funding. In March 2024 we received findings from that audit. In May 2024 we were notified of an SLFRF audit. All of the new audit samples selected in the SLFRF audit were from before we received the results of the initial ARPA audit in March 2024. We have made improvements to our SLFRF subrecipient monitoring since receiving the initial audit recommendations in March 2024. We intend to make additional improvements based on these subsequent audit recommendations and our own internal reviews. DEQ’s Response: DEQ agrees with the finding. DEQ does have procedures for sub-recipient monitoring, including risk assessments and review of Single Audit reports; however, with the ARPA funds in question, improvements can be made to ensure that sub-recipient monitoring is performed timely, documented, and complies with federal requirements. GOPB’s Response: GOPB, DEQ and DNR agree with the finding. GOPB has proactively supported state agencies with their subrecipient monitoring responsibilities. On May 15, 2023, GOPB emailed the current version of its ARPA Reference Guide to all state agencies administering ARPA SLFRF funds. This guide provides a comprehensive overview of the necessary compliance documents, including the State Agency Checklist, guidelines for SLFRF administrative and indirect costs, Single Audit compliance standards, internal controls references, risk assessment protocols, and subrecipient monitoring checklists. Following this, GOPB hosted federal funds compliance training for agency financial management staff on May 31 and June 6, 2023, which covered key aspects of SLFRF oversight, such as the ARPA Reference Guide, Unique Entity ID (UEI) requirements, FINET ARPA coding, and compliance procedures. GOPB also reviewed ARPA SLFR frequently asked question 13.15 to document the requirements of 2 C.F.R. Part 200 that apply to non-revenue replacement projects and those that do not apply to revenue replacement projects. GOPB has also developed and implemented an APRA SLFRF Monitoring Plan to review agency compliance with policies, procedures, and subrecipient monitoring requirements.

2024-012. Inadequate SLFRF Subrecipient Monitoring (Finding Type: Significant Deficiency, Reportable Noncompliance) Federal Agency: Department of the Treasury Assistance Listing Number and Title: 21.027 Coronavirus State and Local Fiscal Recovery Funds Federal Award Number: N/A Questioned Costs: $0 Pass-through Entity: N/A Prior Year Single Audit Report Finding Number: 2023-017 The Governor’s Office of Planning and Budget (GOPB), the prime recipient for the State and Local Fiscal Recovery Funds (SLFRF), and state agencies, including the Department of Natural Resources (DNR), and the Department of Environmental Quality (DEQ) did not adequately fulfill their subrecipient monitoring responsibilities. Communication of Key Federal Grant Information, Risk Evaluation, and Compliance Monitoring DNR and DEQ did not have adequate written policies and procedures, properly communicate key federal grant information, or evaluate subrecipient-risk for noncompliance to guide the monitoring for eight of the 11 selected subrecipients (two at DEQ and six at DNR), as required by 2 CFR 200.332(a) and 2 CFR 200.332(b) and (d). Subrecipient Single Audit Report Reviews For three of the four subrecipients selected (one at DEQ and two at DNR), DNR and DEQ did not adequately review their subrecipients’ Single Audit reports and findings to assess whether the subrecipients spent the funds appropriately. The agencies also did not have adequate controls to ensure their subrecipients’ Single Audit reports were monitored according to federal requirements. Uniform Guidance (2 CFR 200.332(d)(2)) requires a review of subrecipient Single Audit reports when they become available, as well as a follow-up to address any findings related to the applicable program. The errors noted above were a result of the agencies not fully understanding the nature of the funds they received, the extent of compliance requirements, and the nature of the subaward agreement relationships. DNR and DEQ have taken steps to implement controls over these areas but did not have the new procedures in place as of year-end. Failure to establish internal controls, adequately communicate key federal program information to subrecipients, and perform risk evaluation and monitoring procedures may result in the subrecipient’s noncompliance with federal fund requirements and potential misuse of federal funds. Recommendations: We recommend that GOPB, DNR, and DEQ do the following: 1. Gain an understanding of the subrecipient requirements and establish internal controls to ensure compliance with these requirements; 2. Establish written policies and procedures to ensure compliance with subrecipient monitoring requirements; 3. Communicate all required federal award information to sub-recipients, 4. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward; and, 5. Monitor subrecipients according to their assessed risk and as required by 2 CFR 200.332. DNR’s Response: The Department of Natural Resources agrees with this finding. We were originally audited by the State Auditor's Office in the summer of 2023 regarding our compliance with overseeing ARPA funding. In March 2024 we received findings from that audit. In May 2024 we were notified of an SLFRF audit. All of the new audit samples selected in the SLFRF audit were from before we received the results of the initial ARPA audit in March 2024. We have made improvements to our SLFRF subrecipient monitoring since receiving the initial audit recommendations in March 2024. We intend to make additional improvements based on these subsequent audit recommendations and our own internal reviews. DEQ’s Response: DEQ agrees with the finding. DEQ does have procedures for sub-recipient monitoring, including risk assessments and review of Single Audit reports; however, with the ARPA funds in question, improvements can be made to ensure that sub-recipient monitoring is performed timely, documented, and complies with federal requirements. GOPB’s Response: GOPB, DEQ and DNR agree with the finding. GOPB has proactively supported state agencies with their subrecipient monitoring responsibilities. On May 15, 2023, GOPB emailed the current version of its ARPA Reference Guide to all state agencies administering ARPA SLFRF funds. This guide provides a comprehensive overview of the necessary compliance documents, including the State Agency Checklist, guidelines for SLFRF administrative and indirect costs, Single Audit compliance standards, internal controls references, risk assessment protocols, and subrecipient monitoring checklists. Following this, GOPB hosted federal funds compliance training for agency financial management staff on May 31 and June 6, 2023, which covered key aspects of SLFRF oversight, such as the ARPA Reference Guide, Unique Entity ID (UEI) requirements, FINET ARPA coding, and compliance procedures. GOPB also reviewed ARPA SLFR frequently asked question 13.15 to document the requirements of 2 C.F.R. Part 200 that apply to non-revenue replacement projects and those that do not apply to revenue replacement projects. GOPB has also developed and implemented an APRA SLFRF Monitoring Plan to review agency compliance with policies, procedures, and subrecipient monitoring requirements.

2024-012. Inadequate SLFRF Subrecipient Monitoring (Finding Type: Significant Deficiency, Reportable Noncompliance) Federal Agency: Department of the Treasury Assistance Listing Number and Title: 21.027 Coronavirus State and Local Fiscal Recovery Funds Federal Award Number: N/A Questioned Costs: $0 Pass-through Entity: N/A Prior Year Single Audit Report Finding Number: 2023-017 The Governor’s Office of Planning and Budget (GOPB), the prime recipient for the State and Local Fiscal Recovery Funds (SLFRF), and state agencies, including the Department of Natural Resources (DNR), and the Department of Environmental Quality (DEQ) did not adequately fulfill their subrecipient monitoring responsibilities. Communication of Key Federal Grant Information, Risk Evaluation, and Compliance Monitoring DNR and DEQ did not have adequate written policies and procedures, properly communicate key federal grant information, or evaluate subrecipient-risk for noncompliance to guide the monitoring for eight of the 11 selected subrecipients (two at DEQ and six at DNR), as required by 2 CFR 200.332(a) and 2 CFR 200.332(b) and (d). Subrecipient Single Audit Report Reviews For three of the four subrecipients selected (one at DEQ and two at DNR), DNR and DEQ did not adequately review their subrecipients’ Single Audit reports and findings to assess whether the subrecipients spent the funds appropriately. The agencies also did not have adequate controls to ensure their subrecipients’ Single Audit reports were monitored according to federal requirements. Uniform Guidance (2 CFR 200.332(d)(2)) requires a review of subrecipient Single Audit reports when they become available, as well as a follow-up to address any findings related to the applicable program. The errors noted above were a result of the agencies not fully understanding the nature of the funds they received, the extent of compliance requirements, and the nature of the subaward agreement relationships. DNR and DEQ have taken steps to implement controls over these areas but did not have the new procedures in place as of year-end. Failure to establish internal controls, adequately communicate key federal program information to subrecipients, and perform risk evaluation and monitoring procedures may result in the subrecipient’s noncompliance with federal fund requirements and potential misuse of federal funds. Recommendations: We recommend that GOPB, DNR, and DEQ do the following: 1. Gain an understanding of the subrecipient requirements and establish internal controls to ensure compliance with these requirements; 2. Establish written policies and procedures to ensure compliance with subrecipient monitoring requirements; 3. Communicate all required federal award information to sub-recipients, 4. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward; and, 5. Monitor subrecipients according to their assessed risk and as required by 2 CFR 200.332. DNR’s Response: The Department of Natural Resources agrees with this finding. We were originally audited by the State Auditor's Office in the summer of 2023 regarding our compliance with overseeing ARPA funding. In March 2024 we received findings from that audit. In May 2024 we were notified of an SLFRF audit. All of the new audit samples selected in the SLFRF audit were from before we received the results of the initial ARPA audit in March 2024. We have made improvements to our SLFRF subrecipient monitoring since receiving the initial audit recommendations in March 2024. We intend to make additional improvements based on these subsequent audit recommendations and our own internal reviews. DEQ’s Response: DEQ agrees with the finding. DEQ does have procedures for sub-recipient monitoring, including risk assessments and review of Single Audit reports; however, with the ARPA funds in question, improvements can be made to ensure that sub-recipient monitoring is performed timely, documented, and complies with federal requirements. GOPB’s Response: GOPB, DEQ and DNR agree with the finding. GOPB has proactively supported state agencies with their subrecipient monitoring responsibilities. On May 15, 2023, GOPB emailed the current version of its ARPA Reference Guide to all state agencies administering ARPA SLFRF funds. This guide provides a comprehensive overview of the necessary compliance documents, including the State Agency Checklist, guidelines for SLFRF administrative and indirect costs, Single Audit compliance standards, internal controls references, risk assessment protocols, and subrecipient monitoring checklists. Following this, GOPB hosted federal funds compliance training for agency financial management staff on May 31 and June 6, 2023, which covered key aspects of SLFRF oversight, such as the ARPA Reference Guide, Unique Entity ID (UEI) requirements, FINET ARPA coding, and compliance procedures. GOPB also reviewed ARPA SLFR frequently asked question 13.15 to document the requirements of 2 C.F.R. Part 200 that apply to non-revenue replacement projects and those that do not apply to revenue replacement projects. GOPB has also developed and implemented an APRA SLFRF Monitoring Plan to review agency compliance with policies, procedures, and subrecipient monitoring requirements.

2024-012. Inadequate SLFRF Subrecipient Monitoring (Finding Type: Significant Deficiency, Reportable Noncompliance) Federal Agency: Department of the Treasury Assistance Listing Number and Title: 21.027 Coronavirus State and Local Fiscal Recovery Funds Federal Award Number: N/A Questioned Costs: $0 Pass-through Entity: N/A Prior Year Single Audit Report Finding Number: 2023-017 The Governor’s Office of Planning and Budget (GOPB), the prime recipient for the State and Local Fiscal Recovery Funds (SLFRF), and state agencies, including the Department of Natural Resources (DNR), and the Department of Environmental Quality (DEQ) did not adequately fulfill their subrecipient monitoring responsibilities. Communication of Key Federal Grant Information, Risk Evaluation, and Compliance Monitoring DNR and DEQ did not have adequate written policies and procedures, properly communicate key federal grant information, or evaluate subrecipient-risk for noncompliance to guide the monitoring for eight of the 11 selected subrecipients (two at DEQ and six at DNR), as required by 2 CFR 200.332(a) and 2 CFR 200.332(b) and (d). Subrecipient Single Audit Report Reviews For three of the four subrecipients selected (one at DEQ and two at DNR), DNR and DEQ did not adequately review their subrecipients’ Single Audit reports and findings to assess whether the subrecipients spent the funds appropriately. The agencies also did not have adequate controls to ensure their subrecipients’ Single Audit reports were monitored according to federal requirements. Uniform Guidance (2 CFR 200.332(d)(2)) requires a review of subrecipient Single Audit reports when they become available, as well as a follow-up to address any findings related to the applicable program. The errors noted above were a result of the agencies not fully understanding the nature of the funds they received, the extent of compliance requirements, and the nature of the subaward agreement relationships. DNR and DEQ have taken steps to implement controls over these areas but did not have the new procedures in place as of year-end. Failure to establish internal controls, adequately communicate key federal program information to subrecipients, and perform risk evaluation and monitoring procedures may result in the subrecipient’s noncompliance with federal fund requirements and potential misuse of federal funds. Recommendations: We recommend that GOPB, DNR, and DEQ do the following: 1. Gain an understanding of the subrecipient requirements and establish internal controls to ensure compliance with these requirements; 2. Establish written policies and procedures to ensure compliance with subrecipient monitoring requirements; 3. Communicate all required federal award information to sub-recipients, 4. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward; and, 5. Monitor subrecipients according to their assessed risk and as required by 2 CFR 200.332. DNR’s Response: The Department of Natural Resources agrees with this finding. We were originally audited by the State Auditor's Office in the summer of 2023 regarding our compliance with overseeing ARPA funding. In March 2024 we received findings from that audit. In May 2024 we were notified of an SLFRF audit. All of the new audit samples selected in the SLFRF audit were from before we received the results of the initial ARPA audit in March 2024. We have made improvements to our SLFRF subrecipient monitoring since receiving the initial audit recommendations in March 2024. We intend to make additional improvements based on these subsequent audit recommendations and our own internal reviews. DEQ’s Response: DEQ agrees with the finding. DEQ does have procedures for sub-recipient monitoring, including risk assessments and review of Single Audit reports; however, with the ARPA funds in question, improvements can be made to ensure that sub-recipient monitoring is performed timely, documented, and complies with federal requirements. GOPB’s Response: GOPB, DEQ and DNR agree with the finding. GOPB has proactively supported state agencies with their subrecipient monitoring responsibilities. On May 15, 2023, GOPB emailed the current version of its ARPA Reference Guide to all state agencies administering ARPA SLFRF funds. This guide provides a comprehensive overview of the necessary compliance documents, including the State Agency Checklist, guidelines for SLFRF administrative and indirect costs, Single Audit compliance standards, internal controls references, risk assessment protocols, and subrecipient monitoring checklists. Following this, GOPB hosted federal funds compliance training for agency financial management staff on May 31 and June 6, 2023, which covered key aspects of SLFRF oversight, such as the ARPA Reference Guide, Unique Entity ID (UEI) requirements, FINET ARPA coding, and compliance procedures. GOPB also reviewed ARPA SLFR frequently asked question 13.15 to document the requirements of 2 C.F.R. Part 200 that apply to non-revenue replacement projects and those that do not apply to revenue replacement projects. GOPB has also developed and implemented an APRA SLFRF Monitoring Plan to review agency compliance with policies, procedures, and subrecipient monitoring requirements.

2024-012. Inadequate SLFRF Subrecipient Monitoring (Finding Type: Significant Deficiency, Reportable Noncompliance) Federal Agency: Department of the Treasury Assistance Listing Number and Title: 21.027 Coronavirus State and Local Fiscal Recovery Funds Federal Award Number: N/A Questioned Costs: $0 Pass-through Entity: N/A Prior Year Single Audit Report Finding Number: 2023-017 The Governor’s Office of Planning and Budget (GOPB), the prime recipient for the State and Local Fiscal Recovery Funds (SLFRF), and state agencies, including the Department of Natural Resources (DNR), and the Department of Environmental Quality (DEQ) did not adequately fulfill their subrecipient monitoring responsibilities. Communication of Key Federal Grant Information, Risk Evaluation, and Compliance Monitoring DNR and DEQ did not have adequate written policies and procedures, properly communicate key federal grant information, or evaluate subrecipient-risk for noncompliance to guide the monitoring for eight of the 11 selected subrecipients (two at DEQ and six at DNR), as required by 2 CFR 200.332(a) and 2 CFR 200.332(b) and (d). Subrecipient Single Audit Report Reviews For three of the four subrecipients selected (one at DEQ and two at DNR), DNR and DEQ did not adequately review their subrecipients’ Single Audit reports and findings to assess whether the subrecipients spent the funds appropriately. The agencies also did not have adequate controls to ensure their subrecipients’ Single Audit reports were monitored according to federal requirements. Uniform Guidance (2 CFR 200.332(d)(2)) requires a review of subrecipient Single Audit reports when they become available, as well as a follow-up to address any findings related to the applicable program. The errors noted above were a result of the agencies not fully understanding the nature of the funds they received, the extent of compliance requirements, and the nature of the subaward agreement relationships. DNR and DEQ have taken steps to implement controls over these areas but did not have the new procedures in place as of year-end. Failure to establish internal controls, adequately communicate key federal program information to subrecipients, and perform risk evaluation and monitoring procedures may result in the subrecipient’s noncompliance with federal fund requirements and potential misuse of federal funds. Recommendations: We recommend that GOPB, DNR, and DEQ do the following: 1. Gain an understanding of the subrecipient requirements and establish internal controls to ensure compliance with these requirements; 2. Establish written policies and procedures to ensure compliance with subrecipient monitoring requirements; 3. Communicate all required federal award information to sub-recipients, 4. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward; and, 5. Monitor subrecipients according to their assessed risk and as required by 2 CFR 200.332. DNR’s Response: The Department of Natural Resources agrees with this finding. We were originally audited by the State Auditor's Office in the summer of 2023 regarding our compliance with overseeing ARPA funding. In March 2024 we received findings from that audit. In May 2024 we were notified of an SLFRF audit. All of the new audit samples selected in the SLFRF audit were from before we received the results of the initial ARPA audit in March 2024. We have made improvements to our SLFRF subrecipient monitoring since receiving the initial audit recommendations in March 2024. We intend to make additional improvements based on these subsequent audit recommendations and our own internal reviews. DEQ’s Response: DEQ agrees with the finding. DEQ does have procedures for sub-recipient monitoring, including risk assessments and review of Single Audit reports; however, with the ARPA funds in question, improvements can be made to ensure that sub-recipient monitoring is performed timely, documented, and complies with federal requirements. GOPB’s Response: GOPB, DEQ and DNR agree with the finding. GOPB has proactively supported state agencies with their subrecipient monitoring responsibilities. On May 15, 2023, GOPB emailed the current version of its ARPA Reference Guide to all state agencies administering ARPA SLFRF funds. This guide provides a comprehensive overview of the necessary compliance documents, including the State Agency Checklist, guidelines for SLFRF administrative and indirect costs, Single Audit compliance standards, internal controls references, risk assessment protocols, and subrecipient monitoring checklists. Following this, GOPB hosted federal funds compliance training for agency financial management staff on May 31 and June 6, 2023, which covered key aspects of SLFRF oversight, such as the ARPA Reference Guide, Unique Entity ID (UEI) requirements, FINET ARPA coding, and compliance procedures. GOPB also reviewed ARPA SLFR frequently asked question 13.15 to document the requirements of 2 C.F.R. Part 200 that apply to non-revenue replacement projects and those that do not apply to revenue replacement projects. GOPB has also developed and implemented an APRA SLFRF Monitoring Plan to review agency compliance with policies, procedures, and subrecipient monitoring requirements.

2024-012. Inadequate SLFRF Subrecipient Monitoring (Finding Type: Significant Deficiency, Reportable Noncompliance) Federal Agency: Department of the Treasury Assistance Listing Number and Title: 21.027 Coronavirus State and Local Fiscal Recovery Funds Federal Award Number: N/A Questioned Costs: $0 Pass-through Entity: N/A Prior Year Single Audit Report Finding Number: 2023-017 The Governor’s Office of Planning and Budget (GOPB), the prime recipient for the State and Local Fiscal Recovery Funds (SLFRF), and state agencies, including the Department of Natural Resources (DNR), and the Department of Environmental Quality (DEQ) did not adequately fulfill their subrecipient monitoring responsibilities. Communication of Key Federal Grant Information, Risk Evaluation, and Compliance Monitoring DNR and DEQ did not have adequate written policies and procedures, properly communicate key federal grant information, or evaluate subrecipient-risk for noncompliance to guide the monitoring for eight of the 11 selected subrecipients (two at DEQ and six at DNR), as required by 2 CFR 200.332(a) and 2 CFR 200.332(b) and (d). Subrecipient Single Audit Report Reviews For three of the four subrecipients selected (one at DEQ and two at DNR), DNR and DEQ did not adequately review their subrecipients’ Single Audit reports and findings to assess whether the subrecipients spent the funds appropriately. The agencies also did not have adequate controls to ensure their subrecipients’ Single Audit reports were monitored according to federal requirements. Uniform Guidance (2 CFR 200.332(d)(2)) requires a review of subrecipient Single Audit reports when they become available, as well as a follow-up to address any findings related to the applicable program. The errors noted above were a result of the agencies not fully understanding the nature of the funds they received, the extent of compliance requirements, and the nature of the subaward agreement relationships. DNR and DEQ have taken steps to implement controls over these areas but did not have the new procedures in place as of year-end. Failure to establish internal controls, adequately communicate key federal program information to subrecipients, and perform risk evaluation and monitoring procedures may result in the subrecipient’s noncompliance with federal fund requirements and potential misuse of federal funds. Recommendations: We recommend that GOPB, DNR, and DEQ do the following: 1. Gain an understanding of the subrecipient requirements and establish internal controls to ensure compliance with these requirements; 2. Establish written policies and procedures to ensure compliance with subrecipient monitoring requirements; 3. Communicate all required federal award information to sub-recipients, 4. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward; and, 5. Monitor subrecipients according to their assessed risk and as required by 2 CFR 200.332. DNR’s Response: The Department of Natural Resources agrees with this finding. We were originally audited by the State Auditor's Office in the summer of 2023 regarding our compliance with overseeing ARPA funding. In March 2024 we received findings from that audit. In May 2024 we were notified of an SLFRF audit. All of the new audit samples selected in the SLFRF audit were from before we received the results of the initial ARPA audit in March 2024. We have made improvements to our SLFRF subrecipient monitoring since receiving the initial audit recommendations in March 2024. We intend to make additional improvements based on these subsequent audit recommendations and our own internal reviews. DEQ’s Response: DEQ agrees with the finding. DEQ does have procedures for sub-recipient monitoring, including risk assessments and review of Single Audit reports; however, with the ARPA funds in question, improvements can be made to ensure that sub-recipient monitoring is performed timely, documented, and complies with federal requirements. GOPB’s Response: GOPB, DEQ and DNR agree with the finding. GOPB has proactively supported state agencies with their subrecipient monitoring responsibilities. On May 15, 2023, GOPB emailed the current version of its ARPA Reference Guide to all state agencies administering ARPA SLFRF funds. This guide provides a comprehensive overview of the necessary compliance documents, including the State Agency Checklist, guidelines for SLFRF administrative and indirect costs, Single Audit compliance standards, internal controls references, risk assessment protocols, and subrecipient monitoring checklists. Following this, GOPB hosted federal funds compliance training for agency financial management staff on May 31 and June 6, 2023, which covered key aspects of SLFRF oversight, such as the ARPA Reference Guide, Unique Entity ID (UEI) requirements, FINET ARPA coding, and compliance procedures. GOPB also reviewed ARPA SLFR frequently asked question 13.15 to document the requirements of 2 C.F.R. Part 200 that apply to non-revenue replacement projects and those that do not apply to revenue replacement projects. GOPB has also developed and implemented an APRA SLFRF Monitoring Plan to review agency compliance with policies, procedures, and subrecipient monitoring requirements.

2024-012. Inadequate SLFRF Subrecipient Monitoring (Finding Type: Significant Deficiency, Reportable Noncompliance) Federal Agency: Department of the Treasury Assistance Listing Number and Title: 21.027 Coronavirus State and Local Fiscal Recovery Funds Federal Award Number: N/A Questioned Costs: $0 Pass-through Entity: N/A Prior Year Single Audit Report Finding Number: 2023-017 The Governor’s Office of Planning and Budget (GOPB), the prime recipient for the State and Local Fiscal Recovery Funds (SLFRF), and state agencies, including the Department of Natural Resources (DNR), and the Department of Environmental Quality (DEQ) did not adequately fulfill their subrecipient monitoring responsibilities. Communication of Key Federal Grant Information, Risk Evaluation, and Compliance Monitoring DNR and DEQ did not have adequate written policies and procedures, properly communicate key federal grant information, or evaluate subrecipient-risk for noncompliance to guide the monitoring for eight of the 11 selected subrecipients (two at DEQ and six at DNR), as required by 2 CFR 200.332(a) and 2 CFR 200.332(b) and (d). Subrecipient Single Audit Report Reviews For three of the four subrecipients selected (one at DEQ and two at DNR), DNR and DEQ did not adequately review their subrecipients’ Single Audit reports and findings to assess whether the subrecipients spent the funds appropriately. The agencies also did not have adequate controls to ensure their subrecipients’ Single Audit reports were monitored according to federal requirements. Uniform Guidance (2 CFR 200.332(d)(2)) requires a review of subrecipient Single Audit reports when they become available, as well as a follow-up to address any findings related to the applicable program. The errors noted above were a result of the agencies not fully understanding the nature of the funds they received, the extent of compliance requirements, and the nature of the subaward agreement relationships. DNR and DEQ have taken steps to implement controls over these areas but did not have the new procedures in place as of year-end. Failure to establish internal controls, adequately communicate key federal program information to subrecipients, and perform risk evaluation and monitoring procedures may result in the subrecipient’s noncompliance with federal fund requirements and potential misuse of federal funds. Recommendations: We recommend that GOPB, DNR, and DEQ do the following: 1. Gain an understanding of the subrecipient requirements and establish internal controls to ensure compliance with these requirements; 2. Establish written policies and procedures to ensure compliance with subrecipient monitoring requirements; 3. Communicate all required federal award information to sub-recipients, 4. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward; and, 5. Monitor subrecipients according to their assessed risk and as required by 2 CFR 200.332. DNR’s Response: The Department of Natural Resources agrees with this finding. We were originally audited by the State Auditor's Office in the summer of 2023 regarding our compliance with overseeing ARPA funding. In March 2024 we received findings from that audit. In May 2024 we were notified of an SLFRF audit. All of the new audit samples selected in the SLFRF audit were from before we received the results of the initial ARPA audit in March 2024. We have made improvements to our SLFRF subrecipient monitoring since receiving the initial audit recommendations in March 2024. We intend to make additional improvements based on these subsequent audit recommendations and our own internal reviews. DEQ’s Response: DEQ agrees with the finding. DEQ does have procedures for sub-recipient monitoring, including risk assessments and review of Single Audit reports; however, with the ARPA funds in question, improvements can be made to ensure that sub-recipient monitoring is performed timely, documented, and complies with federal requirements. GOPB’s Response: GOPB, DEQ and DNR agree with the finding. GOPB has proactively supported state agencies with their subrecipient monitoring responsibilities. On May 15, 2023, GOPB emailed the current version of its ARPA Reference Guide to all state agencies administering ARPA SLFRF funds. This guide provides a comprehensive overview of the necessary compliance documents, including the State Agency Checklist, guidelines for SLFRF administrative and indirect costs, Single Audit compliance standards, internal controls references, risk assessment protocols, and subrecipient monitoring checklists. Following this, GOPB hosted federal funds compliance training for agency financial management staff on May 31 and June 6, 2023, which covered key aspects of SLFRF oversight, such as the ARPA Reference Guide, Unique Entity ID (UEI) requirements, FINET ARPA coding, and compliance procedures. GOPB also reviewed ARPA SLFR frequently asked question 13.15 to document the requirements of 2 C.F.R. Part 200 that apply to non-revenue replacement projects and those that do not apply to revenue replacement projects. GOPB has also developed and implemented an APRA SLFRF Monitoring Plan to review agency compliance with policies, procedures, and subrecipient monitoring requirements.