Findings Citing § 200.334

FINDING 2025-001 DOCUMENT RETENTION SIGNIFICANT DEFICIENCY Federal Program: Title I, Part A Assistance Listing Number: 84.010A Criteria Per 7 CFR 200.334, “Financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.” Condition As part of its process to determine allocations of Title I program funds, the State of Indiana uses poverty level data submitted by the schools. The report used to determine Title I funding for the 2025 fiscal year was obtained from the School. A sample of 40 students were selected from the report for testing. Of those selected, the School was unable to provide the records that were used to determine the poverty level of 7 students. Cause The School did not have procedures in place to ensure it maintained this documentation for all reported students. Effect Determination of whether reporting was correct for these students could not be made. Recommendation We recommend the School develop internal controls requiring the maintenance of documentation for poverty level determination records. Views of Responsible Officials The School’s Corrective Action Plan is included on page 22.

FINDING 2024-002 Subject: Economic Development Cluster - Reporting Federal Agency: Department of Commerce Federal Program: Economic Adjustment Assistance Assistance Listings Number: 11.307 Federal Award Number and Year (or Other Identifying Number): 06-79-06420 Compliance Requirement: Reporting Audit Findings: Material Weakness, Other Matters Condition and Context An effective system of internal controls was not in place at the City in order to ensure compliance with the grant agreement and the reporting compliance requirement. The grant agreement for the City's construction project states that the City is to submit a Federal Financial Report (SF-425) on a semi-annual basis. The SF-425 report includes, among other line items: cash receipts, cash disbursements, cash on hand, total federal funds authorized, and total recipient share required. Both of the submitted SF-425 reports were tested. Additionally, the City was required to submit progress reports on a quarterly basis. Two of the quarterly reports were selected for testing. Both the SF-425 reports and the quarterly progress reports were prepared and submitted by one employee of the City. Evidence of an established internal control over the reports tested was not available for audit. The data submitted in the SF-425 report submitted by the City for the reporting period ending on September 30, 2024, contained the following errors:  Cash receipts were understated by $1,037,155. INDIANA STATE BOARD OF ACCOUNTS 19 CITY OF KOKOMO SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued)  Cash disbursements were understated by $1,037,155. The lack of internal controls and noncompliance was isolated to the award 06-79-06420, EDA-Davis Road construction project. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.302(b) states in part: "The financial management system of each non-Federal entity must provide for the following (see §§ 200.334, 200.335, 200.336, and 200.337): (1) Identification, in its accounts, of all Federal awards received and expended and the Federal programs under which they were received. Federal program and Federal award identification must include, as applicable, the Assistance Listings title and number, Federal award identification number and year, name of the Federal agency, and name of the pass-through entity, if any. (2) Accurate, current, and complete disclosure of the financial results of each Federal award or program in accordance with the reporting requirements set forth in §§ 200.328 and 200.329. If a Federal awarding agency requires reporting on an accrual basis from a recipient that maintains its records on other than an accrual basis, the recipient must not be required to establish an accrual accounting system. This recipient may develop accrual data for its reports on the basis of an analysis of the documentation on hand. . . . (3) Records that identify adequately the source and application of funds for federallyfunded activities. These records must contain information pertaining to Federal awards, authorizations, financial obligations, unobligated balances, assets, expenditures, income and interest and be supported by source documentation. . . ." Cause Embedded within a properly designed and implemented internal control system should be internal controls consisting of policies and procedures. Policies reflect the City's management statements of what should be done to effect internal controls, and procedures should consist of actions that would implement these policies. The errors were due to federal reimbursements not being included as cash receipts and cash disbursements in the SF-425 reports. INDIANA STATE BOARD OF ACCOUNTS 20 CITY OF KOKOMO SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Effect Without the proper implementation of an effectively designed system of internal controls over reporting, the City could not ensure that the reports submitted were accurate. In addition, not meeting the Economic Development Cluster reporting requirements increases the likelihood that the public will not have access to transparent and accurate information regarding expenditures of federal awards. Noncompliance with the provisions of federal statutes, regulations, and the terms and conditions of the federal award could result in the loss of future federal funding to the City. Questioned Costs There were no questioned costs identified. Recommendation We recommended that management of the City design and implement a proper system of internal controls, including policies and procedures, to ensure that the City provides the Department of Commerce with complete and accurate information for the SF-425 and quarterly reports. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.

#2024-005 – Major Federal Award Finding – Reporting; Procurement and Suspension and Debarment Nature of Finding: Reporting and Procurement, Maintenance of Documentation/Records – Compliance Finding and Significant Deficiency in Internal Control over Compliance Criteria/Condition: Documentation was not maintained to support financial data provided in reports submitted to the funding source. Documentation was also not maintained to support certain procurement procedures. Per 2 CFR 200.334, financial records and supporting documentation must be maintained for three years from the date of the final financial report. Per 2 CFR 200.318(i), recipients must maintain records sufficient to detail the history of each procurement transaction, including (among other items) rationale for contractor selection or rejection. Cause/Context: The following activities did not have supporting documentation: • Expenditure balances reported to the State of Michigan in quarterly reports were not amended or reconciled to the final accounting records for each reporting period. The accounting periods were impacted by various transactions between the dates of the grant expenditure reports and the close of the respective period financial statement. • Performance of contractor/vendor suspension and debarment search on SAM.gov. Effect: Evidence to support a reconciliation between reports submitted to a funding source and the general ledger is not readily available. Evidence to support that the appropriate contractor/vendor vetting process was conducted is not available. Recommendation: The Organization should produce and maintain supporting documentation for all reports submitted to funding sources, including information to reconcile reports to the final financial statements for the respective period and resolution of any reporting differences with the funding agency. We also recommend that the Organization maintain all documentation to support the decision process associated with procurement. Views of Responsible Officials and Planned Corrective Actions: All procurement following the adoption of the procurement policy have been done in alignment with the policy. We also introduced procurement “kickoff meetings’ for new grants to review each budget line, determine the correct procurement method and plan documentation. All vendors now have debarment searches in their QuickBooks vendor information tab.

Support for Employee Reimbursement Transactions – Allowable Costs Criteria: 2 CFR Part 200.403(g) requires that costs should be adequately documented to support the nature and amount of a transaction for such charges to be allowable under federal awards. In addition, 2 CFR Part 200.334 requires recipients to maintain financial records sufficient to show compliance with federal statues, regulations, and terms and conditions of the award. Condition: During our audit we identified certain transactions without adequate documentation. Context: A review of 23 disbursements totaling $90,636 noted 2 requests for mileage reimbursement that were not supported. Cause: Supporting calculations and documents were not obtained from employees requesting mileage reimbursements. Effect: Costs could be deemed unallowable by the awarding agency if not properly substantiated. Questioned Costs: $141 of known costs charged to federal awards without adequate documentation. The estimation of possible additional questioned costs is $1,302. Recommendation: We recommend the Organization reiterate its policy to employees to provide supporting calculations and documents when requesting reimbursement for business expenses prior to making payment. View of Responsible Officials and Planned Corrective Action: We are in agreement with the finding and will reinforce our policies on reimbursements.

Finding number:2024-004 AL number:10.561 and 21.027 AL title:Supplemental Nutrition Assistance Program and Coronavirus State and Local Fiscal Recovery Funds Name of federal agency:U.S. Department of Agriculture and U.S. Department of Treasury Repeat Finding: No Criteria:The Code of Federal Regulations 2 CFR 200.344 states, "the recipient and subrecipient must retain all Federal award records for three years from the date of submission of their final financial report. For awards that are renewed quarterly or annually, the recipient and subrecipient must retain records for three years from the date of submission of their quarterly or annual financial report, respectively. Records to be retained include but are not limited to, financial records, supporting documentation, and statistical records. Condition:During audit testing, it was noted that the Organization had charged expenditures to a federal grant without obtaining or retaining the appropriate underlying support for the transactions. The absence of this documentation represents a failure to meet the record retention and documentation standards required under federal regulations. This gap in documentation undermines the audit trail and raises concerns about the eligibility and allowability of the expenditures. Cause:The deficiency was attributed to ineffective internal controls over the documentation and review process for grant-related disbursements. Specifically, the Organization's formalized procedure was not effectively operating to ensure all expenditures submitted for reimbursement were supported by current and complete documentation. This control lapse allowed unsupported expenditures to be processed without adequate scrutiny. Effect or potential effect:Without proper documentation, the expenditures submitted for reimbursement may be deemed ineligible under federal cost principles. This could result in: - Disallowed costs during audit or federal review, - Reimbursement delays or denials, and - Potential reputational risk or future funding implications.Although no questioned costs were identified, the lack of documentation exposes the Organization to future audit findings and financial risk. Questioned Cost: None Recommendation:We recommend the Organization strengthen its internal controls by implementing a formal documentation review protocol for all expenditures submitted for federal reimbursement. This protocol should include: - Verification that current and complete supporting documentation (e.g., lease agreements, contracts, signed affidavits from participants, etc.) is retained and reviewed prior to submission. - Integration of this review into the monthly and year-end close processes to ensure compliance with 2 CPR§ 200.334 and§ 200.403. - Staff training on federal documentation standards and the importance of maintaining a robust audit trail.By ensuring that all expenses are properly supported, the Organization will enhance compliance, reduce audit risk, and uphold the integrity of its financial reporting. Views of responsible officials:Management agrees with the finding. Management has reinforced the effective execution of existing controls around proper documentation of all expenditures and record retention for these expenditures. Monthly and year-end procedures have been updated to ensure compliance with these procedures.

Finding 2024-002 Lack of Supporting Documentation for Disbursements (Including Credit Card Transactions) Condition: During our testing of disbursements, including credit card transactions, we identified several instances where supporting invoices or receipts were missing or incomplete. In these cases, the organization was unable to provide sufficient documentation to substantiate the nature, purpose, or business justification of the expenditures charged to federal programs. Criteria: The Uniform Guidance requires that costs charged to federal awards be necessary, reasonable, allocable, and adequately documented. Specifically, §200.403(g) states that a cost is allowable only if it is adequately documented, and §200.302(b)(3) requires recipients to maintain records that identify the source and application of funds for federally funded activities.Questioned Costs: The total questioned costs cannot be determined due to lack of adequate supporting documentation.Cause: This issue occurred due to inadequate internal controls over the documentation and retention of support for disbursements. Management has not fully implemented procedures to ensure all expenditures are properly supported before being approved or charged to a federal program.Effect: Without proper supporting documentation, there is an increased risk that unallowable or unsupported costs were charged to the federal award. This condition could result in repayment of disallowed costs, noncompliance with the Uniform Guidance, and potential impact on future federal funding.Recommendation: We recommend that management: 1. Implement a formal written policy requiring original invoices or receipts to be obtained and reviewed for every disbursement, including credit card purchases, prior to payment or cost allocation to a federal award. 2. Ensure that documentation is reviewed and approved by an individual independent of the preparer or cardholder. 3. Maintain supporting documentation in accordance with the record retention requirements of 2 CFR §200.334. 4. Provide staff training on the documentation requirements for allowable costs under the Uniform Guidance.Views of Responsible Officials: We concur with this finding. The organization acknowledges that complete documentation is essential to substantiate the nature, purpose, and justification of all expenditures, particularly those funded by federal awards.

Condition and Context: During our audit of the Public Safety Partnership and Community Policing Grant (CFDA 16.710), we were unable to obtain a copy of the required SF-425 (Federal Financial Report) submitted by the County. Criteria: Per 2 CFR 200.334, Non-Federal entities other than States, including those operating Federal programs as subrecipients of States, must retain financial records, supporting documents, and reports pertinent to federal awards for a period of three years from the date of submission of the final expenditure report. In addition, 2 CFR 200.327 and 200.328 require recipients to submit required financial reports, including the SF-425, to demonstrate accountability for grant expenditures. Cause: The County does not have adequate recordkeeping procedures in place to ensure that copies of all submitted federal reports, including the SF-425, are retained and available for audit. Effect: The inability to provide the SF-425 limited our ability to verify compliance with federal reporting requirements. Lack of adequate documentation may result in questioned costs, affect the granting agency’s ability to monitor the use of federal funds, and may place the County at risk of administrative findings in future audits. Recommendation: We recommend that the County implement procedures to ensure that copies of all required federal reports are retained in accordance with federal record retention requirements and made available for audit purposes. Views of Responsible Officials and Planned Corrective Actions: Management agrees with the finding and will establish procedures to ensure that all required federal reports are retained and readily available for future monitoring and audits.

Cash Management Grantor: Department of Health and Human Services Pass Through Entity: Advanced Regenerative Manufacturing Institute, Inc. Award Name: Hospital Preparedness Program (HPP) Ebola Preparedness and Response Activities Award Number: IDSEP22005-003 Assistance Listing Number: 93.817 Award Year: June 1, 2023-September 30, 2023 Criteria In accordance with 2 CFR 200.305 (b)(3), reimbursement is the preferred method when the requirements in paragraph (b) cannot be met, when the Federal awarding agency sets a specific condition per 2 CFR 200.208, or when the non-Federal entity requests payment by reimbursement. In accordance with 2 CFR 200.334 (c) and (e), a subrecipient must liquidate all financial obligations incurred under a subaward no later than 90 calendar days after the conclusion of the period of performance of the subaward (or an earlier date as agreed upon by the pass-through entity and subrecipient). The subrecipient must promptly refund any unobligated funds that the pass-through entity paid and that are not authorized to be retained. Condition In testing the period of performance compliance requirement in accordance with the OMB Compliance Supplement, we requested support for the expenditures on the FY2024 Schedule of Federal Awards, as they were outside of the period of performance of the subaward, which ended September 30, 2023. The Company issued an invoice to Advanced Regenerative Manufacturing Institute, the Prime awardee, for $215,192 on September 14, 2023, but did not incur those expenses until after the period of performance of the subaward. Therefore, the Company requested and received the funds in advance of incurring the expenses. Further, the Company did not liquidate its obligations under the subaward within the required 90 calendar days after the conclusion of the performance of the subaward, as expenditures were recorded through August 2024. There were no terms in the award that allowed retention of unused funds. Cause The grant personnel were not aware of the invoicing requirements under the reimbursement method and invoiced the Prime awardee in advance of incurring the associated costs. Effect Federal funds were obtained in advance of incurring costs and outside of the period of performance of the subaward. Questioned Costs $215,192 Recommendation We recommend that the Company return the advance funds received to the Prime. Further, the Company should consider the need for clarifying and/or enhancing existing internal control procedures to ensure expenditures are paid in compliance with Federal reimbursement requirements and that requests for reimbursement are reviewed and validated against supporting documentation to identify any discrepancies prior to requesting reimbursement. Management’s Views and Corrective Action Plan Management’s Views and Corrective Action Plan are included at the end of this report after the summary schedule of prior audit findings and status.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

Missing Required Moving to Work (MTW) Demonstration Program Documentation (ALN 14.881) Condition: During our review of the Authority's administration of the MTW Program, the Authority was unable to provide a copy of its Annual Contributions Contract (ACC), which serves as the foundational agreement between the Authority and HUD for the receipt and use of federal funds. Criteria: Under 2 CFR §200.302 and §200.334, non-Federal entities must maintain effective control over and access to records that support compliance with federal program requirements. The MTW Operations Notice (85 FR 10232) and the Authority's MTW ACC Amendment require that the PHA maintain and certify compliance with its MTW Plan and statutory objectives. The ACC establishes the legal basis for receiving and administering MTW-related federal funds. Cause: The Authority did not have adequate internal procedures to ensure that foundational program documents were retained, tracked, and made available for audit and oversight purposes. Effect: The absence of the Annual Contributions Contract (ACC) impairs verification of the Authority's legal authority to receive and administer HUD funds under the MTW program and may result in HUD compliance findings, delayed approvals, or other administrative sanctions. Questioned Costs: None Recommendation: The Authority should obtain and retain a copy of its executed ACC for audit and HUD monitoring purposes and establish or strengthen internal controls to track and retain all required MTW program records and certifications in accordance with HUD guidance and federal record retention requirements. Reply and Corrective Action Plan: The Authority will locate and archive its Annual Contributions Contract (ACC) to ensure compliance with HUD documentation requirements.

Missing Required Moving to Work (MTW) Demonstration Program Documentation (ALN 14.881) Condition: During our review of the Authority's administration of the MTW Program, the Authority was unable to provide a copy of its Annual Contributions Contract (ACC), which serves as the foundational agreement between the Authority and HUD for the receipt and use of federal funds. Criteria: Under 2 CFR §200.302 and §200.334, non-Federal entities must maintain effective control over and access to records that support compliance with federal program requirements. The MTW Operations Notice (85 FR 10232) and the Authority's MTW ACC Amendment require that the PHA maintain and certify compliance with its MTW Plan and statutory objectives. The ACC establishes the legal basis for receiving and administering MTW-related federal funds. Cause: The Authority did not have adequate internal procedures to ensure that foundational program documents were retained, tracked, and made available for audit and oversight purposes. Effect: The absence of the Annual Contributions Contract (ACC) impairs verification of the Authority's legal authority to receive and administer HUD funds under the MTW program and may result in HUD compliance findings, delayed approvals, or other administrative sanctions. Questioned Costs: None Recommendation: The Authority should obtain and retain a copy of its executed ACC for audit and HUD monitoring purposes and establish or strengthen internal controls to track and retain all required MTW program records and certifications in accordance with HUD guidance and federal record retention requirements. Reply and Corrective Action Plan: To address missing foundational documentation, the Authority will locate and archive its Annual Contributions Contract (ACC), the required supplement to the annual MTW Plan, the HUD-issued approval letter for the supplement, and complete the MTW Certification of Compliance for the most recent fiscal year.

U.S. Department of Health and Human Services - 93.432 Center for Independent Living 2024-007 Missing Supporting Documentation for Federal Reimbursement Claims Criteria: Per 2 CFR §200.333 (now §200.334), financial records, supporting documents, statistical records, and all other records pertinent to a federal award must be retained for a period of three years from the date of submission of the final expenditure report. Furthermore, 2 CFR §200.302(b)(3) requires recipients to maintain records that adequately identify the source and application of funds for federally funded activities. Condition: During our audit of the Centers for Independent Living funded by the U.S. Department of Health and Human Services, we noted that the League did not retain adequate supporting documentation for reimbursement claims submitted during the year. Specifically, for October - December 2023 reimbursement claims tested, the actual claim forms submitted to the funding agency were missing. Cause: The missing documentation appears to have resulted from an inadequate document retention process and a lack of oversight in ensuring that federal claim records were properly filed and stored. Effect: The absence of supporting documentation for submitted claims limits the League’s ability to demonstrate compliance with federal requirements and increases the risk of questioned costs. It also impairs transparency and accountability for federal funds. Questioned Costs: $118,023 for October – December 2023 claims. Recommendation: We recommend the League strengthen its grant management procedures by implementing a centralized tracking system for grant expenditures and claims. Staff responsible for managing grants should receive training on claiming procedures and grant deadlines, and a periodic review of unclaimed eligible expenditures should be performed to ensure timely reimbursement. Views of Responsible Officials and Planned Corrective Actions: See corrective action plan on page 50.

Cash Management Grantor: Department of Health and Human Services Pass Through Entity: Advanced Regenerative Manufacturing Institute, Inc. Award Name: Hospital Preparedness Program (HPP) Ebola Preparedness and Response Activities Award Number: IDSEP22005-003 Assistance Listing Number: 93.817 Award Year: June 1, 2023-September 30, 2023 Criteria In accordance with 2 CFR 200.305 (b)(3), reimbursement is the preferred method when the requirements in paragraph (b) cannot be met, when the Federal awarding agency sets a specific condition per 2 CFR 200.208, or when the non-Federal entity requests payment by reimbursement. In accordance with 2 CFR 200.334 (c) and (e), a subrecipient must liquidate all financial obligations incurred under a subaward no later than 90 calendar days after the conclusion of the period of performance of the subaward (or an earlier date as agreed upon by the pass-through entity and subrecipient). The subrecipient must promptly refund any unobligated funds that the pass-through entity paid and that are not authorized to be retained. Condition In testing the period of performance compliance requirement in accordance with the OMB Compliance Supplement, we requested support for the expenditures on the FY2024 Schedule of Federal Awards, as they were outside of the period of performance of the subaward, which ended September 30, 2023. The Company issued an invoice to Advanced Regenerative Manufacturing Institute, the Prime awardee, for $215,192 on September 14, 2023, but did not incur those expenses until after the period of performance of the subaward. Therefore, the Company requested and received the funds in advance of incurring the expenses. Further, the Company did not liquidate its obligations under the subaward within the required 90 calendar days after the conclusion of the performance of the subaward, as expenditures were recorded through August 2024. There were no terms in the award that allowed retention of unused funds. Cause The grant personnel were not aware of the invoicing requirements under the reimbursement method and invoiced the Prime awardee in advance of incurring the associated costs. Effect Federal funds were obtained in advance of incurring costs and outside of the period of performance of the subaward. Questioned Costs $215,192 Recommendation We recommend that the Company return the advance funds received to the Prime. Further, the Company should consider the need for clarifying and/or enhancing existing internal control procedures to ensure expenditures are paid in compliance with Federal reimbursement requirements and that requests for reimbursement are reviewed and validated against supporting documentation to identify any discrepancies prior to requesting reimbursement. Management’s Views and Corrective Action Plan Management’s Views and Corrective Action Plan are included at the end of this report after the summary schedule of prior audit findings and status.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

FINDING 2024-002 Bridges Interface Controls See Schedule of Findings and Questioned Costs for chart/table. Background The Michigan Department of Health and Human Services (MDHHS) uses the Bridges Integrated Automated Eligibility Determination System* (Bridges) for determining eligibility and benefit amounts for food assistance, cash assistance, child care assistance, medical assistance, and emergency assistance programs. MDHHS and the Department of Technology, Management, and Budget (DTMB) are jointly responsible for maintenance and operation of Bridges. Condition DTMB did not always ensure its interface controls over the Bridges data exchanges were operating as prescribed. We noted DTMB did not ensure the file control and batch summary tables used to reconcile Bridges interfaces consistently represented control totals of information processed for 2 of the 8 interfaces sampled. For these 2 interfaces, we sampled 28 daily and monthly files and noted 7 (25%) files did not reconcile. Criteria Federal regulations 2 CFR 200.303 and 45 CFR 75.303 require the auditee to establish and maintain effective internal control over federal awards that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. According to State of Michigan Administrative Guide to State Government policy 1340.00, security controls must be implemented to protect State of Michigan information from modification to ensure confidentiality, integrity, and availability of State of Michigan information. In addition, the U.S. Government Accountability Office's (GAO's) Federal Information System Controls Audit Manual* (FISCAM) recommends interface controls be established and implemented to reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Also, effective interface reconciliation procedures should include the use of control totals, records, counts, and other logging techniques. Cause DTMB informed us because of a coding issue, record counts were either not logged or inappropriately duplicated and the exceptions were not caught during development. Effect DTMB's weakness in maintaining sufficient internal control over federal program compliance could result in noncompliance not being detected or corrected in a timely manner. Known Questioned Costs None. Recommendation We recommend DTMB ensure its interface controls over Bridges data exchanges are operating as prescribed. Management Views DTMB disagrees with the condition and the effect of the OAG's finding. The OAG sampled 85 total files across 8 interfaces. Of these, 7 appeared to present issues. For 5 of the sampled files, detailed exception results no longer existed. DTMB maintains summary tables for 10 years and purges detailed exception records at the beginning of each calendar year for anything older than 12 months. This purge process was communicated to the OAG during the fiscal year 2022 audit, and sampling was performed prior to purging for the fiscal year 2023 audit. When informed that the sample included files for which the detailed exception records had been purged, the OAG requested DTMB run a simulation processing of the original interface file in a testing environment to recreate detailed exception records. DTMB's technical teams informed the OAG that rerunning in the current test environment would likely differ from the original results due to code changes that occurred in the test environment subsequent to when the original interface files were run in production. The OAG requested DTMB to proceed with rerunning the files in the current test environment. As a result, the OAG identified 5 instances where the detailed exception records from the simulation in the test environment did not exactly match the summary table from the original production interface results. For the 2 remaining files out of 85 (2.4 percent) that were cited, it should be clarified that the reconciliation being discussed is not data that was lost or misplaced between systems, but reconciliation of 2 exceptions correctly logged and correctly not counted in a summary report because they were alerts during processing, not errors that would be forwarded for review. These results do not present a significant deficiency in the ability of MDHHS to review the detailed exceptions. Also, these 2 records are insignificant when compared to the 11.6 million records processed in the 85 sampled files (0.000001 percent). Therefore, the current controls are reasonable to ensure that data processed from the source system to the receiving system is processed accurately, completely, and timely. Auditor's Comments to Management Views* Contrary to DTMB's views, it would not be appropriate to combine the results of all the subsampled interface files to determine if the auditee appropriately reconciled the 8 sampled interfaces because the frequency of interfaces occurs at different intervals. Doing so would minimize the errors noted in less frequent interface intervals when compared with more frequent interface intervals. Also, the significance of an interface is not dependent on the frequency of the interface's interval but the purpose for the interface regardless of the frequency interval. Federal regulations 2 CFR 200.334 and 45 CFR 75.361 require the auditee to retain records pertinent to a federal award for a period of three years from the submission date of the respective financial report as reported to the awarding agency. The sampled interfaces included subsampled dates throughout the audit period which falls within the required three-year retention period. Therefore, DTMB should have maintained sufficient documentation or maintained it in a manner to allow for replication of the purged files to support controls operated effectively throughout the audit period. DTMB was not able to provide documentation to support the 2 files cited in its response were alerts and not reconciling errors. Also, DTMB did not provide documentation it timely reviewed the interface exceptions. In addition, we determined the errors occurred on multiple daily and monthly files. Contrary to DTMB's views, interface controls are established at a specific data file level and not based on the total number of records or errors identified over a series of data file transfers. Therefore, the percentage of records in error does not prove the interface controls reasonably ensure data transferred from a source system to a receiving system is processed accurately, completely, and timely. Therefore, the finding stands as written.

Missing Required Moving to Work (MTW) Demonstration Program Documentation (ALN 14.881) Condition: During our review of the Authority's administration of the MTW Program, the Authority was unable to provide a copy of its Annual Contributions Contract (ACC), which serves as the foundational agreement between the Authority and HUD for the receipt and use of federal funds. Criteria: Under 2 CFR §200.302 and §200.334, non-Federal entities must maintain effective control over and access to records that support compliance with federal program requirements. The MTW Operations Notice (85 FR 10232) and the Authority's MTW ACC Amendment require that the PHA maintain and certify compliance with its MTW Plan and statutory objectives. The ACC establishes the legal basis for receiving and administering MTW-related federal funds. Cause: The Authority did not have adequate internal procedures to ensure that foundational program documents were retained, tracked, and made available for audit and oversight purposes. Effect: The absence of the Annual Contributions Contract (ACC) impairs verification of the Authority's legal authority to receive and administer HUD funds under the MTW program and may result in HUD compliance findings, delayed approvals, or other administrative sanctions. Questioned Costs: None Recommendation: The Authority should obtain and retain a copy of its executed ACC for audit and HUD monitoring purposes and establish or strengthen internal controls to track and retain all required MTW program records and certifications in accordance with HUD guidance and federal record retention requirements. Reply and Corrective Action Plan: The Authority will locate and archive its Annual Contributions Contract (ACC) to ensure compliance with HUD documentation requirements.

Missing Required Moving to Work (MTW) Demonstration Program Documentation (ALN 14.881) Condition: During our review of the Authority's administration of the MTW Program, the Authority was unable to provide a copy of its Annual Contributions Contract (ACC), which serves as the foundational agreement between the Authority and HUD for the receipt and use of federal funds. Criteria: Under 2 CFR §200.302 and §200.334, non-Federal entities must maintain effective control over and access to records that support compliance with federal program requirements. The MTW Operations Notice (85 FR 10232) and the Authority's MTW ACC Amendment require that the PHA maintain and certify compliance with its MTW Plan and statutory objectives. The ACC establishes the legal basis for receiving and administering MTW-related federal funds. Cause: The Authority did not have adequate internal procedures to ensure that foundational program documents were retained, tracked, and made available for audit and oversight purposes. Effect: The absence of the Annual Contributions Contract (ACC) impairs verification of the Authority's legal authority to receive and administer HUD funds under the MTW program and may result in HUD compliance findings, delayed approvals, or other administrative sanctions. Questioned Costs: None Recommendation: The Authority should obtain and retain a copy of its executed ACC for audit and HUD monitoring purposes and establish or strengthen internal controls to track and retain all required MTW program records and certifications in accordance with HUD guidance and federal record retention requirements. Reply and Corrective Action Plan: To address missing foundational documentation, the Authority will locate and archive its Annual Contributions Contract (ACC), the required supplement to the annual MTW Plan, the HUD-issued approval letter for the supplement, and complete the MTW Certification of Compliance for the most recent fiscal year.

U.S. Department of Health and Human Services - 93.432 Center for Independent Living 2024-007 Missing Supporting Documentation for Federal Reimbursement Claims Criteria: Per 2 CFR §200.333 (now §200.334), financial records, supporting documents, statistical records, and all other records pertinent to a federal award must be retained for a period of three years from the date of submission of the final expenditure report. Furthermore, 2 CFR §200.302(b)(3) requires recipients to maintain records that adequately identify the source and application of funds for federally funded activities. Condition: During our audit of the Centers for Independent Living funded by the U.S. Department of Health and Human Services, we noted that the League did not retain adequate supporting documentation for reimbursement claims submitted during the year. Specifically, for October - December 2023 reimbursement claims tested, the actual claim forms submitted to the funding agency were missing. Cause: The missing documentation appears to have resulted from an inadequate document retention process and a lack of oversight in ensuring that federal claim records were properly filed and stored. Effect: The absence of supporting documentation for submitted claims limits the League’s ability to demonstrate compliance with federal requirements and increases the risk of questioned costs. It also impairs transparency and accountability for federal funds. Questioned Costs: $118,023 for October – December 2023 claims. Recommendation: We recommend the League strengthen its grant management procedures by implementing a centralized tracking system for grant expenditures and claims. Staff responsible for managing grants should receive training on claiming procedures and grant deadlines, and a periodic review of unclaimed eligible expenditures should be performed to ensure timely reimbursement. Views of Responsible Officials and Planned Corrective Actions: See corrective action plan on page 50.

U.S. Department of Health and Human Services Program Name: Maternal and Child Health Services Block Grant Federal Assistance Listing Number: 93.994 Significant Deficiency, Nonmaterial Noncompliance - Reporting Finding 2024-006 Criteria or Specific Requirement: Per Section 200.303 of the Uniform Grant Guidance, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Per 2 CFR 200.334 the recipient must retain all Federal award records for three years from the date of submission of their final financial report. Condition: During the audit we tested 13 reports and noted the following: a) There were four (4) instances out of 13 reports tested where the submitted reports were unable to be provided, including the date of submission for the reports. b) There were 10 instances out of 13 reports tested where the County was unable to provide evidence the report was reviewed prior to submission. Questioned Costs: None. Effect: By not having the required documentation and underlying support, the County is not able to demonstrate compliance with the applicable requirements. Cause: The County did not have a formal policy to ensure documentation was retained to evidence review and submission of all reports. Recommendation: The County should consider creating a formalized policy to require all submitted reports and underlying data are retained in accordance with the Uniform Grant Guidance requirements. Views of Responsible Officials: Management agrees with the finding and is implementing procedures to correct this which is further discussed in the Corrective Action Plan. Corrective Action Plan: See Corrective Action Plan prepared by the County.

Federal Agency: U.S. Department of Education Federal Program Name: Elementary and Secondary School Relief Fund Assistance Listing Number: 84.425D, 84.425U Federal Award Identification Number and Year: S425D210044 Federal Award Date 1/6/2021, S425U210044 Federal Award Date 12/6/2021 and 3/13/2020 Pass-Through Agency: Wisconsin Department of Public Instruction Pass-Through Number(s): 2022-714508-DPI-ESSERFII-163, 2022-714508-DPI-ESSERFIII-165, 2024-714508-DPI-LETRS-165 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Material Weakness in Internal Control over Compliance and Other Matter Criteria or Specific Requirement: 2 CFR 200.334 states that "The recipient and subrecipient must retain all Federal award records for three years from the date of submission of their final financial report. For awards that are renewed quarterly or annually, the recipient and subrecipient must retain records for three years from the date of submission of their quarterly or annual financial report, respectively. Records to be retained include but are not limited to, financial records, supporting documentation, and statistical records." Segregation of duties is an internal control intended to prevent or decrease the occurrence of errors or intentional fraud. Segregation of duties ensures that no single employee has control over all phases of a transaction. Condition: The District is required to file an annual report for ESSER. The supporting documentation used to enter the data into the reporting portal was not maintained and there was no review of the data entered into the form by someone other than the preparer. Accordingly, this does not allow for a proper segregation of duties for internal control purposes. Questioned Costs: None. Context: While performing audit procedures, it was noted that there was no review of the report completed by the finance director by someone else. The supporting documents used to complete the report was not retained by the District. Cause: The lack of segregation of duties is due to the limited number of employees and the size of the District’s operations. Effect: Errors or intentional fraud could occur and not be detected timely by other employees in the normal course of their responsibilities as a result of the lack of segregation of duties. Repeat Finding: No. Recommendation: We recommend the District review its grant reporting processes and implement internal controls to help ensure that there is adequate segregation of duties in regards to grant reporting including special reports and that all supporting documentation is maintained with the filed copy of the report. Views of Responsible Officials: There is no disagreement with the audit finding.

Federal Agency: U.S. Department of Education Federal Program Name: Elementary and Secondary School Relief Fund Assistance Listing Number: 84.425D, 84.425U Federal Award Identification Number and Year: S425D210044 Federal Award Date 1/6/2021, S425U210044 Federal Award Date 12/6/2021 and 3/13/2020 Pass-Through Agency: Wisconsin Department of Public Instruction Pass-Through Number(s): 2022-714508-DPI-ESSERFII-163, 2022-714508-DPI-ESSERFIII-165, 2024-714508-DPI-LETRS-165 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Material Weakness in Internal Control over Compliance and Other Matter Criteria or Specific Requirement: 2 CFR 200.334 states that "The recipient and subrecipient must retain all Federal award records for three years from the date of submission of their final financial report. For awards that are renewed quarterly or annually, the recipient and subrecipient must retain records for three years from the date of submission of their quarterly or annual financial report, respectively. Records to be retained include but are not limited to, financial records, supporting documentation, and statistical records." Segregation of duties is an internal control intended to prevent or decrease the occurrence of errors or intentional fraud. Segregation of duties ensures that no single employee has control over all phases of a transaction. Condition: The District is required to file an annual report for ESSER. The supporting documentation used to enter the data into the reporting portal was not maintained and there was no review of the data entered into the form by someone other than the preparer. Accordingly, this does not allow for a proper segregation of duties for internal control purposes. Questioned Costs: None. Context: While performing audit procedures, it was noted that there was no review of the report completed by the finance director by someone else. The supporting documents used to complete the report was not retained by the District. Cause: The lack of segregation of duties is due to the limited number of employees and the size of the District’s operations. Effect: Errors or intentional fraud could occur and not be detected timely by other employees in the normal course of their responsibilities as a result of the lack of segregation of duties. Repeat Finding: No. Recommendation: We recommend the District review its grant reporting processes and implement internal controls to help ensure that there is adequate segregation of duties in regards to grant reporting including special reports and that all supporting documentation is maintained with the filed copy of the report. Views of Responsible Officials: There is no disagreement with the audit finding.

Federal Agency: U.S. Department of Education Federal Program Name: Elementary and Secondary School Relief Fund Assistance Listing Number: 84.425D, 84.425U Federal Award Identification Number and Year: S425D210044 Federal Award Date 1/6/2021, S425U210044 Federal Award Date 12/6/2021 and 3/13/2020 Pass-Through Agency: Wisconsin Department of Public Instruction Pass-Through Number(s): 2022-714508-DPI-ESSERFII-163, 2022-714508-DPI-ESSERFIII-165, 2024-714508-DPI-LETRS-165 Award Period: July 1, 2023 – June 30, 2024 Type of Finding: Material Weakness in Internal Control over Compliance and Other Matter Criteria or Specific Requirement: 2 CFR 200.334 states that "The recipient and subrecipient must retain all Federal award records for three years from the date of submission of their final financial report. For awards that are renewed quarterly or annually, the recipient and subrecipient must retain records for three years from the date of submission of their quarterly or annual financial report, respectively. Records to be retained include but are not limited to, financial records, supporting documentation, and statistical records." Segregation of duties is an internal control intended to prevent or decrease the occurrence of errors or intentional fraud. Segregation of duties ensures that no single employee has control over all phases of a transaction. Condition: The District is required to file an annual report for ESSER. The supporting documentation used to enter the data into the reporting portal was not maintained and there was no review of the data entered into the form by someone other than the preparer. Accordingly, this does not allow for a proper segregation of duties for internal control purposes. Questioned Costs: None. Context: While performing audit procedures, it was noted that there was no review of the report completed by the finance director by someone else. The supporting documents used to complete the report was not retained by the District. Cause: The lack of segregation of duties is due to the limited number of employees and the size of the District’s operations. Effect: Errors or intentional fraud could occur and not be detected timely by other employees in the normal course of their responsibilities as a result of the lack of segregation of duties. Repeat Finding: No. Recommendation: We recommend the District review its grant reporting processes and implement internal controls to help ensure that there is adequate segregation of duties in regards to grant reporting including special reports and that all supporting documentation is maintained with the filed copy of the report. Views of Responsible Officials: There is no disagreement with the audit finding.

FINDING 2024-001 DOCUMENT RETENTION SIGNIFICANT DEFICIENCY Federal Program: Child Nutrition Cluster Assistance Listing Number: 10.553 & 10.555 Criteria Per 7 CFR 200.334, “Financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.” Condition Two claims for meal reimbursement were selected for testing. The School was unable to provide records of meals served. The School qualified for the Community Eligibility Provision program and all students receive free meals. Meals claimed were below the maximum that could have been claimed had all students obtained school meals each day of the periods under review. No determination of questioned costs could be made. Cause The School did not maintain documentation for each individual claim. Effect Reconciliation of meals served data to individual claims was not possible. Recommendation We recommend the School develop internal controls requiring the maintenance of documentation of meals served for the individual claims submitted for the program. Views of Responsible Officials The School’s Corrective Action Plan is included on page 25.