FINDING 2024-014 Subject: Title I Grants to Local Educational Agencies - Reporting Federal Agency: Department of Education Federal Program: Title I Grants to Local Educational Agencies Assistance Listings Number: 84.010 Federal Award Numbers and Years (or Other Identifying Numbers): S010A210014, S010A220014 Pass-Through Entity: Indiana Department of Education Compliance Requirement: Reporting Audit Findings: Material Weakness, Modified Opinion Repeat Finding This is a repeat finding from the immediately prior audit report. The prior audit finding number was 2022-014. Condition and Context The system of internal controls over the applicable reports, as established by the School Corporation, was not properly implemented nor was it operating effectively to ensure that sufficient audit evidence was maintained to support the requests for reimbursement, as well as the Final Expenditure Reports submitted by the School Corporation. The Title I Director approved the requests for reimbursement and the Final Expenditure Reports prior to submission; however, this review was not effective. The fiscal years 2021-2022 and 2022-2023 Final Expenditure Reports and the six reimbursement requests were selected for testing. The School Corporation was unable to provide for audit documentation to support the underlying data accumulated and summarized in each of the Financial Expenditure Reports or the six reimbursement requests. The reported data could not be traced to records that accumulate or summarize the data; therefore, the accuracy and completeness of the reports could not be verified. The lack of internal controls and noncompliance were systemic issues throughout the audit period. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." INDIANA STATE BOARD OF ACCOUNTS 47 NORTH LAWRENCE COMMUNITY SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) 2 CFR 200.334 states in part: "Financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for the Federal awards that are renewed quarterly or annual, from the date of submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. . . ." 2 CFR 200.302(b) states in part: "The financial management system of each non-Federal entity must provide for the following: . . . (2) Accurate, current, and complete disclosure of the financial results of each Federal award or program in accordance with the reporting requirements set forth in §§ 200.328 and 200.329. . . . (3) Records that identify adequately the source and application of funds for federallyfunded activities. These records must contain information pertaining to Federal awards, authorizations, financial obligations, unobligated balances, assets, expenditures, income and interest and be supported by source documentation. . . ." 34 CFR 76.722 states: "A State may require a subgrantee to submit reports in a manner and format that assists the State in complying with the requirements under 34 CFR 76.720 and in carrying out other responsibilities under the program." Cause Due to turnover of staffing in the School Corporation's administrative office, the School Corporation's management had not designed nor implemented a system of internal controls that would have ensured compliance or that supporting documentation would have been maintained and available for audit related to the Reporting compliance requirement. Effect Without a proper system of internal controls in place that operated effectively, the School Corporation did not retain and provide appropriate supporting documentation. This prevented the determination of the School Corporation's compliance with the Reporting compliance requirement. Questioned Costs There were no questioned costs identified. Recommendation We recommended that the School Corporation's management establish an effective system of internal controls to ensure documentation will be maintained and made available for audit as related to the grant agreement and the Reporting compliance requirement. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
FINDING 2024-015 Subject: COVID-19 - Education Stabilization Fund - Activities Allowed or Unallowed, Allowable Costs/Cost Principles Federal Agency: Department of Education Federal Program: COVID-19 - Education Stabilization Fund Assistance Listings Number: 84.425D Federal Award Numbers and Years (or Other Identifying Numbers): S425D200013, S425D210013 Pass-Through Entity: Indiana Department of Education Compliance Requirements: Activities Allowed or Unallowed, Allowable Costs/Cost Principles Audit Findings: Material Weakness, Modified Opinion Repeat Finding This is a repeat finding from the immediately prior audit report. The prior audit finding number was 2022-018. Condition and Context The School Corporation had not properly implemented a system of internal controls that would likely be effective in preventing, or detecting and correcting, noncompliance. Vendor Disbursements Per inquiry with the School Corporation, one employee prepares the reimbursement requests, and another employee reviews the requests to ensure all costs are correct and allowable before giving their approval. A total of 60 claims were sampled for audit. Of the 30 vendor claims tested, there were 3 claims, totaling $2,563, that had no supporting documentation provided to determine if they were an allowable cost nor did they provide support of review and approval of the expenditure. Payroll Disbursements The School Corporation had established internal controls that all payroll is approved by the Treasurer and the School Board. However, during the audit, the School Corporation was unable to provide supporting documentation to show where the governing board approved the rate or pay or stipend amount for 2 of the payrolls selected for testing of $341 in order to determine if the costs were allowable. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." INDIANA STATE BOARD OF ACCOUNTS 49 NORTH LAWRENCE COMMUNITY SCHOOLS SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) 2 CFR 200.334 states in part: "Financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for the Federal awards that are renewed quarterly or annual, from the date of submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. . . ." 2 CFR 200.403 states in part: "Except where otherwise authorized by statute, costs must meet the following general criteria in order to be allowable under Federal awards: (a) Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles. (b) Conform to any limitations or exclusions set forth in these principles or in the Federal award as to types or amount of cost items. . . . (g) Be adequately documented. . . ." Cause Due to turnover in staff, supporting documentation could not be located to support for some expenditures paid from the COVID-19 - Education Stabilization Fund during the audit period. Effect The failure to establish an effective system of internal controls could have enabled noncompliance with the grant agreement and the Activities Allowed or Unallowed and the Allowable Costs/Cost Principles compliance requirements. Questioned Costs We identified $2,904 in known questioned costs as noted above in the Condition and Context. Recommendation We recommended that the School Corporation's management establish a system of internal controls to ensure supporting documentation is maintained and available for audit to ensure compliance with the grant agreement and the Activities Allowed or Unallowed and the Allowable Costs/Cost Principles compliance requirements. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
Criteria - Uniform Guidance 2 CFR 200.334(a) states that The records must be retained until all litigation, claims, or audit findings involving the records have been resolved and final action taken if any litigation, claim, or audit is started before the expiration of the three-year period.Condition – Personnel records were not properly retained. Effect – Key controls were missing personnel data records. Cause – Closing of HVRP federal program Recommendation – Management should prepare a quality control assessment to ensure data retention of personnel records is properly retained in line with Uniform guidance requirements.
2024-008 Federal Agencies: U.S. Department of Agriculture Federal Program Names: The Child Nutrition Cluster: National School Lunch Program Summer Food Service Program Assistance Listing Numbers: 10.555 10.559 Pass-Through Agency: Commonwealth of Pennsylvania, Department of Education Pass-Through Number: 359-46-477-8 Award Period: July 1, 2023 through June 30, 2024 Type of Finding: • Material Weakness in Internal Control over Compliance Criteria: Uniform Guidance requires recipients to submit accurate, complete, and timely financial and performance reports for federal awards (2 CFR 200.327 and 200.328). Program specific reporting instructions for the Child Nutrition Cluster require the FNS 10 and FNS 418 to be filed within 30 days after month end. Condition: As part of the reporting requirements for the CBS Food Program under the National School Lunch Program (NSLP) and Summer Food Service Program (SFSP), management is responsible for submitting the FNS 10 (NSLP) and FNS 418 (SFSP) reports within 30 days after month-end. However, management was unable to provide five (5) monthly NSLP reports and one (1) monthly SFSP report requested for audit testing. Questioned Costs: None Cause: Management did not maintain adequate internal controls to ensure that required monthly program reports were properly completed, retained, and available for audit. This may include weaknesses in recordkeeping processes, staff turnover, or insufficient monitoring of reporting deadlines. Effect: Failure to maintain and provide required federal reports results in noncompliance with federal reporting requirements. Because key source documents were unavailable, auditors were unable to verify the accuracy, completeness, and timeliness of reported program activity for those months. This increases the risk of misreporting or unsupported claims being submitted to the federal government. Recommendation: The Organization should establish and enforce strengthened internal controls over federal reporting to ensure that all required monthly reports (FNS 10 and FNS 418) are: (a) completed accurately, (b) submitted on time, and (c) retained in accordance with federal record retention requirements (2 CFR 200.334). Management should designate responsible personnel and implement a monitoring process to ensure compliance. Views of Responsible Officers and Corrective Action Plan: Please refer to Community Benefit Solutions dba CBS Food Program’s Corrective Action Plan
Finding 2024-006 – Compliance; Internal Control over Compliance, Reporting (Material Weakness) Name of Federal Agency: U.S. Environmental Protection Agency Federal Program Name: Nonpoint Source Implementation Grants Assistance Listing Numbers: 66.460 Pass-Through Entity: Oregon Department of Environmental Quality Name of Federal Agency: U.S. Department of Commerce – National Oceanic and Atmospheric Administration Federal Program Name: Pacific Coast Salmon Recovery Program Assistance Listing Numbers: 11.438, 15.015, 15.244 Pass-Through Entity: State of Oregon – Oregon Watershed Enhancement Board (OWEB) Name of Federal Agency: U.S. Department of Agriculture Federal Program Name: National Fish and Wildlife Foundation Assistance Listing Numbers: 10.665 Pass-Through Entity: U.S. Forest Service Name of Federal Agency: U.S. Department of AgricultureFederal Program Name: Natural Resources Conservation Service Assistance Listing Numbers: 10.905 Pass-Through Entity: U.S. Forest Service Name of Federal Agency: U.S. Department of the Interior Federal Program Name: Wildlife, Sport Fish and Restoration Program Assistance Listing Numbers: 15.244 Pass-Through Entity: Bureau of Land Management Name of Federal Agency: U.S. Department of the Interior Federal Program Name: Secure Rural Schools and community Self-Determination – Watershed and water-quality improvements Assistance Listing Numbers: 15.234 Pass-Through Entity: Bureau of Land Management Criteria: Under 2 CFR 200, recipients must submit performance and financial reports as required by the terms and conditions of the award and must retain records sufficient to demonstrate compliance (see (§200.301Monitoring and reporting program performance, and §200.328 Financial reporting, §200.329 Monitoring and reporting program performance, and §200.334 Retention requirements for records). The grant agreements for awards above require timely submission of performance / progress reports by specified due dates, with documentation maintained to support the submitted information. Condition: For the fiscal year ended June 30, 2024, the auditee could not provide sufficient evidence that required reports for the programs listed were prepared, reviewed, and submitted in accordance with grant terms. Specifically: No provided required financial reports, and Partnership for the Umpqua Rivers lacked copies or evidence of submission, and support for reported amounts requested. Auditors were not provided with performance/progress reports and were instructed that Partnership for the Umpqua Rivers had no retained copies, review sign-offs, or submission confirmation. Where payments were received, support for the required reports or metrics were not retained and could not be supplied to auditors for reconciling to underlying records. Cause: Management has not implemented formal reporting controls, including: A documented reporting calendar with due dates and responsible staff, Reconciliation of report amounts to the accounting records, Retention procedures for report copies, underlying support, and submission confirmations, and Supervisory review evidenced by signatures or workflow approvals. Effect or Potential Effect: Absent evidence of timely, accurate reporting and adequate record retention: The organization is at risk of noncompliance with federal award conditions, Inaccurate financial or performance information may be reported to the funding agency, and The entity may be subject to remedial actions, including heightened monitoring, repayment of questioned amounts, or potential suspension of funding. Questioned Cost: None directly noted, but potential risk if reports were incomplete or inaccurate.Context: During our audit, it was found that the Partnership for the Umpqua Rivers experienced complete staff turnover in Financial Management for the year being audited. No current finance employees had worked for the organization during the year being audited. Award files provided to auditors did not contain information related to reporting of activity, expenditures, or progress of the awards. Repeat of a Prior-Year Finding: No, Prior- year did not require a Single Audit. Recommendation: We recommend that Partnership for the Umpqua Rivers: Establish a formal reporting and retention policy aligned with 2 CFR 200 and grant terms. Implement a centralized reporting calendar that tracks due dates, preparers, reviewers, and submission methods. Require reconciliations of financial reports to the general ledger and supporting schedules, retain the reconciliation with the reporting package. Create standard workpapers for performance metrics for each award. Configure the grant portal or document management system to retain submission confirmations, reports, receipts, and version -controlled copies of all reports for awards. Document supervisory review through sign-offs prior to submission and with evidence retained. Provide training to staff on Uniform Guidance requirements and record retention (§200.334). District Response: Partnership for the Umpqua Rivers acknowledges the deficiencies. Corrective Action Plan: ____________ (To be completed by Partnership for the Umpqua Rivers) Planned Implementation Date: _____________ Responsible Person: Partnership for the Umpqua Rivers Finance Manager
Finding 2023-003: Reporting Federal Program: Economic Adjustment Assistance [AL #11.307]. Criteria: Per 2 CFR 200.334, financial records, supports documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. Condition: The Bureau was unable to provide documentation that their annual report was submitted to the Kentucky Department of Tourism. As such, the report was unable to be tested. Cause: Controls were not in place to ensure records were maintained in accordance with the Uniform Guidance. Effect: The reporting requirements were unable to be tested. Questioned Costs: None Context: This is not a systemic problem. Repeat Finding: This is not a repeat finding. Recommendation: We recommend the Bureau maintain all records related to Federal awards, including making copies of reports submitted, to ensure compliance with the award. Management Response: The management team received limited guidance on the testing, reporting, and retention requirements of federal funds. In the future, copies of all reports and documentation of timely submission will be maintained by the management team.
#2023-010 – Major Federal Award Finding – Document Retention Nature of Finding: Compliance Finding – Uniform Guidance Administrative Requirements and Material Weakness in Internal Controls Over Compliance This is a repeat of prior year finding #2022-011. Criteria/Condition: Federal regulations 2 CFR 200.334 provides that a non-federal entity must retain all records pertinent to a federal award for a minimum period of three years from the date of submission of the annual financial report. We noted during testing that records were not consistently being maintained. Cause/Context: For 4 of the 40 expenditures selected for testing, the Organization was unable to provide appropriate invoice documentation supporting the amount charged to the grant. Effect: Federal expenditures could be charged to the grant at incorrect amounts or for unallowable costs. Recommendation: We recommend the Organization implement a document retention policy that is consistent with the federal document retention requirements. Views of Responsible Officials and Planned Corrective Actions: MARR will retain a CPA consultant to implement a document retention policy that is consistent with federal document retention requirements.
#2023-010 – Major Federal Award Finding – Document Retention Nature of Finding: Compliance Finding – Uniform Guidance Administrative Requirements and Material Weakness in Internal Controls Over Compliance This is a repeat of prior year finding #2022-011. Criteria/Condition: Federal regulations 2 CFR 200.334 provides that a non-federal entity must retain all records pertinent to a federal award for a minimum period of three years from the date of submission of the annual financial report. We noted during testing that records were not consistently being maintained. Cause/Context: For 4 of the 40 expenditures selected for testing, the Organization was unable to provide appropriate invoice documentation supporting the amount charged to the grant. Effect: Federal expenditures could be charged to the grant at incorrect amounts or for unallowable costs. Recommendation: We recommend the Organization implement a document retention policy that is consistent with the federal document retention requirements. Views of Responsible Officials and Planned Corrective Actions: MARR will retain a CPA consultant to implement a document retention policy that is consistent with federal document retention requirements.
FINDING 2023-006 Subject: COVID-19 - Community Development Block Grants/State's program and Non-Entitlement Grants in Hawaii- Reporting Federal Agency: Department of Housing and Urban Development Federal Programs: COVID-19 - Community Development Block Grants/State's program and Non-Entitlement Grants in Hawaii Assistance Listings Number: 14.228 Federal Award Number and Year (or Other Identifying Number): CV-CV1-233 Pass-Through Entity: Indiana Office of Community and Rural Affairs Compliance Requirement: Reporting Audit Findings: Material Weakness, Modified Opinion INDIANA STATE BOARD OF ACCOUNTS 25 JEFFERSON COUNTY SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Condition and Context An effective internal control system was not in place at the County in order to ensure compliance with requirements related to the grant agreement and the Reporting compliance requirement. The passthrough agency required the County to submit a CDBG-CV report on Jobs Retained. The County collected the required information via phone calls made by one individual who compiled the information and submitted the required CDBG-CV report on Jobs Retained for the grant program without a documented oversight or review process. Furthermore, supporting documentation for the report was not retained for audit. Due to the lack of supporting documentation, we were unable to determine the accuracy of the report submitted. The lack of internal controls and the failure to maintain adequate supporting documentation was isolated to the CDBG-CV Report on Jobs Retained report. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.334 states in part: "Financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. . . ." Cause Management had not established a system of internal controls that would have ensured that adequate supporting documentation would have been maintained and made available for audit. Effect Without the proper implementation of an effectively designed system of internal controls, including policies and procedures that provide segregation of duties and additional oversight as needed, the internal control system cannot be capable of effectively preventing, or detecting and correcting, material noncompliance. As such, we could not determine the County's compliance with the CDBG-CV Report on Jobs Retained report. Noncompliance with the provisions of federal statutes, regulations, and the terms and conditions of the federal award could result in the loss of future federal funding to the County. INDIANA STATE BOARD OF ACCOUNTS 26 JEFFERSON COUNTY SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Questioned Costs There were no questioned costs identified. Recommendation We recommended that management of the County strengthen its system of internal controls to provide for a segregation of duties in the preparation and review of federal reports to ensure appropriate reviews, approvals, and oversight are taking place. We also recommended strengthening its policies and procedures to ensure appropriate supporting documentation is retained to be presented for audit. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
Finding 2023-003: Reporting Federal Program: Economic Adjustment Assistance [AL #11.307]. Criteria: Per 2 CFR 200.334, financial records, supports documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. Condition: The Bureau was unable to provide documentation that their annual report was submitted to the Kentucky Department of Tourism. As such, the report was unable to be tested. Cause: Controls were not in place to ensure records were maintained in accordance with the Uniform Guidance. Effect: The reporting requirements were unable to be tested. Questioned Costs: None Context: This is not a systemic problem. Repeat Finding: This is not a repeat finding. Recommendation: We recommend the Bureau maintain all records related to Federal awards, including making copies of reports submitted, to ensure compliance with the award. Management Response: The management team received limited guidance on the testing, reporting, and retention requirements of federal funds. In the future, copies of all reports and documentation of timely submission will be maintained by the management team.
#2023-010 – Major Federal Award Finding – Document Retention Nature of Finding: Compliance Finding – Uniform Guidance Administrative Requirements and Material Weakness in Internal Controls Over Compliance This is a repeat of prior year finding #2022-011. Criteria/Condition: Federal regulations 2 CFR 200.334 provides that a non-federal entity must retain all records pertinent to a federal award for a minimum period of three years from the date of submission of the annual financial report. We noted during testing that records were not consistently being maintained. Cause/Context: For 4 of the 40 expenditures selected for testing, the Organization was unable to provide appropriate invoice documentation supporting the amount charged to the grant. Effect: Federal expenditures could be charged to the grant at incorrect amounts or for unallowable costs. Recommendation: We recommend the Organization implement a document retention policy that is consistent with the federal document retention requirements. Views of Responsible Officials and Planned Corrective Actions: MARR will retain a CPA consultant to implement a document retention policy that is consistent with federal document retention requirements.
#2023-010 – Major Federal Award Finding – Document Retention Nature of Finding: Compliance Finding – Uniform Guidance Administrative Requirements and Material Weakness in Internal Controls Over Compliance This is a repeat of prior year finding #2022-011. Criteria/Condition: Federal regulations 2 CFR 200.334 provides that a non-federal entity must retain all records pertinent to a federal award for a minimum period of three years from the date of submission of the annual financial report. We noted during testing that records were not consistently being maintained. Cause/Context: For 4 of the 40 expenditures selected for testing, the Organization was unable to provide appropriate invoice documentation supporting the amount charged to the grant. Effect: Federal expenditures could be charged to the grant at incorrect amounts or for unallowable costs. Recommendation: We recommend the Organization implement a document retention policy that is consistent with the federal document retention requirements. Views of Responsible Officials and Planned Corrective Actions: MARR will retain a CPA consultant to implement a document retention policy that is consistent with federal document retention requirements.
FINDING 2023-006 Subject: COVID-19 - Community Development Block Grants/State's program and Non-Entitlement Grants in Hawaii- Reporting Federal Agency: Department of Housing and Urban Development Federal Programs: COVID-19 - Community Development Block Grants/State's program and Non-Entitlement Grants in Hawaii Assistance Listings Number: 14.228 Federal Award Number and Year (or Other Identifying Number): CV-CV1-233 Pass-Through Entity: Indiana Office of Community and Rural Affairs Compliance Requirement: Reporting Audit Findings: Material Weakness, Modified Opinion INDIANA STATE BOARD OF ACCOUNTS 25 JEFFERSON COUNTY SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Condition and Context An effective internal control system was not in place at the County in order to ensure compliance with requirements related to the grant agreement and the Reporting compliance requirement. The passthrough agency required the County to submit a CDBG-CV report on Jobs Retained. The County collected the required information via phone calls made by one individual who compiled the information and submitted the required CDBG-CV report on Jobs Retained for the grant program without a documented oversight or review process. Furthermore, supporting documentation for the report was not retained for audit. Due to the lack of supporting documentation, we were unable to determine the accuracy of the report submitted. The lack of internal controls and the failure to maintain adequate supporting documentation was isolated to the CDBG-CV Report on Jobs Retained report. Criteria 2 CFR 200.303 states in part: "The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in 'Standards for Internal Control in the Federal Government' issued by the Comptroller General of the United States or the 'Internal Control Integrated Framework', issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). . . ." 2 CFR 200.334 states in part: "Financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. . . ." Cause Management had not established a system of internal controls that would have ensured that adequate supporting documentation would have been maintained and made available for audit. Effect Without the proper implementation of an effectively designed system of internal controls, including policies and procedures that provide segregation of duties and additional oversight as needed, the internal control system cannot be capable of effectively preventing, or detecting and correcting, material noncompliance. As such, we could not determine the County's compliance with the CDBG-CV Report on Jobs Retained report. Noncompliance with the provisions of federal statutes, regulations, and the terms and conditions of the federal award could result in the loss of future federal funding to the County. INDIANA STATE BOARD OF ACCOUNTS 26 JEFFERSON COUNTY SCHEDULE OF FINDINGS AND QUESTIONED COSTS (Continued) Questioned Costs There were no questioned costs identified. Recommendation We recommended that management of the County strengthen its system of internal controls to provide for a segregation of duties in the preparation and review of federal reports to ensure appropriate reviews, approvals, and oversight are taking place. We also recommended strengthening its policies and procedures to ensure appropriate supporting documentation is retained to be presented for audit. Views of Responsible Officials For the views of responsible officials, refer to the Corrective Action Plan that is part of this report.
Finding 2023-005: Significant Deficiency – Documentation Retention Federal grantor: Department of Commerce Condition: The Chamber was unable to provide supporting documentation for one expense sample. Criteria: According to 2 CFR § 200.334, recipients of federal awards must retain financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a federal award for a period of three years from the date of submission of the final expenditure report. Cause: The lack of documentation appears to result from inadequate procedures or oversight in retaining and securely storing required financial records related to the federal program. Effect: Failure to retain supporting documentation compromises the Chamber's ability to demonstrate allowability of costs, may result in questioned costs, and exposes the Chamber to risk in audits or federal monitoring reviews. Recommendation: We recommend the Chamber enhance its record retention policies and internal controls to ensure that all documentation supporting federal program expenditures is retained in compliance with 2 CFR § 200.334. Staff responsible for federal grants should receive training on documentation and retention requirements. Views of Responsible Officials and Planned Corrective Actions: The Chamber agrees with the findings and will improve its record retention practices to ensure all supporting documentation is properly maintained in compliance with federal requirements.
Activities Allowed or Unallowed, Allowable Costs/Cost Principles Federal Agency: U.S. Department of the Treasury Federal Program Title: Coronavirus State and Local Fiscal Recovery Funds ALN: 21.027 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: SLT – 8809: Project Name: HHSC Section 33; HHSC Section 12: Rural Hospitals, HHSC Section 22: Sunrise Canyon Hospital November 8, 2021 – December 31, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In the 2021 Texas Senate Bill 8, HHSC was appropriated money in various sections of the bill received by Texas from the Coronavirus State Fiscal Recovery Fund for the following purposes related to costs incurred during the period beginning October 8, 2021, and ending November 8, 2023, due to the coronavirus pandemic: Section 11(a) – funding for the construction of a state hospital in Dallas, Texas. Section 12 – funding for grants to support rural hospitals that have been affected by the COVID-19 pandemic. Section 13 – funding for the creation of a consolidated internet portal for Medicaid and the Children’s Health Insurance Program medical services provider data. Section 14 – funding for technology updates to the Medicaid eligibility computer system. Section 15 – funding for COVID-19 related expenses incurred by the Texas Civil Commitment Office related to consumable supplies and travel. Section 22 – funding for the expansion of capacity of Sunrise Canyon Hospital. Section 33 – funding to administer one-time grants related to providing critical staffing needs resulting from frontline healthcare workers affected by COVID-19, including recruitment and retention bonuses for staff. Condition: Audit procedures included a selection of 60 sampled expenditures totaling $143,092,786 incurred during the fiscal year to test allowability with the grant awards. We noted that for 48 out of the 60 samples totaling $9,600,062, the agency did not obtain supporting documentation from the vendor to verify that the amounts advanced to the vendor were expended on allowable costs. We were unable to substantiate the amounts expended by the vendor and allowability of those expenditures in accordance with the relevant Senate Bill 8 section and the Department of the Treasury Final Rule. Questioned costs: $9,600,062. Context: See “Condition.” Cause: HHSC is not fully monitoring the use of program funds through collection, review, and maintenance of invoices supporting the expenditures. Effect: Failure to maintain adequate documentation pertinent to a federal award may result in noncompliance with grant terms and conditions. Repeat finding: No Recommendation: HHSC should implement policies and procedures to ensure documentation is maintained for a period of at least three years from the date of submission of the final expenditure report for the grant in accordance with 2 CFR 200.334. Views of responsible officials: HHSC concurs with the finding.
Activities Allowed or Unallowed, Allowable Costs/Cost Principles Federal Agency: U.S. Department of the Treasury Federal Program Title: Coronavirus State and Local Fiscal Recovery Funds ALN: 21.027 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: SLT – 8809: Project Name: HHSC Section 33; HHSC Section 12: Rural Hospitals, HHSC Section 22: Sunrise Canyon Hospital November 8, 2021 – December 31, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In the 2021 Texas Senate Bill 8, HHSC was appropriated money in various sections of the bill received by Texas from the Coronavirus State Fiscal Recovery Fund for the following purposes related to costs incurred during the period beginning October 8, 2021, and ending November 8, 2023, due to the coronavirus pandemic: Section 11(a) – funding for the construction of a state hospital in Dallas, Texas. Section 12 – funding for grants to support rural hospitals that have been affected by the COVID-19 pandemic. Section 13 – funding for the creation of a consolidated internet portal for Medicaid and the Children’s Health Insurance Program medical services provider data. Section 14 – funding for technology updates to the Medicaid eligibility computer system. Section 15 – funding for COVID-19 related expenses incurred by the Texas Civil Commitment Office related to consumable supplies and travel. Section 22 – funding for the expansion of capacity of Sunrise Canyon Hospital. Section 33 – funding to administer one-time grants related to providing critical staffing needs resulting from frontline healthcare workers affected by COVID-19, including recruitment and retention bonuses for staff. Condition: Audit procedures included a selection of 60 sampled expenditures totaling $143,092,786 incurred during the fiscal year to test allowability with the grant awards. We noted that for 48 out of the 60 samples totaling $9,600,062, the agency did not obtain supporting documentation from the vendor to verify that the amounts advanced to the vendor were expended on allowable costs. We were unable to substantiate the amounts expended by the vendor and allowability of those expenditures in accordance with the relevant Senate Bill 8 section and the Department of the Treasury Final Rule. Questioned costs: $9,600,062. Context: See “Condition.” Cause: HHSC is not fully monitoring the use of program funds through collection, review, and maintenance of invoices supporting the expenditures. Effect: Failure to maintain adequate documentation pertinent to a federal award may result in noncompliance with grant terms and conditions. Repeat finding: No Recommendation: HHSC should implement policies and procedures to ensure documentation is maintained for a period of at least three years from the date of submission of the final expenditure report for the grant in accordance with 2 CFR 200.334. Views of responsible officials: HHSC concurs with the finding.
Activities Allowed or Unallowed, Allowable Costs/Cost Principles Federal Agency: U.S. Department of the Treasury Federal Program Title: Coronavirus State and Local Fiscal Recovery Funds ALN: 21.027 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: SLT – 8809: Project Name: HHSC Section 33; HHSC Section 12: Rural Hospitals, HHSC Section 22: Sunrise Canyon Hospital November 8, 2021 – December 31, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In the 2021 Texas Senate Bill 8, HHSC was appropriated money in various sections of the bill received by Texas from the Coronavirus State Fiscal Recovery Fund for the following purposes related to costs incurred during the period beginning October 8, 2021, and ending November 8, 2023, due to the coronavirus pandemic: Section 11(a) – funding for the construction of a state hospital in Dallas, Texas. Section 12 – funding for grants to support rural hospitals that have been affected by the COVID-19 pandemic. Section 13 – funding for the creation of a consolidated internet portal for Medicaid and the Children’s Health Insurance Program medical services provider data. Section 14 – funding for technology updates to the Medicaid eligibility computer system. Section 15 – funding for COVID-19 related expenses incurred by the Texas Civil Commitment Office related to consumable supplies and travel. Section 22 – funding for the expansion of capacity of Sunrise Canyon Hospital. Section 33 – funding to administer one-time grants related to providing critical staffing needs resulting from frontline healthcare workers affected by COVID-19, including recruitment and retention bonuses for staff. Condition: Audit procedures included a selection of 60 sampled expenditures totaling $143,092,786 incurred during the fiscal year to test allowability with the grant awards. We noted that for 48 out of the 60 samples totaling $9,600,062, the agency did not obtain supporting documentation from the vendor to verify that the amounts advanced to the vendor were expended on allowable costs. We were unable to substantiate the amounts expended by the vendor and allowability of those expenditures in accordance with the relevant Senate Bill 8 section and the Department of the Treasury Final Rule. Questioned costs: $9,600,062. Context: See “Condition.” Cause: HHSC is not fully monitoring the use of program funds through collection, review, and maintenance of invoices supporting the expenditures. Effect: Failure to maintain adequate documentation pertinent to a federal award may result in noncompliance with grant terms and conditions. Repeat finding: No Recommendation: HHSC should implement policies and procedures to ensure documentation is maintained for a period of at least three years from the date of submission of the final expenditure report for the grant in accordance with 2 CFR 200.334. Views of responsible officials: HHSC concurs with the finding.
Activities Allowed or Unallowed, Allowable Costs/Cost Principles Federal Agency: U.S. Department of the Treasury Federal Program Title: Coronavirus State and Local Fiscal Recovery Funds ALN: 21.027 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: SLT – 8809: Project Name: HHSC Section 33; HHSC Section 12: Rural Hospitals, HHSC Section 22: Sunrise Canyon Hospital November 8, 2021 – December 31, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In the 2021 Texas Senate Bill 8, HHSC was appropriated money in various sections of the bill received by Texas from the Coronavirus State Fiscal Recovery Fund for the following purposes related to costs incurred during the period beginning October 8, 2021, and ending November 8, 2023, due to the coronavirus pandemic: Section 11(a) – funding for the construction of a state hospital in Dallas, Texas. Section 12 – funding for grants to support rural hospitals that have been affected by the COVID-19 pandemic. Section 13 – funding for the creation of a consolidated internet portal for Medicaid and the Children’s Health Insurance Program medical services provider data. Section 14 – funding for technology updates to the Medicaid eligibility computer system. Section 15 – funding for COVID-19 related expenses incurred by the Texas Civil Commitment Office related to consumable supplies and travel. Section 22 – funding for the expansion of capacity of Sunrise Canyon Hospital. Section 33 – funding to administer one-time grants related to providing critical staffing needs resulting from frontline healthcare workers affected by COVID-19, including recruitment and retention bonuses for staff. Condition: Audit procedures included a selection of 60 sampled expenditures totaling $143,092,786 incurred during the fiscal year to test allowability with the grant awards. We noted that for 48 out of the 60 samples totaling $9,600,062, the agency did not obtain supporting documentation from the vendor to verify that the amounts advanced to the vendor were expended on allowable costs. We were unable to substantiate the amounts expended by the vendor and allowability of those expenditures in accordance with the relevant Senate Bill 8 section and the Department of the Treasury Final Rule. Questioned costs: $9,600,062. Context: See “Condition.” Cause: HHSC is not fully monitoring the use of program funds through collection, review, and maintenance of invoices supporting the expenditures. Effect: Failure to maintain adequate documentation pertinent to a federal award may result in noncompliance with grant terms and conditions. Repeat finding: No Recommendation: HHSC should implement policies and procedures to ensure documentation is maintained for a period of at least three years from the date of submission of the final expenditure report for the grant in accordance with 2 CFR 200.334. Views of responsible officials: HHSC concurs with the finding.
Activities Allowed or Unallowed, Allowable Costs/Cost Principles Federal Agency: U.S. Department of the Treasury Federal Program Title: Coronavirus State and Local Fiscal Recovery Funds ALN: 21.027 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: SLT – 8809: Project Name: HHSC Section 33; HHSC Section 12: Rural Hospitals, HHSC Section 22: Sunrise Canyon Hospital November 8, 2021 – December 31, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In the 2021 Texas Senate Bill 8, HHSC was appropriated money in various sections of the bill received by Texas from the Coronavirus State Fiscal Recovery Fund for the following purposes related to costs incurred during the period beginning October 8, 2021, and ending November 8, 2023, due to the coronavirus pandemic: Section 11(a) – funding for the construction of a state hospital in Dallas, Texas. Section 12 – funding for grants to support rural hospitals that have been affected by the COVID-19 pandemic. Section 13 – funding for the creation of a consolidated internet portal for Medicaid and the Children’s Health Insurance Program medical services provider data. Section 14 – funding for technology updates to the Medicaid eligibility computer system. Section 15 – funding for COVID-19 related expenses incurred by the Texas Civil Commitment Office related to consumable supplies and travel. Section 22 – funding for the expansion of capacity of Sunrise Canyon Hospital. Section 33 – funding to administer one-time grants related to providing critical staffing needs resulting from frontline healthcare workers affected by COVID-19, including recruitment and retention bonuses for staff. Condition: Audit procedures included a selection of 60 sampled expenditures totaling $143,092,786 incurred during the fiscal year to test allowability with the grant awards. We noted that for 48 out of the 60 samples totaling $9,600,062, the agency did not obtain supporting documentation from the vendor to verify that the amounts advanced to the vendor were expended on allowable costs. We were unable to substantiate the amounts expended by the vendor and allowability of those expenditures in accordance with the relevant Senate Bill 8 section and the Department of the Treasury Final Rule. Questioned costs: $9,600,062. Context: See “Condition.” Cause: HHSC is not fully monitoring the use of program funds through collection, review, and maintenance of invoices supporting the expenditures. Effect: Failure to maintain adequate documentation pertinent to a federal award may result in noncompliance with grant terms and conditions. Repeat finding: No Recommendation: HHSC should implement policies and procedures to ensure documentation is maintained for a period of at least three years from the date of submission of the final expenditure report for the grant in accordance with 2 CFR 200.334. Views of responsible officials: HHSC concurs with the finding.
Activities Allowed or Unallowed, Allowable Costs/Cost Principles Federal Agency: U.S. Department of the Treasury Federal Program Title: Coronavirus State and Local Fiscal Recovery Funds ALN: 21.027 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: SLT – 8809: Project Name: HHSC Section 33; HHSC Section 12: Rural Hospitals, HHSC Section 22: Sunrise Canyon Hospital November 8, 2021 – December 31, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In the 2021 Texas Senate Bill 8, HHSC was appropriated money in various sections of the bill received by Texas from the Coronavirus State Fiscal Recovery Fund for the following purposes related to costs incurred during the period beginning October 8, 2021, and ending November 8, 2023, due to the coronavirus pandemic: Section 11(a) – funding for the construction of a state hospital in Dallas, Texas. Section 12 – funding for grants to support rural hospitals that have been affected by the COVID-19 pandemic. Section 13 – funding for the creation of a consolidated internet portal for Medicaid and the Children’s Health Insurance Program medical services provider data. Section 14 – funding for technology updates to the Medicaid eligibility computer system. Section 15 – funding for COVID-19 related expenses incurred by the Texas Civil Commitment Office related to consumable supplies and travel. Section 22 – funding for the expansion of capacity of Sunrise Canyon Hospital. Section 33 – funding to administer one-time grants related to providing critical staffing needs resulting from frontline healthcare workers affected by COVID-19, including recruitment and retention bonuses for staff. Condition: Audit procedures included a selection of 60 sampled expenditures totaling $143,092,786 incurred during the fiscal year to test allowability with the grant awards. We noted that for 48 out of the 60 samples totaling $9,600,062, the agency did not obtain supporting documentation from the vendor to verify that the amounts advanced to the vendor were expended on allowable costs. We were unable to substantiate the amounts expended by the vendor and allowability of those expenditures in accordance with the relevant Senate Bill 8 section and the Department of the Treasury Final Rule. Questioned costs: $9,600,062. Context: See “Condition.” Cause: HHSC is not fully monitoring the use of program funds through collection, review, and maintenance of invoices supporting the expenditures. Effect: Failure to maintain adequate documentation pertinent to a federal award may result in noncompliance with grant terms and conditions. Repeat finding: No Recommendation: HHSC should implement policies and procedures to ensure documentation is maintained for a period of at least three years from the date of submission of the final expenditure report for the grant in accordance with 2 CFR 200.334. Views of responsible officials: HHSC concurs with the finding.
Activities Allowed or Unallowed, Allowable Costs/Cost Principles Federal Agency: U.S. Department of the Treasury Federal Program Title: Coronavirus State and Local Fiscal Recovery Funds ALN: 21.027 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: SLT – 8809: Project Name: HHSC Section 33; HHSC Section 12: Rural Hospitals, HHSC Section 22: Sunrise Canyon Hospital November 8, 2021 – December 31, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In the 2021 Texas Senate Bill 8, HHSC was appropriated money in various sections of the bill received by Texas from the Coronavirus State Fiscal Recovery Fund for the following purposes related to costs incurred during the period beginning October 8, 2021, and ending November 8, 2023, due to the coronavirus pandemic: Section 11(a) – funding for the construction of a state hospital in Dallas, Texas. Section 12 – funding for grants to support rural hospitals that have been affected by the COVID-19 pandemic. Section 13 – funding for the creation of a consolidated internet portal for Medicaid and the Children’s Health Insurance Program medical services provider data. Section 14 – funding for technology updates to the Medicaid eligibility computer system. Section 15 – funding for COVID-19 related expenses incurred by the Texas Civil Commitment Office related to consumable supplies and travel. Section 22 – funding for the expansion of capacity of Sunrise Canyon Hospital. Section 33 – funding to administer one-time grants related to providing critical staffing needs resulting from frontline healthcare workers affected by COVID-19, including recruitment and retention bonuses for staff. Condition: Audit procedures included a selection of 60 sampled expenditures totaling $143,092,786 incurred during the fiscal year to test allowability with the grant awards. We noted that for 48 out of the 60 samples totaling $9,600,062, the agency did not obtain supporting documentation from the vendor to verify that the amounts advanced to the vendor were expended on allowable costs. We were unable to substantiate the amounts expended by the vendor and allowability of those expenditures in accordance with the relevant Senate Bill 8 section and the Department of the Treasury Final Rule. Questioned costs: $9,600,062. Context: See “Condition.” Cause: HHSC is not fully monitoring the use of program funds through collection, review, and maintenance of invoices supporting the expenditures. Effect: Failure to maintain adequate documentation pertinent to a federal award may result in noncompliance with grant terms and conditions. Repeat finding: No Recommendation: HHSC should implement policies and procedures to ensure documentation is maintained for a period of at least three years from the date of submission of the final expenditure report for the grant in accordance with 2 CFR 200.334. Views of responsible officials: HHSC concurs with the finding.
Reporting Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Social Services Block Grant ALN: 93.667 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 2301TXSOSR, 2201TXSOSR and 2101TXSOSR October 1, 2022 – September 30, 2024, October 1, 2021 – September 30, 2023 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass_x0002_through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. Title 42 USC 1397e requires states and territories to submit to the federal administering agency, the Office of Community Services, an annual Post Expenditure Report no later than six months following the close of the fiscal year. The report includes certain critical key line information including: 1. The number of eligible individuals who received services paid for in part or in whole with federal funds under the SSBG. 2. The amount of Social Services Block Grant funds spent in providing each service. Condition: During testing of key line items noted above in the FY2022 Annual Post Expenditure Report submitted in March 2023, we noted the following variances between the amounts reported and supporting documentation: Key Line Item 1 Children Family Planning Services – variance of 1,796 Prevention and Intervention – variance of 9,866 Protective Services – Children – variance of 13,511 Adults Age 59 Years and Younger Family Planning Services – variance of 107,476 Prevention and Intervention – variance of 19,398 Protective Services – Adults – variance of 21,973 Other Services – variance of 10,733 Adults Age 60 Years and Older Family Planning Services – variance of 4,549 Prevention and Intervention – variance of 868 Protective Services – Adults – variance of 71,969 Other Services – variance of 14,408 Adults of Unknown Age Prevention and Intervention – variance of 151 Key Line Item 2 SSBG Allocation Foster Care Services – Children – variance of ($77,124) Information & Referral – variance of $2,116 Protective Services – Adults – variance of ($59,467) Protective Services – Children – variance of ($114,243) Funds Transferred into SSBG Protective Services – Children – variance of ($6,948,063) Expenditures of All Other Federal, State, and Local Funds Family Planning Services – variance of $172,504,171 Foster Care Services – Children – variance of $674,230,152 Information & Referral – variance of $35,508,405 Protective Services – Adults – variance of $67,694,139 Protective Services – Children – variance of $1,145,408,512 Other Services – $171,788,478 Questioned costs: None. Context: See “Condition.” Cause: Current internal controls are not at the correct precision level to ensure the completeness and accuracy of the report. Additionally, HHSC did not follow current policies and procedures regarding record retention. More specifically, all variances listed for key line item 1 were due to lack of supporting documentation except for the Protective Services – Children variance of 13,511, which was the difference between amounts reported and supporting documentation provided. All variances for key line item 2 were due to lack of supporting documentation except the four amounts listed under SSBG Allocation, which are a result difference between amounts reported and supporting documentation provided. Effect: Improperly designed internal controls over reporting may result in a misstatement of amounts reported on federal reports. In addition, failure to maintain adequate documentation pertinent to a federal award may result in noncompliance with grant terms and conditions. Repeat Finding: No Recommendation: We recommend management revise its internal controls to reconcile expenditures reported on federal reports to federal expenditures in the general ledger. Additionally, HHSC should implement or revise policies and procedures to ensure documentation is maintained for a period of at least three years from the date of submission of the final expenditure report for the grant in accordance with 2 CFR 200.334. Views of responsible officials: HHSC concurs with the finding.
Special Tests and Provisions – Provider Eligibility – Lack of Documentation Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Children’s Health Insurance Program ALN: 93.767 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 2105TX5021, 2205TX5021, 2305TX3002, 2305TX5021 October 1, 2020 – September 30, 2022, October 1, 2021 – September 30, 2023, October 1, 2022 – September 30, 2024 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance. Criteria or specific requirement: Per 2 CFR 200.303, a non-Federal entity must: Establish and maintain effective internal controls over federal awards that provide reasonable assurance they are managing federal awards in compliance with federal statutes, regulations, and the provisions of contracts or grant agreements that could have a material effect on each of its federal programs. Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In order to comply with federal provider eligibility requirements, HHSC must adhere to various subsections of 42 CFR Section 455 including but not limited to: § 455.104 – HHSC must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. Date of birth and Social Security Number (in the case of an individual). Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). § 455.105 – HHSC must enter into an agreement with each provider under which the provider agrees to furnish to it the following information related to business transactions within 35 days of request: The ownership of any subcontractor with whom the provider has had business transactions totaling more than $25,000 during the 12-month period ending on the date of the request; and Any significant business transactions between the provider and any wholly owned supplier, or between the provider and any subcontractor, during the 5-year period ending on the date of the request. § 455.106 – Before HHSC enters into or renews a provider agreement, or at any time upon written request by HHSC, the provider must disclose to HHSC the identity of any person who: Has ownership or control interest in the provider, or is an agent or managing employee of the provider; and Has been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the title XX services program since the inception of those programs. § 455.410 – HHSC must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. § 455.412 – HHSC must: Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. Confirm that the provider's license has not expired and that there are no current limitations on the provider's license. § 455.414 – HHSC must revalidate the enrollment of all providers regardless of provider type at least every five years. § 455.432 – HHSC must: Conduct pre-enrollment and post-enrollment site visits of providers who are designated as “moderate” or “high” categorical risks to the Medicaid program. Require any enrolled provider to permit CMS, its agents, its designated contractors, or HHSC to conduct unannounced on-site inspections of any and all provider locations. § 455.434 – HHSC must: Require providers to consent to criminal background checks including fingerprinting when required to do so under State law or by the level of screening based on risk of fraud, waste or abuse as determined for that category of provider. Establish categorical risk levels for providers and provider categories who pose an increased financial risk of fraud, waste or abuse to the Medicaid program. o Upon HHSC determining that a provider, or a person with a 5 percent or more direct or indirect ownership interest in the provider, meets HHSC's criteria hereunder for criminal background checks as a “high” risk to the Medicaid program, HHSC will require that each such provider or person submit fingerprints, in a form and manner to be determined by HHSC, within 30 days upon request from CMS or HHSC. § 455.436 – HHSC must confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. Upon enrollment and reenrollment, HHSC must check the Social Security Administration's Death Master File (SSADMF), the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. During the period the provider is enrolled, HHSC must check the LEIE and EPLS no less frequently than monthly. § 455.434 – HHSC must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of “limited,” “moderate,” or “high.” If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. Condition: Various departments within and contractors of HHSC are responsible for ensuring medical providers are properly licensed, screened, and enrolled in the Medicaid Program including Contract Administration and Provider Monitoring (CAPM), Access and Eligibility Services (AES), Procurement and Contracting Services, and the Texas Medicaid and Healthcare Partnership. Audit procedures included a review of 60 providers for CHIP, which resulted in one exception for the following: A copy of the completed application was not included in the file. Enrollment of the provider was not completed within the last 5 years. Verification of the provider’s license was not included in the file. Required information on ownership and control was not disclosed. Supporting documentation was not included in the file indicating the SSADMF database was checked at the time of the most recent enrollment. Supporting documentation was not included in the file indicating the NPPES database was checked at the time of the most recent enrollment. Supporting documentation was not included in the file indicating the LEIE database was checked at the time of the most recent enrollment. Supporting documentation was not included in the file indicating the EPLS database was checked at the time of the most recent enrollment. Supporting documentation was not included in the file indicating the provider was categorized during screening as limited, moderate, or high risk. A copy of the provider agreement was not included in the files. Supporting documentation was not included indicating a pre- or post-enrollment site visit was conducted as required for providers designated as moderate or high risk. Supporting documentation was not included indicating the provider disclosed the identity of any person who had been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the Title XX services program since the inception of those programs. Questioned costs: None. Context: See “Condition.” Cause: HHSC does not have adequate procedures in place to ensure required documentation is obtained and maintained to comply with federal provider eligibility requirements. Effect: Failure to obtain and maintain adequate documentation during the provider screening and enrollment process may result in otherwise ineligible or fraudulent providers receiving CHIP funds. Repeat Finding: No Recommendation: HHSC should implement controls to ensure: Documentation is maintained for at least the length of the providers’ current enrollment period or three years, whichever is greater in accordance with 2 CFR 200.334. Provider licenses are verified during enrollment. Providers are re-enrolled at least once every five years. Provider agreements are obtained, and the proper disclosures are made. Providers are categorized according to risk level and pre- and post-enrollment site visits are conducted as required for those deemed moderate or high risk. Relevant federal databases are checked during initial enrollment and at least monthly for all providers currently enrolled in CHIP. Views of responsible officials: HHSC concurs with the finding.
Special Tests and Provisions – Provider Eligibility – Lack of Documentation Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Children’s Health Insurance Program ALN: 93.767 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 2105TX5021, 2205TX5021, 2305TX3002, 2305TX5021 October 1, 2020 – September 30, 2022, October 1, 2021 – September 30, 2023, October 1, 2022 – September 30, 2024 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance. Criteria or specific requirement: Per 2 CFR 200.303, a non-Federal entity must: Establish and maintain effective internal controls over federal awards that provide reasonable assurance they are managing federal awards in compliance with federal statutes, regulations, and the provisions of contracts or grant agreements that could have a material effect on each of its federal programs. Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In order to comply with federal provider eligibility requirements, HHSC must adhere to various subsections of 42 CFR Section 455 including but not limited to: § 455.104 – HHSC must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. Date of birth and Social Security Number (in the case of an individual). Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). § 455.105 – HHSC must enter into an agreement with each provider under which the provider agrees to furnish to it the following information related to business transactions within 35 days of request: The ownership of any subcontractor with whom the provider has had business transactions totaling more than $25,000 during the 12-month period ending on the date of the request; and Any significant business transactions between the provider and any wholly owned supplier, or between the provider and any subcontractor, during the 5-year period ending on the date of the request. § 455.106 – Before HHSC enters into or renews a provider agreement, or at any time upon written request by HHSC, the provider must disclose to HHSC the identity of any person who: Has ownership or control interest in the provider, or is an agent or managing employee of the provider; and Has been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the title XX services program since the inception of those programs. § 455.410 – HHSC must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. § 455.412 – HHSC must: Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. Confirm that the provider's license has not expired and that there are no current limitations on the provider's license. § 455.414 – HHSC must revalidate the enrollment of all providers regardless of provider type at least every five years. § 455.432 – HHSC must: Conduct pre-enrollment and post-enrollment site visits of providers who are designated as “moderate” or “high” categorical risks to the Medicaid program. Require any enrolled provider to permit CMS, its agents, its designated contractors, or HHSC to conduct unannounced on-site inspections of any and all provider locations. § 455.434 – HHSC must: Require providers to consent to criminal background checks including fingerprinting when required to do so under State law or by the level of screening based on risk of fraud, waste or abuse as determined for that category of provider. Establish categorical risk levels for providers and provider categories who pose an increased financial risk of fraud, waste or abuse to the Medicaid program. o Upon HHSC determining that a provider, or a person with a 5 percent or more direct or indirect ownership interest in the provider, meets HHSC's criteria hereunder for criminal background checks as a “high” risk to the Medicaid program, HHSC will require that each such provider or person submit fingerprints, in a form and manner to be determined by HHSC, within 30 days upon request from CMS or HHSC. § 455.436 – HHSC must confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. Upon enrollment and reenrollment, HHSC must check the Social Security Administration's Death Master File (SSADMF), the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. During the period the provider is enrolled, HHSC must check the LEIE and EPLS no less frequently than monthly. § 455.434 – HHSC must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of “limited,” “moderate,” or “high.” If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. Condition: Various departments within and contractors of HHSC are responsible for ensuring medical providers are properly licensed, screened, and enrolled in the Medicaid Program including Contract Administration and Provider Monitoring (CAPM), Access and Eligibility Services (AES), Procurement and Contracting Services, and the Texas Medicaid and Healthcare Partnership. Audit procedures included a review of 60 providers for CHIP, which resulted in one exception for the following: A copy of the completed application was not included in the file. Enrollment of the provider was not completed within the last 5 years. Verification of the provider’s license was not included in the file. Required information on ownership and control was not disclosed. Supporting documentation was not included in the file indicating the SSADMF database was checked at the time of the most recent enrollment. Supporting documentation was not included in the file indicating the NPPES database was checked at the time of the most recent enrollment. Supporting documentation was not included in the file indicating the LEIE database was checked at the time of the most recent enrollment. Supporting documentation was not included in the file indicating the EPLS database was checked at the time of the most recent enrollment. Supporting documentation was not included in the file indicating the provider was categorized during screening as limited, moderate, or high risk. A copy of the provider agreement was not included in the files. Supporting documentation was not included indicating a pre- or post-enrollment site visit was conducted as required for providers designated as moderate or high risk. Supporting documentation was not included indicating the provider disclosed the identity of any person who had been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the Title XX services program since the inception of those programs. Questioned costs: None. Context: See “Condition.” Cause: HHSC does not have adequate procedures in place to ensure required documentation is obtained and maintained to comply with federal provider eligibility requirements. Effect: Failure to obtain and maintain adequate documentation during the provider screening and enrollment process may result in otherwise ineligible or fraudulent providers receiving CHIP funds. Repeat Finding: No Recommendation: HHSC should implement controls to ensure: Documentation is maintained for at least the length of the providers’ current enrollment period or three years, whichever is greater in accordance with 2 CFR 200.334. Provider licenses are verified during enrollment. Providers are re-enrolled at least once every five years. Provider agreements are obtained, and the proper disclosures are made. Providers are categorized according to risk level and pre- and post-enrollment site visits are conducted as required for those deemed moderate or high risk. Relevant federal databases are checked during initial enrollment and at least monthly for all providers currently enrolled in CHIP. Views of responsible officials: HHSC concurs with the finding.
Special Tests and Provisions – Provider Eligibility – Lack of Documentation Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Medicaid Cluster ALN: 93.775, 93.777, 93.778 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: Medicaid Cluster 2205TX5ADM, 2205TX5MAP, 2205TXIMPL; 2305TX5ADM, 2305TX5MAP, 2305TXIMPL October 1, 2021 – September 30, 2022, October 1, 2022 – September 30, 2023 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria or specific requirement: Per 2 CFR 200.303, a non-Federal entity must: Establish and maintain effective internal controls over federal awards that provide reasonable assurance they are managing federal awards in compliance with federal statutes, regulations, and the provisions of contracts or grant agreements that could have a material effect on each of its federal programs. Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In order to comply with federal provider eligibility requirements, HHSC must adhere to various subsections of 42 CFR Section 455 including but not limited to: § 455.104 – HHSC must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. Date of birth and Social Security Number (in the case of an individual) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). § 455.105 – HHSC must enter into an agreement with each provider under which the provider agrees to furnish to it the following information related to business transactions within 35 days of request: The ownership of any subcontractor with whom the provider has had business transactions totaling more than $25,000 during the 12-month period ending on the date of the request; and Any significant business transactions between the provider and any wholly owned supplier, or between the provider and any subcontractor, during the 5-year period ending on the date of the request. § 455.106 – Before HHSC enters into or renews a provider agreement, or at any time upon written request by HHSC, the provider must disclose to HHSC the identity of any person who: Has ownership or control interest in the provider, or is an agent or managing employee of the provider; and Has been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the title XX services program since the inception of those programs. § 455.410 – HHSC must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. § 455.412 – HHSC must: Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. Confirm that the provider's license has not expired and that there are no current limitations on the provider's license. § 455.414 – HHSC must revalidate the enrollment of all providers regardless of provider type at least every five years. § 455.432 – HHSC must: Conduct pre-enrollment and post-enrollment site visits of providers who are designated as “moderate” or “high” categorical risks to the Medicaid program. Require any enrolled provider to permit CMS, its agents, its designated contractors, or HHSC to conduct unannounced on-site inspections of any and all provider locations. § 455.434 – HHSC must: Require providers to consent to criminal background checks including fingerprinting when required to do so under State law or by the level of screening based on risk of fraud, waste or abuse as determined for that category of provider. Establish categorical risk levels for providers and provider categories who pose an increased financial risk of fraud, waste or abuse to the Medicaid program. o Upon HHSC determining that a provider, or a person with a 5 percent or more direct or indirect ownership interest in the provider, meets HHSC's criteria hereunder for criminal background checks as a “high” risk to the Medicaid program, HHSC will require that each such provider or person submit fingerprints, in a form and manner to be determined by HHSC, within 30 days upon request from CMS or HHSC. § 455.436 – HHSC must confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. Upon enrollment and reenrollment, HHSC must check the Social Security Administration's Death Master File (SSADMF), the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. During the period the provider is enrolled, HHSC must check the LEIE and EPLS no less frequently than monthly. § 455.434 – HHSC must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of “limited,” “moderate,” or “high.” If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. Condition: Various departments within and contractors of HHSC are responsible for ensuring medical providers are properly licensed, screened, and enrolled in the Medicaid Program including Contract Administration and Provider Monitoring (CAPM), Access and Eligibility Services (AES), Procurement and Contracting Services, and the Texas Medicaid and Healthcare Partnership. Audit procedures included a review of 60 providers each for Medicaid, which resulted in the following (sampled exceptions noted in parentheses): A copy of the completed application was not included in the file. (9 providers) Enrollment of the provider was not completed within the last 5 years. (7 providers) Verification of the provider’s license was not included in the file. (7 providers) Required information on ownership and control was not disclosed. (11 providers) Supporting documentation was not included in the file indicating the provider consented to a criminal background check. (9 providers) Supporting documentation was not included in the file indicating the SSADMF database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the NPPES database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the LEIE database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the EPLS database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the provider was categorized during screening as limited, moderate, or high risk. (13 providers) A copy of the provider agreement was not included in the files. (13 providers) Supporting documentation was not included indicating a pre- or post-enrollment site visit was conducted as required for providers designated as moderate or high risk. (13 providers) Supporting documentation was not included indicating the provider disclosed the identity of any person who had been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the Title XX services program since the inception of those programs. (9 providers) Questioned costs: None. Context: See “Condition.” Cause: HHSC does not have adequate procedures in place to ensure required documentation is obtained and maintained to comply with federal provider eligibility requirements. Effect: Failure to obtain and maintain adequate documentation during the provider screening and enrollment process may result in otherwise ineligible or fraudulent providers receiving Medicaid funds. Repeat finding: 2022-014, 2021-008 Recommendation: HHSC should implement controls to ensure: Documentation is maintained for at least the length of the providers’ current enrollment period or three years, whichever is greater in accordance with 2 CFR 200.334. Provider licenses are verified during enrollment. Providers are re-enrolled at least once every five years. Provider agreements are obtained, and the proper disclosures are made. Providers are categorized according to risk level and pre- and post-enrollment site visits are conducted as required for those deemed moderate or high risk. Relevant federal databases are checked during initial enrollment and at least monthly for all providers currently enrolled in Medicaid. Views of responsible officials: HHSC concurs with this repeat finding.
Special Tests and Provisions – Provider Eligibility – Lack of Documentation Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Medicaid Cluster ALN: 93.775, 93.777, 93.778 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: Medicaid Cluster 2205TX5ADM, 2205TX5MAP, 2205TXIMPL; 2305TX5ADM, 2305TX5MAP, 2305TXIMPL October 1, 2021 – September 30, 2022, October 1, 2022 – September 30, 2023 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria or specific requirement: Per 2 CFR 200.303, a non-Federal entity must: Establish and maintain effective internal controls over federal awards that provide reasonable assurance they are managing federal awards in compliance with federal statutes, regulations, and the provisions of contracts or grant agreements that could have a material effect on each of its federal programs. Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In order to comply with federal provider eligibility requirements, HHSC must adhere to various subsections of 42 CFR Section 455 including but not limited to: § 455.104 – HHSC must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. Date of birth and Social Security Number (in the case of an individual) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). § 455.105 – HHSC must enter into an agreement with each provider under which the provider agrees to furnish to it the following information related to business transactions within 35 days of request: The ownership of any subcontractor with whom the provider has had business transactions totaling more than $25,000 during the 12-month period ending on the date of the request; and Any significant business transactions between the provider and any wholly owned supplier, or between the provider and any subcontractor, during the 5-year period ending on the date of the request. § 455.106 – Before HHSC enters into or renews a provider agreement, or at any time upon written request by HHSC, the provider must disclose to HHSC the identity of any person who: Has ownership or control interest in the provider, or is an agent or managing employee of the provider; and Has been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the title XX services program since the inception of those programs. § 455.410 – HHSC must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. § 455.412 – HHSC must: Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. Confirm that the provider's license has not expired and that there are no current limitations on the provider's license. § 455.414 – HHSC must revalidate the enrollment of all providers regardless of provider type at least every five years. § 455.432 – HHSC must: Conduct pre-enrollment and post-enrollment site visits of providers who are designated as “moderate” or “high” categorical risks to the Medicaid program. Require any enrolled provider to permit CMS, its agents, its designated contractors, or HHSC to conduct unannounced on-site inspections of any and all provider locations. § 455.434 – HHSC must: Require providers to consent to criminal background checks including fingerprinting when required to do so under State law or by the level of screening based on risk of fraud, waste or abuse as determined for that category of provider. Establish categorical risk levels for providers and provider categories who pose an increased financial risk of fraud, waste or abuse to the Medicaid program. o Upon HHSC determining that a provider, or a person with a 5 percent or more direct or indirect ownership interest in the provider, meets HHSC's criteria hereunder for criminal background checks as a “high” risk to the Medicaid program, HHSC will require that each such provider or person submit fingerprints, in a form and manner to be determined by HHSC, within 30 days upon request from CMS or HHSC. § 455.436 – HHSC must confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. Upon enrollment and reenrollment, HHSC must check the Social Security Administration's Death Master File (SSADMF), the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. During the period the provider is enrolled, HHSC must check the LEIE and EPLS no less frequently than monthly. § 455.434 – HHSC must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of “limited,” “moderate,” or “high.” If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. Condition: Various departments within and contractors of HHSC are responsible for ensuring medical providers are properly licensed, screened, and enrolled in the Medicaid Program including Contract Administration and Provider Monitoring (CAPM), Access and Eligibility Services (AES), Procurement and Contracting Services, and the Texas Medicaid and Healthcare Partnership. Audit procedures included a review of 60 providers each for Medicaid, which resulted in the following (sampled exceptions noted in parentheses): A copy of the completed application was not included in the file. (9 providers) Enrollment of the provider was not completed within the last 5 years. (7 providers) Verification of the provider’s license was not included in the file. (7 providers) Required information on ownership and control was not disclosed. (11 providers) Supporting documentation was not included in the file indicating the provider consented to a criminal background check. (9 providers) Supporting documentation was not included in the file indicating the SSADMF database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the NPPES database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the LEIE database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the EPLS database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the provider was categorized during screening as limited, moderate, or high risk. (13 providers) A copy of the provider agreement was not included in the files. (13 providers) Supporting documentation was not included indicating a pre- or post-enrollment site visit was conducted as required for providers designated as moderate or high risk. (13 providers) Supporting documentation was not included indicating the provider disclosed the identity of any person who had been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the Title XX services program since the inception of those programs. (9 providers) Questioned costs: None. Context: See “Condition.” Cause: HHSC does not have adequate procedures in place to ensure required documentation is obtained and maintained to comply with federal provider eligibility requirements. Effect: Failure to obtain and maintain adequate documentation during the provider screening and enrollment process may result in otherwise ineligible or fraudulent providers receiving Medicaid funds. Repeat finding: 2022-014, 2021-008 Recommendation: HHSC should implement controls to ensure: Documentation is maintained for at least the length of the providers’ current enrollment period or three years, whichever is greater in accordance with 2 CFR 200.334. Provider licenses are verified during enrollment. Providers are re-enrolled at least once every five years. Provider agreements are obtained, and the proper disclosures are made. Providers are categorized according to risk level and pre- and post-enrollment site visits are conducted as required for those deemed moderate or high risk. Relevant federal databases are checked during initial enrollment and at least monthly for all providers currently enrolled in Medicaid. Views of responsible officials: HHSC concurs with this repeat finding.
Special Tests and Provisions – Provider Eligibility – Lack of Documentation Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Medicaid Cluster ALN: 93.775, 93.777, 93.778 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: Medicaid Cluster 2205TX5ADM, 2205TX5MAP, 2205TXIMPL; 2305TX5ADM, 2305TX5MAP, 2305TXIMPL October 1, 2021 – September 30, 2022, October 1, 2022 – September 30, 2023 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria or specific requirement: Per 2 CFR 200.303, a non-Federal entity must: Establish and maintain effective internal controls over federal awards that provide reasonable assurance they are managing federal awards in compliance with federal statutes, regulations, and the provisions of contracts or grant agreements that could have a material effect on each of its federal programs. Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In order to comply with federal provider eligibility requirements, HHSC must adhere to various subsections of 42 CFR Section 455 including but not limited to: § 455.104 – HHSC must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. Date of birth and Social Security Number (in the case of an individual) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). § 455.105 – HHSC must enter into an agreement with each provider under which the provider agrees to furnish to it the following information related to business transactions within 35 days of request: The ownership of any subcontractor with whom the provider has had business transactions totaling more than $25,000 during the 12-month period ending on the date of the request; and Any significant business transactions between the provider and any wholly owned supplier, or between the provider and any subcontractor, during the 5-year period ending on the date of the request. § 455.106 – Before HHSC enters into or renews a provider agreement, or at any time upon written request by HHSC, the provider must disclose to HHSC the identity of any person who: Has ownership or control interest in the provider, or is an agent or managing employee of the provider; and Has been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the title XX services program since the inception of those programs. § 455.410 – HHSC must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. § 455.412 – HHSC must: Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. Confirm that the provider's license has not expired and that there are no current limitations on the provider's license. § 455.414 – HHSC must revalidate the enrollment of all providers regardless of provider type at least every five years. § 455.432 – HHSC must: Conduct pre-enrollment and post-enrollment site visits of providers who are designated as “moderate” or “high” categorical risks to the Medicaid program. Require any enrolled provider to permit CMS, its agents, its designated contractors, or HHSC to conduct unannounced on-site inspections of any and all provider locations. § 455.434 – HHSC must: Require providers to consent to criminal background checks including fingerprinting when required to do so under State law or by the level of screening based on risk of fraud, waste or abuse as determined for that category of provider. Establish categorical risk levels for providers and provider categories who pose an increased financial risk of fraud, waste or abuse to the Medicaid program. o Upon HHSC determining that a provider, or a person with a 5 percent or more direct or indirect ownership interest in the provider, meets HHSC's criteria hereunder for criminal background checks as a “high” risk to the Medicaid program, HHSC will require that each such provider or person submit fingerprints, in a form and manner to be determined by HHSC, within 30 days upon request from CMS or HHSC. § 455.436 – HHSC must confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. Upon enrollment and reenrollment, HHSC must check the Social Security Administration's Death Master File (SSADMF), the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. During the period the provider is enrolled, HHSC must check the LEIE and EPLS no less frequently than monthly. § 455.434 – HHSC must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of “limited,” “moderate,” or “high.” If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. Condition: Various departments within and contractors of HHSC are responsible for ensuring medical providers are properly licensed, screened, and enrolled in the Medicaid Program including Contract Administration and Provider Monitoring (CAPM), Access and Eligibility Services (AES), Procurement and Contracting Services, and the Texas Medicaid and Healthcare Partnership. Audit procedures included a review of 60 providers each for Medicaid, which resulted in the following (sampled exceptions noted in parentheses): A copy of the completed application was not included in the file. (9 providers) Enrollment of the provider was not completed within the last 5 years. (7 providers) Verification of the provider’s license was not included in the file. (7 providers) Required information on ownership and control was not disclosed. (11 providers) Supporting documentation was not included in the file indicating the provider consented to a criminal background check. (9 providers) Supporting documentation was not included in the file indicating the SSADMF database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the NPPES database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the LEIE database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the EPLS database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the provider was categorized during screening as limited, moderate, or high risk. (13 providers) A copy of the provider agreement was not included in the files. (13 providers) Supporting documentation was not included indicating a pre- or post-enrollment site visit was conducted as required for providers designated as moderate or high risk. (13 providers) Supporting documentation was not included indicating the provider disclosed the identity of any person who had been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the Title XX services program since the inception of those programs. (9 providers) Questioned costs: None. Context: See “Condition.” Cause: HHSC does not have adequate procedures in place to ensure required documentation is obtained and maintained to comply with federal provider eligibility requirements. Effect: Failure to obtain and maintain adequate documentation during the provider screening and enrollment process may result in otherwise ineligible or fraudulent providers receiving Medicaid funds. Repeat finding: 2022-014, 2021-008 Recommendation: HHSC should implement controls to ensure: Documentation is maintained for at least the length of the providers’ current enrollment period or three years, whichever is greater in accordance with 2 CFR 200.334. Provider licenses are verified during enrollment. Providers are re-enrolled at least once every five years. Provider agreements are obtained, and the proper disclosures are made. Providers are categorized according to risk level and pre- and post-enrollment site visits are conducted as required for those deemed moderate or high risk. Relevant federal databases are checked during initial enrollment and at least monthly for all providers currently enrolled in Medicaid. Views of responsible officials: HHSC concurs with this repeat finding.
Special Tests and Provisions – Provider Eligibility – Lack of Documentation Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Medicaid Cluster ALN: 93.775, 93.777, 93.778 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: Medicaid Cluster 2205TX5ADM, 2205TX5MAP, 2205TXIMPL; 2305TX5ADM, 2305TX5MAP, 2305TXIMPL October 1, 2021 – September 30, 2022, October 1, 2022 – September 30, 2023 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria or specific requirement: Per 2 CFR 200.303, a non-Federal entity must: Establish and maintain effective internal controls over federal awards that provide reasonable assurance they are managing federal awards in compliance with federal statutes, regulations, and the provisions of contracts or grant agreements that could have a material effect on each of its federal programs. Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In order to comply with federal provider eligibility requirements, HHSC must adhere to various subsections of 42 CFR Section 455 including but not limited to: § 455.104 – HHSC must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. Date of birth and Social Security Number (in the case of an individual) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). § 455.105 – HHSC must enter into an agreement with each provider under which the provider agrees to furnish to it the following information related to business transactions within 35 days of request: The ownership of any subcontractor with whom the provider has had business transactions totaling more than $25,000 during the 12-month period ending on the date of the request; and Any significant business transactions between the provider and any wholly owned supplier, or between the provider and any subcontractor, during the 5-year period ending on the date of the request. § 455.106 – Before HHSC enters into or renews a provider agreement, or at any time upon written request by HHSC, the provider must disclose to HHSC the identity of any person who: Has ownership or control interest in the provider, or is an agent or managing employee of the provider; and Has been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the title XX services program since the inception of those programs. § 455.410 – HHSC must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. § 455.412 – HHSC must: Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. Confirm that the provider's license has not expired and that there are no current limitations on the provider's license. § 455.414 – HHSC must revalidate the enrollment of all providers regardless of provider type at least every five years. § 455.432 – HHSC must: Conduct pre-enrollment and post-enrollment site visits of providers who are designated as “moderate” or “high” categorical risks to the Medicaid program. Require any enrolled provider to permit CMS, its agents, its designated contractors, or HHSC to conduct unannounced on-site inspections of any and all provider locations. § 455.434 – HHSC must: Require providers to consent to criminal background checks including fingerprinting when required to do so under State law or by the level of screening based on risk of fraud, waste or abuse as determined for that category of provider. Establish categorical risk levels for providers and provider categories who pose an increased financial risk of fraud, waste or abuse to the Medicaid program. o Upon HHSC determining that a provider, or a person with a 5 percent or more direct or indirect ownership interest in the provider, meets HHSC's criteria hereunder for criminal background checks as a “high” risk to the Medicaid program, HHSC will require that each such provider or person submit fingerprints, in a form and manner to be determined by HHSC, within 30 days upon request from CMS or HHSC. § 455.436 – HHSC must confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. Upon enrollment and reenrollment, HHSC must check the Social Security Administration's Death Master File (SSADMF), the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. During the period the provider is enrolled, HHSC must check the LEIE and EPLS no less frequently than monthly. § 455.434 – HHSC must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of “limited,” “moderate,” or “high.” If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. Condition: Various departments within and contractors of HHSC are responsible for ensuring medical providers are properly licensed, screened, and enrolled in the Medicaid Program including Contract Administration and Provider Monitoring (CAPM), Access and Eligibility Services (AES), Procurement and Contracting Services, and the Texas Medicaid and Healthcare Partnership. Audit procedures included a review of 60 providers each for Medicaid, which resulted in the following (sampled exceptions noted in parentheses): A copy of the completed application was not included in the file. (9 providers) Enrollment of the provider was not completed within the last 5 years. (7 providers) Verification of the provider’s license was not included in the file. (7 providers) Required information on ownership and control was not disclosed. (11 providers) Supporting documentation was not included in the file indicating the provider consented to a criminal background check. (9 providers) Supporting documentation was not included in the file indicating the SSADMF database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the NPPES database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the LEIE database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the EPLS database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the provider was categorized during screening as limited, moderate, or high risk. (13 providers) A copy of the provider agreement was not included in the files. (13 providers) Supporting documentation was not included indicating a pre- or post-enrollment site visit was conducted as required for providers designated as moderate or high risk. (13 providers) Supporting documentation was not included indicating the provider disclosed the identity of any person who had been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the Title XX services program since the inception of those programs. (9 providers) Questioned costs: None. Context: See “Condition.” Cause: HHSC does not have adequate procedures in place to ensure required documentation is obtained and maintained to comply with federal provider eligibility requirements. Effect: Failure to obtain and maintain adequate documentation during the provider screening and enrollment process may result in otherwise ineligible or fraudulent providers receiving Medicaid funds. Repeat finding: 2022-014, 2021-008 Recommendation: HHSC should implement controls to ensure: Documentation is maintained for at least the length of the providers’ current enrollment period or three years, whichever is greater in accordance with 2 CFR 200.334. Provider licenses are verified during enrollment. Providers are re-enrolled at least once every five years. Provider agreements are obtained, and the proper disclosures are made. Providers are categorized according to risk level and pre- and post-enrollment site visits are conducted as required for those deemed moderate or high risk. Relevant federal databases are checked during initial enrollment and at least monthly for all providers currently enrolled in Medicaid. Views of responsible officials: HHSC concurs with this repeat finding.
Special Tests and Provisions – Provider Eligibility – Lack of Documentation Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Medicaid Cluster ALN: 93.775, 93.777, 93.778 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: Medicaid Cluster 2205TX5ADM, 2205TX5MAP, 2205TXIMPL; 2305TX5ADM, 2305TX5MAP, 2305TXIMPL October 1, 2021 – September 30, 2022, October 1, 2022 – September 30, 2023 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria or specific requirement: Per 2 CFR 200.303, a non-Federal entity must: Establish and maintain effective internal controls over federal awards that provide reasonable assurance they are managing federal awards in compliance with federal statutes, regulations, and the provisions of contracts or grant agreements that could have a material effect on each of its federal programs. Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In order to comply with federal provider eligibility requirements, HHSC must adhere to various subsections of 42 CFR Section 455 including but not limited to: § 455.104 – HHSC must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. Date of birth and Social Security Number (in the case of an individual) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). § 455.105 – HHSC must enter into an agreement with each provider under which the provider agrees to furnish to it the following information related to business transactions within 35 days of request: The ownership of any subcontractor with whom the provider has had business transactions totaling more than $25,000 during the 12-month period ending on the date of the request; and Any significant business transactions between the provider and any wholly owned supplier, or between the provider and any subcontractor, during the 5-year period ending on the date of the request. § 455.106 – Before HHSC enters into or renews a provider agreement, or at any time upon written request by HHSC, the provider must disclose to HHSC the identity of any person who: Has ownership or control interest in the provider, or is an agent or managing employee of the provider; and Has been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the title XX services program since the inception of those programs. § 455.410 – HHSC must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. § 455.412 – HHSC must: Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. Confirm that the provider's license has not expired and that there are no current limitations on the provider's license. § 455.414 – HHSC must revalidate the enrollment of all providers regardless of provider type at least every five years. § 455.432 – HHSC must: Conduct pre-enrollment and post-enrollment site visits of providers who are designated as “moderate” or “high” categorical risks to the Medicaid program. Require any enrolled provider to permit CMS, its agents, its designated contractors, or HHSC to conduct unannounced on-site inspections of any and all provider locations. § 455.434 – HHSC must: Require providers to consent to criminal background checks including fingerprinting when required to do so under State law or by the level of screening based on risk of fraud, waste or abuse as determined for that category of provider. Establish categorical risk levels for providers and provider categories who pose an increased financial risk of fraud, waste or abuse to the Medicaid program. o Upon HHSC determining that a provider, or a person with a 5 percent or more direct or indirect ownership interest in the provider, meets HHSC's criteria hereunder for criminal background checks as a “high” risk to the Medicaid program, HHSC will require that each such provider or person submit fingerprints, in a form and manner to be determined by HHSC, within 30 days upon request from CMS or HHSC. § 455.436 – HHSC must confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. Upon enrollment and reenrollment, HHSC must check the Social Security Administration's Death Master File (SSADMF), the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. During the period the provider is enrolled, HHSC must check the LEIE and EPLS no less frequently than monthly. § 455.434 – HHSC must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of “limited,” “moderate,” or “high.” If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. Condition: Various departments within and contractors of HHSC are responsible for ensuring medical providers are properly licensed, screened, and enrolled in the Medicaid Program including Contract Administration and Provider Monitoring (CAPM), Access and Eligibility Services (AES), Procurement and Contracting Services, and the Texas Medicaid and Healthcare Partnership. Audit procedures included a review of 60 providers each for Medicaid, which resulted in the following (sampled exceptions noted in parentheses): A copy of the completed application was not included in the file. (9 providers) Enrollment of the provider was not completed within the last 5 years. (7 providers) Verification of the provider’s license was not included in the file. (7 providers) Required information on ownership and control was not disclosed. (11 providers) Supporting documentation was not included in the file indicating the provider consented to a criminal background check. (9 providers) Supporting documentation was not included in the file indicating the SSADMF database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the NPPES database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the LEIE database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the EPLS database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the provider was categorized during screening as limited, moderate, or high risk. (13 providers) A copy of the provider agreement was not included in the files. (13 providers) Supporting documentation was not included indicating a pre- or post-enrollment site visit was conducted as required for providers designated as moderate or high risk. (13 providers) Supporting documentation was not included indicating the provider disclosed the identity of any person who had been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the Title XX services program since the inception of those programs. (9 providers) Questioned costs: None. Context: See “Condition.” Cause: HHSC does not have adequate procedures in place to ensure required documentation is obtained and maintained to comply with federal provider eligibility requirements. Effect: Failure to obtain and maintain adequate documentation during the provider screening and enrollment process may result in otherwise ineligible or fraudulent providers receiving Medicaid funds. Repeat finding: 2022-014, 2021-008 Recommendation: HHSC should implement controls to ensure: Documentation is maintained for at least the length of the providers’ current enrollment period or three years, whichever is greater in accordance with 2 CFR 200.334. Provider licenses are verified during enrollment. Providers are re-enrolled at least once every five years. Provider agreements are obtained, and the proper disclosures are made. Providers are categorized according to risk level and pre- and post-enrollment site visits are conducted as required for those deemed moderate or high risk. Relevant federal databases are checked during initial enrollment and at least monthly for all providers currently enrolled in Medicaid. Views of responsible officials: HHSC concurs with this repeat finding.
Special Tests and Provisions – Provider Eligibility – Lack of Documentation Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Medicaid Cluster ALN: 93.775, 93.777, 93.778 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: Medicaid Cluster 2205TX5ADM, 2205TX5MAP, 2205TXIMPL; 2305TX5ADM, 2305TX5MAP, 2305TXIMPL October 1, 2021 – September 30, 2022, October 1, 2022 – September 30, 2023 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria or specific requirement: Per 2 CFR 200.303, a non-Federal entity must: Establish and maintain effective internal controls over federal awards that provide reasonable assurance they are managing federal awards in compliance with federal statutes, regulations, and the provisions of contracts or grant agreements that could have a material effect on each of its federal programs. Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In order to comply with federal provider eligibility requirements, HHSC must adhere to various subsections of 42 CFR Section 455 including but not limited to: § 455.104 – HHSC must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. Date of birth and Social Security Number (in the case of an individual) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). § 455.105 – HHSC must enter into an agreement with each provider under which the provider agrees to furnish to it the following information related to business transactions within 35 days of request: The ownership of any subcontractor with whom the provider has had business transactions totaling more than $25,000 during the 12-month period ending on the date of the request; and Any significant business transactions between the provider and any wholly owned supplier, or between the provider and any subcontractor, during the 5-year period ending on the date of the request. § 455.106 – Before HHSC enters into or renews a provider agreement, or at any time upon written request by HHSC, the provider must disclose to HHSC the identity of any person who: Has ownership or control interest in the provider, or is an agent or managing employee of the provider; and Has been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the title XX services program since the inception of those programs. § 455.410 – HHSC must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. § 455.412 – HHSC must: Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. Confirm that the provider's license has not expired and that there are no current limitations on the provider's license. § 455.414 – HHSC must revalidate the enrollment of all providers regardless of provider type at least every five years. § 455.432 – HHSC must: Conduct pre-enrollment and post-enrollment site visits of providers who are designated as “moderate” or “high” categorical risks to the Medicaid program. Require any enrolled provider to permit CMS, its agents, its designated contractors, or HHSC to conduct unannounced on-site inspections of any and all provider locations. § 455.434 – HHSC must: Require providers to consent to criminal background checks including fingerprinting when required to do so under State law or by the level of screening based on risk of fraud, waste or abuse as determined for that category of provider. Establish categorical risk levels for providers and provider categories who pose an increased financial risk of fraud, waste or abuse to the Medicaid program. o Upon HHSC determining that a provider, or a person with a 5 percent or more direct or indirect ownership interest in the provider, meets HHSC's criteria hereunder for criminal background checks as a “high” risk to the Medicaid program, HHSC will require that each such provider or person submit fingerprints, in a form and manner to be determined by HHSC, within 30 days upon request from CMS or HHSC. § 455.436 – HHSC must confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. Upon enrollment and reenrollment, HHSC must check the Social Security Administration's Death Master File (SSADMF), the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. During the period the provider is enrolled, HHSC must check the LEIE and EPLS no less frequently than monthly. § 455.434 – HHSC must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of “limited,” “moderate,” or “high.” If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. Condition: Various departments within and contractors of HHSC are responsible for ensuring medical providers are properly licensed, screened, and enrolled in the Medicaid Program including Contract Administration and Provider Monitoring (CAPM), Access and Eligibility Services (AES), Procurement and Contracting Services, and the Texas Medicaid and Healthcare Partnership. Audit procedures included a review of 60 providers each for Medicaid, which resulted in the following (sampled exceptions noted in parentheses): A copy of the completed application was not included in the file. (9 providers) Enrollment of the provider was not completed within the last 5 years. (7 providers) Verification of the provider’s license was not included in the file. (7 providers) Required information on ownership and control was not disclosed. (11 providers) Supporting documentation was not included in the file indicating the provider consented to a criminal background check. (9 providers) Supporting documentation was not included in the file indicating the SSADMF database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the NPPES database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the LEIE database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the EPLS database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the provider was categorized during screening as limited, moderate, or high risk. (13 providers) A copy of the provider agreement was not included in the files. (13 providers) Supporting documentation was not included indicating a pre- or post-enrollment site visit was conducted as required for providers designated as moderate or high risk. (13 providers) Supporting documentation was not included indicating the provider disclosed the identity of any person who had been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the Title XX services program since the inception of those programs. (9 providers) Questioned costs: None. Context: See “Condition.” Cause: HHSC does not have adequate procedures in place to ensure required documentation is obtained and maintained to comply with federal provider eligibility requirements. Effect: Failure to obtain and maintain adequate documentation during the provider screening and enrollment process may result in otherwise ineligible or fraudulent providers receiving Medicaid funds. Repeat finding: 2022-014, 2021-008 Recommendation: HHSC should implement controls to ensure: Documentation is maintained for at least the length of the providers’ current enrollment period or three years, whichever is greater in accordance with 2 CFR 200.334. Provider licenses are verified during enrollment. Providers are re-enrolled at least once every five years. Provider agreements are obtained, and the proper disclosures are made. Providers are categorized according to risk level and pre- and post-enrollment site visits are conducted as required for those deemed moderate or high risk. Relevant federal databases are checked during initial enrollment and at least monthly for all providers currently enrolled in Medicaid. Views of responsible officials: HHSC concurs with this repeat finding.
Activities Allowed or Unallowed, Allowable Costs/Cost Principles Federal Agency: U.S. Department of the Treasury Federal Program Title: Coronavirus State and Local Fiscal Recovery Funds ALN: 21.027 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: SLT – 8809: Project Name: HHSC Section 33; HHSC Section 12: Rural Hospitals, HHSC Section 22: Sunrise Canyon Hospital November 8, 2021 – December 31, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In the 2021 Texas Senate Bill 8, HHSC was appropriated money in various sections of the bill received by Texas from the Coronavirus State Fiscal Recovery Fund for the following purposes related to costs incurred during the period beginning October 8, 2021, and ending November 8, 2023, due to the coronavirus pandemic: Section 11(a) – funding for the construction of a state hospital in Dallas, Texas. Section 12 – funding for grants to support rural hospitals that have been affected by the COVID-19 pandemic. Section 13 – funding for the creation of a consolidated internet portal for Medicaid and the Children’s Health Insurance Program medical services provider data. Section 14 – funding for technology updates to the Medicaid eligibility computer system. Section 15 – funding for COVID-19 related expenses incurred by the Texas Civil Commitment Office related to consumable supplies and travel. Section 22 – funding for the expansion of capacity of Sunrise Canyon Hospital. Section 33 – funding to administer one-time grants related to providing critical staffing needs resulting from frontline healthcare workers affected by COVID-19, including recruitment and retention bonuses for staff. Condition: Audit procedures included a selection of 60 sampled expenditures totaling $143,092,786 incurred during the fiscal year to test allowability with the grant awards. We noted that for 48 out of the 60 samples totaling $9,600,062, the agency did not obtain supporting documentation from the vendor to verify that the amounts advanced to the vendor were expended on allowable costs. We were unable to substantiate the amounts expended by the vendor and allowability of those expenditures in accordance with the relevant Senate Bill 8 section and the Department of the Treasury Final Rule. Questioned costs: $9,600,062. Context: See “Condition.” Cause: HHSC is not fully monitoring the use of program funds through collection, review, and maintenance of invoices supporting the expenditures. Effect: Failure to maintain adequate documentation pertinent to a federal award may result in noncompliance with grant terms and conditions. Repeat finding: No Recommendation: HHSC should implement policies and procedures to ensure documentation is maintained for a period of at least three years from the date of submission of the final expenditure report for the grant in accordance with 2 CFR 200.334. Views of responsible officials: HHSC concurs with the finding.
Activities Allowed or Unallowed, Allowable Costs/Cost Principles Federal Agency: U.S. Department of the Treasury Federal Program Title: Coronavirus State and Local Fiscal Recovery Funds ALN: 21.027 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: SLT – 8809: Project Name: HHSC Section 33; HHSC Section 12: Rural Hospitals, HHSC Section 22: Sunrise Canyon Hospital November 8, 2021 – December 31, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In the 2021 Texas Senate Bill 8, HHSC was appropriated money in various sections of the bill received by Texas from the Coronavirus State Fiscal Recovery Fund for the following purposes related to costs incurred during the period beginning October 8, 2021, and ending November 8, 2023, due to the coronavirus pandemic: Section 11(a) – funding for the construction of a state hospital in Dallas, Texas. Section 12 – funding for grants to support rural hospitals that have been affected by the COVID-19 pandemic. Section 13 – funding for the creation of a consolidated internet portal for Medicaid and the Children’s Health Insurance Program medical services provider data. Section 14 – funding for technology updates to the Medicaid eligibility computer system. Section 15 – funding for COVID-19 related expenses incurred by the Texas Civil Commitment Office related to consumable supplies and travel. Section 22 – funding for the expansion of capacity of Sunrise Canyon Hospital. Section 33 – funding to administer one-time grants related to providing critical staffing needs resulting from frontline healthcare workers affected by COVID-19, including recruitment and retention bonuses for staff. Condition: Audit procedures included a selection of 60 sampled expenditures totaling $143,092,786 incurred during the fiscal year to test allowability with the grant awards. We noted that for 48 out of the 60 samples totaling $9,600,062, the agency did not obtain supporting documentation from the vendor to verify that the amounts advanced to the vendor were expended on allowable costs. We were unable to substantiate the amounts expended by the vendor and allowability of those expenditures in accordance with the relevant Senate Bill 8 section and the Department of the Treasury Final Rule. Questioned costs: $9,600,062. Context: See “Condition.” Cause: HHSC is not fully monitoring the use of program funds through collection, review, and maintenance of invoices supporting the expenditures. Effect: Failure to maintain adequate documentation pertinent to a federal award may result in noncompliance with grant terms and conditions. Repeat finding: No Recommendation: HHSC should implement policies and procedures to ensure documentation is maintained for a period of at least three years from the date of submission of the final expenditure report for the grant in accordance with 2 CFR 200.334. Views of responsible officials: HHSC concurs with the finding.
Activities Allowed or Unallowed, Allowable Costs/Cost Principles Federal Agency: U.S. Department of the Treasury Federal Program Title: Coronavirus State and Local Fiscal Recovery Funds ALN: 21.027 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: SLT – 8809: Project Name: HHSC Section 33; HHSC Section 12: Rural Hospitals, HHSC Section 22: Sunrise Canyon Hospital November 8, 2021 – December 31, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In the 2021 Texas Senate Bill 8, HHSC was appropriated money in various sections of the bill received by Texas from the Coronavirus State Fiscal Recovery Fund for the following purposes related to costs incurred during the period beginning October 8, 2021, and ending November 8, 2023, due to the coronavirus pandemic: Section 11(a) – funding for the construction of a state hospital in Dallas, Texas. Section 12 – funding for grants to support rural hospitals that have been affected by the COVID-19 pandemic. Section 13 – funding for the creation of a consolidated internet portal for Medicaid and the Children’s Health Insurance Program medical services provider data. Section 14 – funding for technology updates to the Medicaid eligibility computer system. Section 15 – funding for COVID-19 related expenses incurred by the Texas Civil Commitment Office related to consumable supplies and travel. Section 22 – funding for the expansion of capacity of Sunrise Canyon Hospital. Section 33 – funding to administer one-time grants related to providing critical staffing needs resulting from frontline healthcare workers affected by COVID-19, including recruitment and retention bonuses for staff. Condition: Audit procedures included a selection of 60 sampled expenditures totaling $143,092,786 incurred during the fiscal year to test allowability with the grant awards. We noted that for 48 out of the 60 samples totaling $9,600,062, the agency did not obtain supporting documentation from the vendor to verify that the amounts advanced to the vendor were expended on allowable costs. We were unable to substantiate the amounts expended by the vendor and allowability of those expenditures in accordance with the relevant Senate Bill 8 section and the Department of the Treasury Final Rule. Questioned costs: $9,600,062. Context: See “Condition.” Cause: HHSC is not fully monitoring the use of program funds through collection, review, and maintenance of invoices supporting the expenditures. Effect: Failure to maintain adequate documentation pertinent to a federal award may result in noncompliance with grant terms and conditions. Repeat finding: No Recommendation: HHSC should implement policies and procedures to ensure documentation is maintained for a period of at least three years from the date of submission of the final expenditure report for the grant in accordance with 2 CFR 200.334. Views of responsible officials: HHSC concurs with the finding.
Activities Allowed or Unallowed, Allowable Costs/Cost Principles Federal Agency: U.S. Department of the Treasury Federal Program Title: Coronavirus State and Local Fiscal Recovery Funds ALN: 21.027 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: SLT – 8809: Project Name: HHSC Section 33; HHSC Section 12: Rural Hospitals, HHSC Section 22: Sunrise Canyon Hospital November 8, 2021 – December 31, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In the 2021 Texas Senate Bill 8, HHSC was appropriated money in various sections of the bill received by Texas from the Coronavirus State Fiscal Recovery Fund for the following purposes related to costs incurred during the period beginning October 8, 2021, and ending November 8, 2023, due to the coronavirus pandemic: Section 11(a) – funding for the construction of a state hospital in Dallas, Texas. Section 12 – funding for grants to support rural hospitals that have been affected by the COVID-19 pandemic. Section 13 – funding for the creation of a consolidated internet portal for Medicaid and the Children’s Health Insurance Program medical services provider data. Section 14 – funding for technology updates to the Medicaid eligibility computer system. Section 15 – funding for COVID-19 related expenses incurred by the Texas Civil Commitment Office related to consumable supplies and travel. Section 22 – funding for the expansion of capacity of Sunrise Canyon Hospital. Section 33 – funding to administer one-time grants related to providing critical staffing needs resulting from frontline healthcare workers affected by COVID-19, including recruitment and retention bonuses for staff. Condition: Audit procedures included a selection of 60 sampled expenditures totaling $143,092,786 incurred during the fiscal year to test allowability with the grant awards. We noted that for 48 out of the 60 samples totaling $9,600,062, the agency did not obtain supporting documentation from the vendor to verify that the amounts advanced to the vendor were expended on allowable costs. We were unable to substantiate the amounts expended by the vendor and allowability of those expenditures in accordance with the relevant Senate Bill 8 section and the Department of the Treasury Final Rule. Questioned costs: $9,600,062. Context: See “Condition.” Cause: HHSC is not fully monitoring the use of program funds through collection, review, and maintenance of invoices supporting the expenditures. Effect: Failure to maintain adequate documentation pertinent to a federal award may result in noncompliance with grant terms and conditions. Repeat finding: No Recommendation: HHSC should implement policies and procedures to ensure documentation is maintained for a period of at least three years from the date of submission of the final expenditure report for the grant in accordance with 2 CFR 200.334. Views of responsible officials: HHSC concurs with the finding.
Activities Allowed or Unallowed, Allowable Costs/Cost Principles Federal Agency: U.S. Department of the Treasury Federal Program Title: Coronavirus State and Local Fiscal Recovery Funds ALN: 21.027 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: SLT – 8809: Project Name: HHSC Section 33; HHSC Section 12: Rural Hospitals, HHSC Section 22: Sunrise Canyon Hospital November 8, 2021 – December 31, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In the 2021 Texas Senate Bill 8, HHSC was appropriated money in various sections of the bill received by Texas from the Coronavirus State Fiscal Recovery Fund for the following purposes related to costs incurred during the period beginning October 8, 2021, and ending November 8, 2023, due to the coronavirus pandemic: Section 11(a) – funding for the construction of a state hospital in Dallas, Texas. Section 12 – funding for grants to support rural hospitals that have been affected by the COVID-19 pandemic. Section 13 – funding for the creation of a consolidated internet portal for Medicaid and the Children’s Health Insurance Program medical services provider data. Section 14 – funding for technology updates to the Medicaid eligibility computer system. Section 15 – funding for COVID-19 related expenses incurred by the Texas Civil Commitment Office related to consumable supplies and travel. Section 22 – funding for the expansion of capacity of Sunrise Canyon Hospital. Section 33 – funding to administer one-time grants related to providing critical staffing needs resulting from frontline healthcare workers affected by COVID-19, including recruitment and retention bonuses for staff. Condition: Audit procedures included a selection of 60 sampled expenditures totaling $143,092,786 incurred during the fiscal year to test allowability with the grant awards. We noted that for 48 out of the 60 samples totaling $9,600,062, the agency did not obtain supporting documentation from the vendor to verify that the amounts advanced to the vendor were expended on allowable costs. We were unable to substantiate the amounts expended by the vendor and allowability of those expenditures in accordance with the relevant Senate Bill 8 section and the Department of the Treasury Final Rule. Questioned costs: $9,600,062. Context: See “Condition.” Cause: HHSC is not fully monitoring the use of program funds through collection, review, and maintenance of invoices supporting the expenditures. Effect: Failure to maintain adequate documentation pertinent to a federal award may result in noncompliance with grant terms and conditions. Repeat finding: No Recommendation: HHSC should implement policies and procedures to ensure documentation is maintained for a period of at least three years from the date of submission of the final expenditure report for the grant in accordance with 2 CFR 200.334. Views of responsible officials: HHSC concurs with the finding.
Activities Allowed or Unallowed, Allowable Costs/Cost Principles Federal Agency: U.S. Department of the Treasury Federal Program Title: Coronavirus State and Local Fiscal Recovery Funds ALN: 21.027 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: SLT – 8809: Project Name: HHSC Section 33; HHSC Section 12: Rural Hospitals, HHSC Section 22: Sunrise Canyon Hospital November 8, 2021 – December 31, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In the 2021 Texas Senate Bill 8, HHSC was appropriated money in various sections of the bill received by Texas from the Coronavirus State Fiscal Recovery Fund for the following purposes related to costs incurred during the period beginning October 8, 2021, and ending November 8, 2023, due to the coronavirus pandemic: Section 11(a) – funding for the construction of a state hospital in Dallas, Texas. Section 12 – funding for grants to support rural hospitals that have been affected by the COVID-19 pandemic. Section 13 – funding for the creation of a consolidated internet portal for Medicaid and the Children’s Health Insurance Program medical services provider data. Section 14 – funding for technology updates to the Medicaid eligibility computer system. Section 15 – funding for COVID-19 related expenses incurred by the Texas Civil Commitment Office related to consumable supplies and travel. Section 22 – funding for the expansion of capacity of Sunrise Canyon Hospital. Section 33 – funding to administer one-time grants related to providing critical staffing needs resulting from frontline healthcare workers affected by COVID-19, including recruitment and retention bonuses for staff. Condition: Audit procedures included a selection of 60 sampled expenditures totaling $143,092,786 incurred during the fiscal year to test allowability with the grant awards. We noted that for 48 out of the 60 samples totaling $9,600,062, the agency did not obtain supporting documentation from the vendor to verify that the amounts advanced to the vendor were expended on allowable costs. We were unable to substantiate the amounts expended by the vendor and allowability of those expenditures in accordance with the relevant Senate Bill 8 section and the Department of the Treasury Final Rule. Questioned costs: $9,600,062. Context: See “Condition.” Cause: HHSC is not fully monitoring the use of program funds through collection, review, and maintenance of invoices supporting the expenditures. Effect: Failure to maintain adequate documentation pertinent to a federal award may result in noncompliance with grant terms and conditions. Repeat finding: No Recommendation: HHSC should implement policies and procedures to ensure documentation is maintained for a period of at least three years from the date of submission of the final expenditure report for the grant in accordance with 2 CFR 200.334. Views of responsible officials: HHSC concurs with the finding.
Activities Allowed or Unallowed, Allowable Costs/Cost Principles Federal Agency: U.S. Department of the Treasury Federal Program Title: Coronavirus State and Local Fiscal Recovery Funds ALN: 21.027 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: SLT – 8809: Project Name: HHSC Section 33; HHSC Section 12: Rural Hospitals, HHSC Section 22: Sunrise Canyon Hospital November 8, 2021 – December 31, 2026 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In the 2021 Texas Senate Bill 8, HHSC was appropriated money in various sections of the bill received by Texas from the Coronavirus State Fiscal Recovery Fund for the following purposes related to costs incurred during the period beginning October 8, 2021, and ending November 8, 2023, due to the coronavirus pandemic: Section 11(a) – funding for the construction of a state hospital in Dallas, Texas. Section 12 – funding for grants to support rural hospitals that have been affected by the COVID-19 pandemic. Section 13 – funding for the creation of a consolidated internet portal for Medicaid and the Children’s Health Insurance Program medical services provider data. Section 14 – funding for technology updates to the Medicaid eligibility computer system. Section 15 – funding for COVID-19 related expenses incurred by the Texas Civil Commitment Office related to consumable supplies and travel. Section 22 – funding for the expansion of capacity of Sunrise Canyon Hospital. Section 33 – funding to administer one-time grants related to providing critical staffing needs resulting from frontline healthcare workers affected by COVID-19, including recruitment and retention bonuses for staff. Condition: Audit procedures included a selection of 60 sampled expenditures totaling $143,092,786 incurred during the fiscal year to test allowability with the grant awards. We noted that for 48 out of the 60 samples totaling $9,600,062, the agency did not obtain supporting documentation from the vendor to verify that the amounts advanced to the vendor were expended on allowable costs. We were unable to substantiate the amounts expended by the vendor and allowability of those expenditures in accordance with the relevant Senate Bill 8 section and the Department of the Treasury Final Rule. Questioned costs: $9,600,062. Context: See “Condition.” Cause: HHSC is not fully monitoring the use of program funds through collection, review, and maintenance of invoices supporting the expenditures. Effect: Failure to maintain adequate documentation pertinent to a federal award may result in noncompliance with grant terms and conditions. Repeat finding: No Recommendation: HHSC should implement policies and procedures to ensure documentation is maintained for a period of at least three years from the date of submission of the final expenditure report for the grant in accordance with 2 CFR 200.334. Views of responsible officials: HHSC concurs with the finding.
Reporting Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Social Services Block Grant ALN: 93.667 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 2301TXSOSR, 2201TXSOSR and 2101TXSOSR October 1, 2022 – September 30, 2024, October 1, 2021 – September 30, 2023 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance Criteria or specific requirement: Per 2 CFR 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that it is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass_x0002_through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. Title 42 USC 1397e requires states and territories to submit to the federal administering agency, the Office of Community Services, an annual Post Expenditure Report no later than six months following the close of the fiscal year. The report includes certain critical key line information including: 1. The number of eligible individuals who received services paid for in part or in whole with federal funds under the SSBG. 2. The amount of Social Services Block Grant funds spent in providing each service. Condition: During testing of key line items noted above in the FY2022 Annual Post Expenditure Report submitted in March 2023, we noted the following variances between the amounts reported and supporting documentation: Key Line Item 1 Children Family Planning Services – variance of 1,796 Prevention and Intervention – variance of 9,866 Protective Services – Children – variance of 13,511 Adults Age 59 Years and Younger Family Planning Services – variance of 107,476 Prevention and Intervention – variance of 19,398 Protective Services – Adults – variance of 21,973 Other Services – variance of 10,733 Adults Age 60 Years and Older Family Planning Services – variance of 4,549 Prevention and Intervention – variance of 868 Protective Services – Adults – variance of 71,969 Other Services – variance of 14,408 Adults of Unknown Age Prevention and Intervention – variance of 151 Key Line Item 2 SSBG Allocation Foster Care Services – Children – variance of ($77,124) Information & Referral – variance of $2,116 Protective Services – Adults – variance of ($59,467) Protective Services – Children – variance of ($114,243) Funds Transferred into SSBG Protective Services – Children – variance of ($6,948,063) Expenditures of All Other Federal, State, and Local Funds Family Planning Services – variance of $172,504,171 Foster Care Services – Children – variance of $674,230,152 Information & Referral – variance of $35,508,405 Protective Services – Adults – variance of $67,694,139 Protective Services – Children – variance of $1,145,408,512 Other Services – $171,788,478 Questioned costs: None. Context: See “Condition.” Cause: Current internal controls are not at the correct precision level to ensure the completeness and accuracy of the report. Additionally, HHSC did not follow current policies and procedures regarding record retention. More specifically, all variances listed for key line item 1 were due to lack of supporting documentation except for the Protective Services – Children variance of 13,511, which was the difference between amounts reported and supporting documentation provided. All variances for key line item 2 were due to lack of supporting documentation except the four amounts listed under SSBG Allocation, which are a result difference between amounts reported and supporting documentation provided. Effect: Improperly designed internal controls over reporting may result in a misstatement of amounts reported on federal reports. In addition, failure to maintain adequate documentation pertinent to a federal award may result in noncompliance with grant terms and conditions. Repeat Finding: No Recommendation: We recommend management revise its internal controls to reconcile expenditures reported on federal reports to federal expenditures in the general ledger. Additionally, HHSC should implement or revise policies and procedures to ensure documentation is maintained for a period of at least three years from the date of submission of the final expenditure report for the grant in accordance with 2 CFR 200.334. Views of responsible officials: HHSC concurs with the finding.
Special Tests and Provisions – Provider Eligibility – Lack of Documentation Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Children’s Health Insurance Program ALN: 93.767 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 2105TX5021, 2205TX5021, 2305TX3002, 2305TX5021 October 1, 2020 – September 30, 2022, October 1, 2021 – September 30, 2023, October 1, 2022 – September 30, 2024 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance. Criteria or specific requirement: Per 2 CFR 200.303, a non-Federal entity must: Establish and maintain effective internal controls over federal awards that provide reasonable assurance they are managing federal awards in compliance with federal statutes, regulations, and the provisions of contracts or grant agreements that could have a material effect on each of its federal programs. Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In order to comply with federal provider eligibility requirements, HHSC must adhere to various subsections of 42 CFR Section 455 including but not limited to: § 455.104 – HHSC must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. Date of birth and Social Security Number (in the case of an individual). Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). § 455.105 – HHSC must enter into an agreement with each provider under which the provider agrees to furnish to it the following information related to business transactions within 35 days of request: The ownership of any subcontractor with whom the provider has had business transactions totaling more than $25,000 during the 12-month period ending on the date of the request; and Any significant business transactions between the provider and any wholly owned supplier, or between the provider and any subcontractor, during the 5-year period ending on the date of the request. § 455.106 – Before HHSC enters into or renews a provider agreement, or at any time upon written request by HHSC, the provider must disclose to HHSC the identity of any person who: Has ownership or control interest in the provider, or is an agent or managing employee of the provider; and Has been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the title XX services program since the inception of those programs. § 455.410 – HHSC must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. § 455.412 – HHSC must: Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. Confirm that the provider's license has not expired and that there are no current limitations on the provider's license. § 455.414 – HHSC must revalidate the enrollment of all providers regardless of provider type at least every five years. § 455.432 – HHSC must: Conduct pre-enrollment and post-enrollment site visits of providers who are designated as “moderate” or “high” categorical risks to the Medicaid program. Require any enrolled provider to permit CMS, its agents, its designated contractors, or HHSC to conduct unannounced on-site inspections of any and all provider locations. § 455.434 – HHSC must: Require providers to consent to criminal background checks including fingerprinting when required to do so under State law or by the level of screening based on risk of fraud, waste or abuse as determined for that category of provider. Establish categorical risk levels for providers and provider categories who pose an increased financial risk of fraud, waste or abuse to the Medicaid program. o Upon HHSC determining that a provider, or a person with a 5 percent or more direct or indirect ownership interest in the provider, meets HHSC's criteria hereunder for criminal background checks as a “high” risk to the Medicaid program, HHSC will require that each such provider or person submit fingerprints, in a form and manner to be determined by HHSC, within 30 days upon request from CMS or HHSC. § 455.436 – HHSC must confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. Upon enrollment and reenrollment, HHSC must check the Social Security Administration's Death Master File (SSADMF), the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. During the period the provider is enrolled, HHSC must check the LEIE and EPLS no less frequently than monthly. § 455.434 – HHSC must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of “limited,” “moderate,” or “high.” If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. Condition: Various departments within and contractors of HHSC are responsible for ensuring medical providers are properly licensed, screened, and enrolled in the Medicaid Program including Contract Administration and Provider Monitoring (CAPM), Access and Eligibility Services (AES), Procurement and Contracting Services, and the Texas Medicaid and Healthcare Partnership. Audit procedures included a review of 60 providers for CHIP, which resulted in one exception for the following: A copy of the completed application was not included in the file. Enrollment of the provider was not completed within the last 5 years. Verification of the provider’s license was not included in the file. Required information on ownership and control was not disclosed. Supporting documentation was not included in the file indicating the SSADMF database was checked at the time of the most recent enrollment. Supporting documentation was not included in the file indicating the NPPES database was checked at the time of the most recent enrollment. Supporting documentation was not included in the file indicating the LEIE database was checked at the time of the most recent enrollment. Supporting documentation was not included in the file indicating the EPLS database was checked at the time of the most recent enrollment. Supporting documentation was not included in the file indicating the provider was categorized during screening as limited, moderate, or high risk. A copy of the provider agreement was not included in the files. Supporting documentation was not included indicating a pre- or post-enrollment site visit was conducted as required for providers designated as moderate or high risk. Supporting documentation was not included indicating the provider disclosed the identity of any person who had been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the Title XX services program since the inception of those programs. Questioned costs: None. Context: See “Condition.” Cause: HHSC does not have adequate procedures in place to ensure required documentation is obtained and maintained to comply with federal provider eligibility requirements. Effect: Failure to obtain and maintain adequate documentation during the provider screening and enrollment process may result in otherwise ineligible or fraudulent providers receiving CHIP funds. Repeat Finding: No Recommendation: HHSC should implement controls to ensure: Documentation is maintained for at least the length of the providers’ current enrollment period or three years, whichever is greater in accordance with 2 CFR 200.334. Provider licenses are verified during enrollment. Providers are re-enrolled at least once every five years. Provider agreements are obtained, and the proper disclosures are made. Providers are categorized according to risk level and pre- and post-enrollment site visits are conducted as required for those deemed moderate or high risk. Relevant federal databases are checked during initial enrollment and at least monthly for all providers currently enrolled in CHIP. Views of responsible officials: HHSC concurs with the finding.
Special Tests and Provisions – Provider Eligibility – Lack of Documentation Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Children’s Health Insurance Program ALN: 93.767 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: 2105TX5021, 2205TX5021, 2305TX3002, 2305TX5021 October 1, 2020 – September 30, 2022, October 1, 2021 – September 30, 2023, October 1, 2022 – September 30, 2024 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Significant Deficiency in Internal Control over Compliance and Noncompliance. Criteria or specific requirement: Per 2 CFR 200.303, a non-Federal entity must: Establish and maintain effective internal controls over federal awards that provide reasonable assurance they are managing federal awards in compliance with federal statutes, regulations, and the provisions of contracts or grant agreements that could have a material effect on each of its federal programs. Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In order to comply with federal provider eligibility requirements, HHSC must adhere to various subsections of 42 CFR Section 455 including but not limited to: § 455.104 – HHSC must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. Date of birth and Social Security Number (in the case of an individual). Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). § 455.105 – HHSC must enter into an agreement with each provider under which the provider agrees to furnish to it the following information related to business transactions within 35 days of request: The ownership of any subcontractor with whom the provider has had business transactions totaling more than $25,000 during the 12-month period ending on the date of the request; and Any significant business transactions between the provider and any wholly owned supplier, or between the provider and any subcontractor, during the 5-year period ending on the date of the request. § 455.106 – Before HHSC enters into or renews a provider agreement, or at any time upon written request by HHSC, the provider must disclose to HHSC the identity of any person who: Has ownership or control interest in the provider, or is an agent or managing employee of the provider; and Has been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the title XX services program since the inception of those programs. § 455.410 – HHSC must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. § 455.412 – HHSC must: Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. Confirm that the provider's license has not expired and that there are no current limitations on the provider's license. § 455.414 – HHSC must revalidate the enrollment of all providers regardless of provider type at least every five years. § 455.432 – HHSC must: Conduct pre-enrollment and post-enrollment site visits of providers who are designated as “moderate” or “high” categorical risks to the Medicaid program. Require any enrolled provider to permit CMS, its agents, its designated contractors, or HHSC to conduct unannounced on-site inspections of any and all provider locations. § 455.434 – HHSC must: Require providers to consent to criminal background checks including fingerprinting when required to do so under State law or by the level of screening based on risk of fraud, waste or abuse as determined for that category of provider. Establish categorical risk levels for providers and provider categories who pose an increased financial risk of fraud, waste or abuse to the Medicaid program. o Upon HHSC determining that a provider, or a person with a 5 percent or more direct or indirect ownership interest in the provider, meets HHSC's criteria hereunder for criminal background checks as a “high” risk to the Medicaid program, HHSC will require that each such provider or person submit fingerprints, in a form and manner to be determined by HHSC, within 30 days upon request from CMS or HHSC. § 455.436 – HHSC must confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. Upon enrollment and reenrollment, HHSC must check the Social Security Administration's Death Master File (SSADMF), the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. During the period the provider is enrolled, HHSC must check the LEIE and EPLS no less frequently than monthly. § 455.434 – HHSC must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of “limited,” “moderate,” or “high.” If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. Condition: Various departments within and contractors of HHSC are responsible for ensuring medical providers are properly licensed, screened, and enrolled in the Medicaid Program including Contract Administration and Provider Monitoring (CAPM), Access and Eligibility Services (AES), Procurement and Contracting Services, and the Texas Medicaid and Healthcare Partnership. Audit procedures included a review of 60 providers for CHIP, which resulted in one exception for the following: A copy of the completed application was not included in the file. Enrollment of the provider was not completed within the last 5 years. Verification of the provider’s license was not included in the file. Required information on ownership and control was not disclosed. Supporting documentation was not included in the file indicating the SSADMF database was checked at the time of the most recent enrollment. Supporting documentation was not included in the file indicating the NPPES database was checked at the time of the most recent enrollment. Supporting documentation was not included in the file indicating the LEIE database was checked at the time of the most recent enrollment. Supporting documentation was not included in the file indicating the EPLS database was checked at the time of the most recent enrollment. Supporting documentation was not included in the file indicating the provider was categorized during screening as limited, moderate, or high risk. A copy of the provider agreement was not included in the files. Supporting documentation was not included indicating a pre- or post-enrollment site visit was conducted as required for providers designated as moderate or high risk. Supporting documentation was not included indicating the provider disclosed the identity of any person who had been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the Title XX services program since the inception of those programs. Questioned costs: None. Context: See “Condition.” Cause: HHSC does not have adequate procedures in place to ensure required documentation is obtained and maintained to comply with federal provider eligibility requirements. Effect: Failure to obtain and maintain adequate documentation during the provider screening and enrollment process may result in otherwise ineligible or fraudulent providers receiving CHIP funds. Repeat Finding: No Recommendation: HHSC should implement controls to ensure: Documentation is maintained for at least the length of the providers’ current enrollment period or three years, whichever is greater in accordance with 2 CFR 200.334. Provider licenses are verified during enrollment. Providers are re-enrolled at least once every five years. Provider agreements are obtained, and the proper disclosures are made. Providers are categorized according to risk level and pre- and post-enrollment site visits are conducted as required for those deemed moderate or high risk. Relevant federal databases are checked during initial enrollment and at least monthly for all providers currently enrolled in CHIP. Views of responsible officials: HHSC concurs with the finding.
Special Tests and Provisions – Provider Eligibility – Lack of Documentation Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Medicaid Cluster ALN: 93.775, 93.777, 93.778 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: Medicaid Cluster 2205TX5ADM, 2205TX5MAP, 2205TXIMPL; 2305TX5ADM, 2305TX5MAP, 2305TXIMPL October 1, 2021 – September 30, 2022, October 1, 2022 – September 30, 2023 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria or specific requirement: Per 2 CFR 200.303, a non-Federal entity must: Establish and maintain effective internal controls over federal awards that provide reasonable assurance they are managing federal awards in compliance with federal statutes, regulations, and the provisions of contracts or grant agreements that could have a material effect on each of its federal programs. Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In order to comply with federal provider eligibility requirements, HHSC must adhere to various subsections of 42 CFR Section 455 including but not limited to: § 455.104 – HHSC must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. Date of birth and Social Security Number (in the case of an individual) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). § 455.105 – HHSC must enter into an agreement with each provider under which the provider agrees to furnish to it the following information related to business transactions within 35 days of request: The ownership of any subcontractor with whom the provider has had business transactions totaling more than $25,000 during the 12-month period ending on the date of the request; and Any significant business transactions between the provider and any wholly owned supplier, or between the provider and any subcontractor, during the 5-year period ending on the date of the request. § 455.106 – Before HHSC enters into or renews a provider agreement, or at any time upon written request by HHSC, the provider must disclose to HHSC the identity of any person who: Has ownership or control interest in the provider, or is an agent or managing employee of the provider; and Has been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the title XX services program since the inception of those programs. § 455.410 – HHSC must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. § 455.412 – HHSC must: Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. Confirm that the provider's license has not expired and that there are no current limitations on the provider's license. § 455.414 – HHSC must revalidate the enrollment of all providers regardless of provider type at least every five years. § 455.432 – HHSC must: Conduct pre-enrollment and post-enrollment site visits of providers who are designated as “moderate” or “high” categorical risks to the Medicaid program. Require any enrolled provider to permit CMS, its agents, its designated contractors, or HHSC to conduct unannounced on-site inspections of any and all provider locations. § 455.434 – HHSC must: Require providers to consent to criminal background checks including fingerprinting when required to do so under State law or by the level of screening based on risk of fraud, waste or abuse as determined for that category of provider. Establish categorical risk levels for providers and provider categories who pose an increased financial risk of fraud, waste or abuse to the Medicaid program. o Upon HHSC determining that a provider, or a person with a 5 percent or more direct or indirect ownership interest in the provider, meets HHSC's criteria hereunder for criminal background checks as a “high” risk to the Medicaid program, HHSC will require that each such provider or person submit fingerprints, in a form and manner to be determined by HHSC, within 30 days upon request from CMS or HHSC. § 455.436 – HHSC must confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. Upon enrollment and reenrollment, HHSC must check the Social Security Administration's Death Master File (SSADMF), the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. During the period the provider is enrolled, HHSC must check the LEIE and EPLS no less frequently than monthly. § 455.434 – HHSC must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of “limited,” “moderate,” or “high.” If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. Condition: Various departments within and contractors of HHSC are responsible for ensuring medical providers are properly licensed, screened, and enrolled in the Medicaid Program including Contract Administration and Provider Monitoring (CAPM), Access and Eligibility Services (AES), Procurement and Contracting Services, and the Texas Medicaid and Healthcare Partnership. Audit procedures included a review of 60 providers each for Medicaid, which resulted in the following (sampled exceptions noted in parentheses): A copy of the completed application was not included in the file. (9 providers) Enrollment of the provider was not completed within the last 5 years. (7 providers) Verification of the provider’s license was not included in the file. (7 providers) Required information on ownership and control was not disclosed. (11 providers) Supporting documentation was not included in the file indicating the provider consented to a criminal background check. (9 providers) Supporting documentation was not included in the file indicating the SSADMF database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the NPPES database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the LEIE database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the EPLS database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the provider was categorized during screening as limited, moderate, or high risk. (13 providers) A copy of the provider agreement was not included in the files. (13 providers) Supporting documentation was not included indicating a pre- or post-enrollment site visit was conducted as required for providers designated as moderate or high risk. (13 providers) Supporting documentation was not included indicating the provider disclosed the identity of any person who had been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the Title XX services program since the inception of those programs. (9 providers) Questioned costs: None. Context: See “Condition.” Cause: HHSC does not have adequate procedures in place to ensure required documentation is obtained and maintained to comply with federal provider eligibility requirements. Effect: Failure to obtain and maintain adequate documentation during the provider screening and enrollment process may result in otherwise ineligible or fraudulent providers receiving Medicaid funds. Repeat finding: 2022-014, 2021-008 Recommendation: HHSC should implement controls to ensure: Documentation is maintained for at least the length of the providers’ current enrollment period or three years, whichever is greater in accordance with 2 CFR 200.334. Provider licenses are verified during enrollment. Providers are re-enrolled at least once every five years. Provider agreements are obtained, and the proper disclosures are made. Providers are categorized according to risk level and pre- and post-enrollment site visits are conducted as required for those deemed moderate or high risk. Relevant federal databases are checked during initial enrollment and at least monthly for all providers currently enrolled in Medicaid. Views of responsible officials: HHSC concurs with this repeat finding.
Special Tests and Provisions – Provider Eligibility – Lack of Documentation Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Medicaid Cluster ALN: 93.775, 93.777, 93.778 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: Medicaid Cluster 2205TX5ADM, 2205TX5MAP, 2205TXIMPL; 2305TX5ADM, 2305TX5MAP, 2305TXIMPL October 1, 2021 – September 30, 2022, October 1, 2022 – September 30, 2023 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria or specific requirement: Per 2 CFR 200.303, a non-Federal entity must: Establish and maintain effective internal controls over federal awards that provide reasonable assurance they are managing federal awards in compliance with federal statutes, regulations, and the provisions of contracts or grant agreements that could have a material effect on each of its federal programs. Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In order to comply with federal provider eligibility requirements, HHSC must adhere to various subsections of 42 CFR Section 455 including but not limited to: § 455.104 – HHSC must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. Date of birth and Social Security Number (in the case of an individual) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). § 455.105 – HHSC must enter into an agreement with each provider under which the provider agrees to furnish to it the following information related to business transactions within 35 days of request: The ownership of any subcontractor with whom the provider has had business transactions totaling more than $25,000 during the 12-month period ending on the date of the request; and Any significant business transactions between the provider and any wholly owned supplier, or between the provider and any subcontractor, during the 5-year period ending on the date of the request. § 455.106 – Before HHSC enters into or renews a provider agreement, or at any time upon written request by HHSC, the provider must disclose to HHSC the identity of any person who: Has ownership or control interest in the provider, or is an agent or managing employee of the provider; and Has been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the title XX services program since the inception of those programs. § 455.410 – HHSC must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. § 455.412 – HHSC must: Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. Confirm that the provider's license has not expired and that there are no current limitations on the provider's license. § 455.414 – HHSC must revalidate the enrollment of all providers regardless of provider type at least every five years. § 455.432 – HHSC must: Conduct pre-enrollment and post-enrollment site visits of providers who are designated as “moderate” or “high” categorical risks to the Medicaid program. Require any enrolled provider to permit CMS, its agents, its designated contractors, or HHSC to conduct unannounced on-site inspections of any and all provider locations. § 455.434 – HHSC must: Require providers to consent to criminal background checks including fingerprinting when required to do so under State law or by the level of screening based on risk of fraud, waste or abuse as determined for that category of provider. Establish categorical risk levels for providers and provider categories who pose an increased financial risk of fraud, waste or abuse to the Medicaid program. o Upon HHSC determining that a provider, or a person with a 5 percent or more direct or indirect ownership interest in the provider, meets HHSC's criteria hereunder for criminal background checks as a “high” risk to the Medicaid program, HHSC will require that each such provider or person submit fingerprints, in a form and manner to be determined by HHSC, within 30 days upon request from CMS or HHSC. § 455.436 – HHSC must confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. Upon enrollment and reenrollment, HHSC must check the Social Security Administration's Death Master File (SSADMF), the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. During the period the provider is enrolled, HHSC must check the LEIE and EPLS no less frequently than monthly. § 455.434 – HHSC must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of “limited,” “moderate,” or “high.” If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. Condition: Various departments within and contractors of HHSC are responsible for ensuring medical providers are properly licensed, screened, and enrolled in the Medicaid Program including Contract Administration and Provider Monitoring (CAPM), Access and Eligibility Services (AES), Procurement and Contracting Services, and the Texas Medicaid and Healthcare Partnership. Audit procedures included a review of 60 providers each for Medicaid, which resulted in the following (sampled exceptions noted in parentheses): A copy of the completed application was not included in the file. (9 providers) Enrollment of the provider was not completed within the last 5 years. (7 providers) Verification of the provider’s license was not included in the file. (7 providers) Required information on ownership and control was not disclosed. (11 providers) Supporting documentation was not included in the file indicating the provider consented to a criminal background check. (9 providers) Supporting documentation was not included in the file indicating the SSADMF database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the NPPES database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the LEIE database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the EPLS database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the provider was categorized during screening as limited, moderate, or high risk. (13 providers) A copy of the provider agreement was not included in the files. (13 providers) Supporting documentation was not included indicating a pre- or post-enrollment site visit was conducted as required for providers designated as moderate or high risk. (13 providers) Supporting documentation was not included indicating the provider disclosed the identity of any person who had been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the Title XX services program since the inception of those programs. (9 providers) Questioned costs: None. Context: See “Condition.” Cause: HHSC does not have adequate procedures in place to ensure required documentation is obtained and maintained to comply with federal provider eligibility requirements. Effect: Failure to obtain and maintain adequate documentation during the provider screening and enrollment process may result in otherwise ineligible or fraudulent providers receiving Medicaid funds. Repeat finding: 2022-014, 2021-008 Recommendation: HHSC should implement controls to ensure: Documentation is maintained for at least the length of the providers’ current enrollment period or three years, whichever is greater in accordance with 2 CFR 200.334. Provider licenses are verified during enrollment. Providers are re-enrolled at least once every five years. Provider agreements are obtained, and the proper disclosures are made. Providers are categorized according to risk level and pre- and post-enrollment site visits are conducted as required for those deemed moderate or high risk. Relevant federal databases are checked during initial enrollment and at least monthly for all providers currently enrolled in Medicaid. Views of responsible officials: HHSC concurs with this repeat finding.
Special Tests and Provisions – Provider Eligibility – Lack of Documentation Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Medicaid Cluster ALN: 93.775, 93.777, 93.778 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: Medicaid Cluster 2205TX5ADM, 2205TX5MAP, 2205TXIMPL; 2305TX5ADM, 2305TX5MAP, 2305TXIMPL October 1, 2021 – September 30, 2022, October 1, 2022 – September 30, 2023 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria or specific requirement: Per 2 CFR 200.303, a non-Federal entity must: Establish and maintain effective internal controls over federal awards that provide reasonable assurance they are managing federal awards in compliance with federal statutes, regulations, and the provisions of contracts or grant agreements that could have a material effect on each of its federal programs. Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In order to comply with federal provider eligibility requirements, HHSC must adhere to various subsections of 42 CFR Section 455 including but not limited to: § 455.104 – HHSC must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. Date of birth and Social Security Number (in the case of an individual) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). § 455.105 – HHSC must enter into an agreement with each provider under which the provider agrees to furnish to it the following information related to business transactions within 35 days of request: The ownership of any subcontractor with whom the provider has had business transactions totaling more than $25,000 during the 12-month period ending on the date of the request; and Any significant business transactions between the provider and any wholly owned supplier, or between the provider and any subcontractor, during the 5-year period ending on the date of the request. § 455.106 – Before HHSC enters into or renews a provider agreement, or at any time upon written request by HHSC, the provider must disclose to HHSC the identity of any person who: Has ownership or control interest in the provider, or is an agent or managing employee of the provider; and Has been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the title XX services program since the inception of those programs. § 455.410 – HHSC must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. § 455.412 – HHSC must: Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. Confirm that the provider's license has not expired and that there are no current limitations on the provider's license. § 455.414 – HHSC must revalidate the enrollment of all providers regardless of provider type at least every five years. § 455.432 – HHSC must: Conduct pre-enrollment and post-enrollment site visits of providers who are designated as “moderate” or “high” categorical risks to the Medicaid program. Require any enrolled provider to permit CMS, its agents, its designated contractors, or HHSC to conduct unannounced on-site inspections of any and all provider locations. § 455.434 – HHSC must: Require providers to consent to criminal background checks including fingerprinting when required to do so under State law or by the level of screening based on risk of fraud, waste or abuse as determined for that category of provider. Establish categorical risk levels for providers and provider categories who pose an increased financial risk of fraud, waste or abuse to the Medicaid program. o Upon HHSC determining that a provider, or a person with a 5 percent or more direct or indirect ownership interest in the provider, meets HHSC's criteria hereunder for criminal background checks as a “high” risk to the Medicaid program, HHSC will require that each such provider or person submit fingerprints, in a form and manner to be determined by HHSC, within 30 days upon request from CMS or HHSC. § 455.436 – HHSC must confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. Upon enrollment and reenrollment, HHSC must check the Social Security Administration's Death Master File (SSADMF), the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. During the period the provider is enrolled, HHSC must check the LEIE and EPLS no less frequently than monthly. § 455.434 – HHSC must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of “limited,” “moderate,” or “high.” If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. Condition: Various departments within and contractors of HHSC are responsible for ensuring medical providers are properly licensed, screened, and enrolled in the Medicaid Program including Contract Administration and Provider Monitoring (CAPM), Access and Eligibility Services (AES), Procurement and Contracting Services, and the Texas Medicaid and Healthcare Partnership. Audit procedures included a review of 60 providers each for Medicaid, which resulted in the following (sampled exceptions noted in parentheses): A copy of the completed application was not included in the file. (9 providers) Enrollment of the provider was not completed within the last 5 years. (7 providers) Verification of the provider’s license was not included in the file. (7 providers) Required information on ownership and control was not disclosed. (11 providers) Supporting documentation was not included in the file indicating the provider consented to a criminal background check. (9 providers) Supporting documentation was not included in the file indicating the SSADMF database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the NPPES database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the LEIE database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the EPLS database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the provider was categorized during screening as limited, moderate, or high risk. (13 providers) A copy of the provider agreement was not included in the files. (13 providers) Supporting documentation was not included indicating a pre- or post-enrollment site visit was conducted as required for providers designated as moderate or high risk. (13 providers) Supporting documentation was not included indicating the provider disclosed the identity of any person who had been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the Title XX services program since the inception of those programs. (9 providers) Questioned costs: None. Context: See “Condition.” Cause: HHSC does not have adequate procedures in place to ensure required documentation is obtained and maintained to comply with federal provider eligibility requirements. Effect: Failure to obtain and maintain adequate documentation during the provider screening and enrollment process may result in otherwise ineligible or fraudulent providers receiving Medicaid funds. Repeat finding: 2022-014, 2021-008 Recommendation: HHSC should implement controls to ensure: Documentation is maintained for at least the length of the providers’ current enrollment period or three years, whichever is greater in accordance with 2 CFR 200.334. Provider licenses are verified during enrollment. Providers are re-enrolled at least once every five years. Provider agreements are obtained, and the proper disclosures are made. Providers are categorized according to risk level and pre- and post-enrollment site visits are conducted as required for those deemed moderate or high risk. Relevant federal databases are checked during initial enrollment and at least monthly for all providers currently enrolled in Medicaid. Views of responsible officials: HHSC concurs with this repeat finding.
Special Tests and Provisions – Provider Eligibility – Lack of Documentation Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Medicaid Cluster ALN: 93.775, 93.777, 93.778 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: Medicaid Cluster 2205TX5ADM, 2205TX5MAP, 2205TXIMPL; 2305TX5ADM, 2305TX5MAP, 2305TXIMPL October 1, 2021 – September 30, 2022, October 1, 2022 – September 30, 2023 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria or specific requirement: Per 2 CFR 200.303, a non-Federal entity must: Establish and maintain effective internal controls over federal awards that provide reasonable assurance they are managing federal awards in compliance with federal statutes, regulations, and the provisions of contracts or grant agreements that could have a material effect on each of its federal programs. Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In order to comply with federal provider eligibility requirements, HHSC must adhere to various subsections of 42 CFR Section 455 including but not limited to: § 455.104 – HHSC must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. Date of birth and Social Security Number (in the case of an individual) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). § 455.105 – HHSC must enter into an agreement with each provider under which the provider agrees to furnish to it the following information related to business transactions within 35 days of request: The ownership of any subcontractor with whom the provider has had business transactions totaling more than $25,000 during the 12-month period ending on the date of the request; and Any significant business transactions between the provider and any wholly owned supplier, or between the provider and any subcontractor, during the 5-year period ending on the date of the request. § 455.106 – Before HHSC enters into or renews a provider agreement, or at any time upon written request by HHSC, the provider must disclose to HHSC the identity of any person who: Has ownership or control interest in the provider, or is an agent or managing employee of the provider; and Has been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the title XX services program since the inception of those programs. § 455.410 – HHSC must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. § 455.412 – HHSC must: Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. Confirm that the provider's license has not expired and that there are no current limitations on the provider's license. § 455.414 – HHSC must revalidate the enrollment of all providers regardless of provider type at least every five years. § 455.432 – HHSC must: Conduct pre-enrollment and post-enrollment site visits of providers who are designated as “moderate” or “high” categorical risks to the Medicaid program. Require any enrolled provider to permit CMS, its agents, its designated contractors, or HHSC to conduct unannounced on-site inspections of any and all provider locations. § 455.434 – HHSC must: Require providers to consent to criminal background checks including fingerprinting when required to do so under State law or by the level of screening based on risk of fraud, waste or abuse as determined for that category of provider. Establish categorical risk levels for providers and provider categories who pose an increased financial risk of fraud, waste or abuse to the Medicaid program. o Upon HHSC determining that a provider, or a person with a 5 percent or more direct or indirect ownership interest in the provider, meets HHSC's criteria hereunder for criminal background checks as a “high” risk to the Medicaid program, HHSC will require that each such provider or person submit fingerprints, in a form and manner to be determined by HHSC, within 30 days upon request from CMS or HHSC. § 455.436 – HHSC must confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. Upon enrollment and reenrollment, HHSC must check the Social Security Administration's Death Master File (SSADMF), the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. During the period the provider is enrolled, HHSC must check the LEIE and EPLS no less frequently than monthly. § 455.434 – HHSC must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of “limited,” “moderate,” or “high.” If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. Condition: Various departments within and contractors of HHSC are responsible for ensuring medical providers are properly licensed, screened, and enrolled in the Medicaid Program including Contract Administration and Provider Monitoring (CAPM), Access and Eligibility Services (AES), Procurement and Contracting Services, and the Texas Medicaid and Healthcare Partnership. Audit procedures included a review of 60 providers each for Medicaid, which resulted in the following (sampled exceptions noted in parentheses): A copy of the completed application was not included in the file. (9 providers) Enrollment of the provider was not completed within the last 5 years. (7 providers) Verification of the provider’s license was not included in the file. (7 providers) Required information on ownership and control was not disclosed. (11 providers) Supporting documentation was not included in the file indicating the provider consented to a criminal background check. (9 providers) Supporting documentation was not included in the file indicating the SSADMF database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the NPPES database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the LEIE database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the EPLS database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the provider was categorized during screening as limited, moderate, or high risk. (13 providers) A copy of the provider agreement was not included in the files. (13 providers) Supporting documentation was not included indicating a pre- or post-enrollment site visit was conducted as required for providers designated as moderate or high risk. (13 providers) Supporting documentation was not included indicating the provider disclosed the identity of any person who had been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the Title XX services program since the inception of those programs. (9 providers) Questioned costs: None. Context: See “Condition.” Cause: HHSC does not have adequate procedures in place to ensure required documentation is obtained and maintained to comply with federal provider eligibility requirements. Effect: Failure to obtain and maintain adequate documentation during the provider screening and enrollment process may result in otherwise ineligible or fraudulent providers receiving Medicaid funds. Repeat finding: 2022-014, 2021-008 Recommendation: HHSC should implement controls to ensure: Documentation is maintained for at least the length of the providers’ current enrollment period or three years, whichever is greater in accordance with 2 CFR 200.334. Provider licenses are verified during enrollment. Providers are re-enrolled at least once every five years. Provider agreements are obtained, and the proper disclosures are made. Providers are categorized according to risk level and pre- and post-enrollment site visits are conducted as required for those deemed moderate or high risk. Relevant federal databases are checked during initial enrollment and at least monthly for all providers currently enrolled in Medicaid. Views of responsible officials: HHSC concurs with this repeat finding.
Special Tests and Provisions – Provider Eligibility – Lack of Documentation Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Medicaid Cluster ALN: 93.775, 93.777, 93.778 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: Medicaid Cluster 2205TX5ADM, 2205TX5MAP, 2205TXIMPL; 2305TX5ADM, 2305TX5MAP, 2305TXIMPL October 1, 2021 – September 30, 2022, October 1, 2022 – September 30, 2023 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria or specific requirement: Per 2 CFR 200.303, a non-Federal entity must: Establish and maintain effective internal controls over federal awards that provide reasonable assurance they are managing federal awards in compliance with federal statutes, regulations, and the provisions of contracts or grant agreements that could have a material effect on each of its federal programs. Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In order to comply with federal provider eligibility requirements, HHSC must adhere to various subsections of 42 CFR Section 455 including but not limited to: § 455.104 – HHSC must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. Date of birth and Social Security Number (in the case of an individual) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). § 455.105 – HHSC must enter into an agreement with each provider under which the provider agrees to furnish to it the following information related to business transactions within 35 days of request: The ownership of any subcontractor with whom the provider has had business transactions totaling more than $25,000 during the 12-month period ending on the date of the request; and Any significant business transactions between the provider and any wholly owned supplier, or between the provider and any subcontractor, during the 5-year period ending on the date of the request. § 455.106 – Before HHSC enters into or renews a provider agreement, or at any time upon written request by HHSC, the provider must disclose to HHSC the identity of any person who: Has ownership or control interest in the provider, or is an agent or managing employee of the provider; and Has been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the title XX services program since the inception of those programs. § 455.410 – HHSC must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. § 455.412 – HHSC must: Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. Confirm that the provider's license has not expired and that there are no current limitations on the provider's license. § 455.414 – HHSC must revalidate the enrollment of all providers regardless of provider type at least every five years. § 455.432 – HHSC must: Conduct pre-enrollment and post-enrollment site visits of providers who are designated as “moderate” or “high” categorical risks to the Medicaid program. Require any enrolled provider to permit CMS, its agents, its designated contractors, or HHSC to conduct unannounced on-site inspections of any and all provider locations. § 455.434 – HHSC must: Require providers to consent to criminal background checks including fingerprinting when required to do so under State law or by the level of screening based on risk of fraud, waste or abuse as determined for that category of provider. Establish categorical risk levels for providers and provider categories who pose an increased financial risk of fraud, waste or abuse to the Medicaid program. o Upon HHSC determining that a provider, or a person with a 5 percent or more direct or indirect ownership interest in the provider, meets HHSC's criteria hereunder for criminal background checks as a “high” risk to the Medicaid program, HHSC will require that each such provider or person submit fingerprints, in a form and manner to be determined by HHSC, within 30 days upon request from CMS or HHSC. § 455.436 – HHSC must confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. Upon enrollment and reenrollment, HHSC must check the Social Security Administration's Death Master File (SSADMF), the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. During the period the provider is enrolled, HHSC must check the LEIE and EPLS no less frequently than monthly. § 455.434 – HHSC must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of “limited,” “moderate,” or “high.” If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. Condition: Various departments within and contractors of HHSC are responsible for ensuring medical providers are properly licensed, screened, and enrolled in the Medicaid Program including Contract Administration and Provider Monitoring (CAPM), Access and Eligibility Services (AES), Procurement and Contracting Services, and the Texas Medicaid and Healthcare Partnership. Audit procedures included a review of 60 providers each for Medicaid, which resulted in the following (sampled exceptions noted in parentheses): A copy of the completed application was not included in the file. (9 providers) Enrollment of the provider was not completed within the last 5 years. (7 providers) Verification of the provider’s license was not included in the file. (7 providers) Required information on ownership and control was not disclosed. (11 providers) Supporting documentation was not included in the file indicating the provider consented to a criminal background check. (9 providers) Supporting documentation was not included in the file indicating the SSADMF database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the NPPES database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the LEIE database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the EPLS database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the provider was categorized during screening as limited, moderate, or high risk. (13 providers) A copy of the provider agreement was not included in the files. (13 providers) Supporting documentation was not included indicating a pre- or post-enrollment site visit was conducted as required for providers designated as moderate or high risk. (13 providers) Supporting documentation was not included indicating the provider disclosed the identity of any person who had been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the Title XX services program since the inception of those programs. (9 providers) Questioned costs: None. Context: See “Condition.” Cause: HHSC does not have adequate procedures in place to ensure required documentation is obtained and maintained to comply with federal provider eligibility requirements. Effect: Failure to obtain and maintain adequate documentation during the provider screening and enrollment process may result in otherwise ineligible or fraudulent providers receiving Medicaid funds. Repeat finding: 2022-014, 2021-008 Recommendation: HHSC should implement controls to ensure: Documentation is maintained for at least the length of the providers’ current enrollment period or three years, whichever is greater in accordance with 2 CFR 200.334. Provider licenses are verified during enrollment. Providers are re-enrolled at least once every five years. Provider agreements are obtained, and the proper disclosures are made. Providers are categorized according to risk level and pre- and post-enrollment site visits are conducted as required for those deemed moderate or high risk. Relevant federal databases are checked during initial enrollment and at least monthly for all providers currently enrolled in Medicaid. Views of responsible officials: HHSC concurs with this repeat finding.
Special Tests and Provisions – Provider Eligibility – Lack of Documentation Federal Agency: U.S. Department of Health and Human Services Federal Program Title: Medicaid Cluster ALN: 93.775, 93.777, 93.778 Pass-Through Agency: N/A Pass-Through Number(s): N/A Award Number and Period: Medicaid Cluster 2205TX5ADM, 2205TX5MAP, 2205TXIMPL; 2305TX5ADM, 2305TX5MAP, 2305TXIMPL October 1, 2021 – September 30, 2022, October 1, 2022 – September 30, 2023 Statistically Valid Sample: No, and not intended to be a statistically valid sample Type of Finding: Material Weakness in Internal Control over Compliance and Material Noncompliance Criteria or specific requirement: Per 2 CFR 200.303, a non-Federal entity must: Establish and maintain effective internal controls over federal awards that provide reasonable assurance they are managing federal awards in compliance with federal statutes, regulations, and the provisions of contracts or grant agreements that could have a material effect on each of its federal programs. Per 2 CFR 200.334, financial records, supporting documents, statistical records, and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient. Federal awarding agencies and pass-through entities must not impose any other record retention requirements upon non-Federal entities. In order to comply with federal provider eligibility requirements, HHSC must adhere to various subsections of 42 CFR Section 455 including but not limited to: § 455.104 – HHSC must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. Date of birth and Social Security Number (in the case of an individual) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). § 455.105 – HHSC must enter into an agreement with each provider under which the provider agrees to furnish to it the following information related to business transactions within 35 days of request: The ownership of any subcontractor with whom the provider has had business transactions totaling more than $25,000 during the 12-month period ending on the date of the request; and Any significant business transactions between the provider and any wholly owned supplier, or between the provider and any subcontractor, during the 5-year period ending on the date of the request. § 455.106 – Before HHSC enters into or renews a provider agreement, or at any time upon written request by HHSC, the provider must disclose to HHSC the identity of any person who: Has ownership or control interest in the provider, or is an agent or managing employee of the provider; and Has been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the title XX services program since the inception of those programs. § 455.410 – HHSC must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. § 455.412 – HHSC must: Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. Confirm that the provider's license has not expired and that there are no current limitations on the provider's license. § 455.414 – HHSC must revalidate the enrollment of all providers regardless of provider type at least every five years. § 455.432 – HHSC must: Conduct pre-enrollment and post-enrollment site visits of providers who are designated as “moderate” or “high” categorical risks to the Medicaid program. Require any enrolled provider to permit CMS, its agents, its designated contractors, or HHSC to conduct unannounced on-site inspections of any and all provider locations. § 455.434 – HHSC must: Require providers to consent to criminal background checks including fingerprinting when required to do so under State law or by the level of screening based on risk of fraud, waste or abuse as determined for that category of provider. Establish categorical risk levels for providers and provider categories who pose an increased financial risk of fraud, waste or abuse to the Medicaid program. o Upon HHSC determining that a provider, or a person with a 5 percent or more direct or indirect ownership interest in the provider, meets HHSC's criteria hereunder for criminal background checks as a “high” risk to the Medicaid program, HHSC will require that each such provider or person submit fingerprints, in a form and manner to be determined by HHSC, within 30 days upon request from CMS or HHSC. § 455.436 – HHSC must confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. Upon enrollment and reenrollment, HHSC must check the Social Security Administration's Death Master File (SSADMF), the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. During the period the provider is enrolled, HHSC must check the LEIE and EPLS no less frequently than monthly. § 455.434 – HHSC must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of “limited,” “moderate,” or “high.” If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. Condition: Various departments within and contractors of HHSC are responsible for ensuring medical providers are properly licensed, screened, and enrolled in the Medicaid Program including Contract Administration and Provider Monitoring (CAPM), Access and Eligibility Services (AES), Procurement and Contracting Services, and the Texas Medicaid and Healthcare Partnership. Audit procedures included a review of 60 providers each for Medicaid, which resulted in the following (sampled exceptions noted in parentheses): A copy of the completed application was not included in the file. (9 providers) Enrollment of the provider was not completed within the last 5 years. (7 providers) Verification of the provider’s license was not included in the file. (7 providers) Required information on ownership and control was not disclosed. (11 providers) Supporting documentation was not included in the file indicating the provider consented to a criminal background check. (9 providers) Supporting documentation was not included in the file indicating the SSADMF database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the NPPES database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the LEIE database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the EPLS database was checked at the time of the most recent enrollment. (12 providers) Supporting documentation was not included in the file indicating the provider was categorized during screening as limited, moderate, or high risk. (13 providers) A copy of the provider agreement was not included in the files. (13 providers) Supporting documentation was not included indicating a pre- or post-enrollment site visit was conducted as required for providers designated as moderate or high risk. (13 providers) Supporting documentation was not included indicating the provider disclosed the identity of any person who had been convicted of a criminal offense related to that person's involvement in any program under Medicare, Medicaid, or the Title XX services program since the inception of those programs. (9 providers) Questioned costs: None. Context: See “Condition.” Cause: HHSC does not have adequate procedures in place to ensure required documentation is obtained and maintained to comply with federal provider eligibility requirements. Effect: Failure to obtain and maintain adequate documentation during the provider screening and enrollment process may result in otherwise ineligible or fraudulent providers receiving Medicaid funds. Repeat finding: 2022-014, 2021-008 Recommendation: HHSC should implement controls to ensure: Documentation is maintained for at least the length of the providers’ current enrollment period or three years, whichever is greater in accordance with 2 CFR 200.334. Provider licenses are verified during enrollment. Providers are re-enrolled at least once every five years. Provider agreements are obtained, and the proper disclosures are made. Providers are categorized according to risk level and pre- and post-enrollment site visits are conducted as required for those deemed moderate or high risk. Relevant federal databases are checked during initial enrollment and at least monthly for all providers currently enrolled in Medicaid. Views of responsible officials: HHSC concurs with this repeat finding.
FINDING 2023-001 DOCUMENT RETENTION SIGNIFICANT DEFICIENCY Federal Program: Title I, Part A Assistance Listing Number: 84.010 Condition The Indiana Department of Education uses data on the poverty levels of students in determining funding amounts for the program. We selected a sample of forty students from the Real Time Data report used in making funding assessments for the year under audit. The School was unable to provide documentation to support the poverty levels of ten of those students. Criteria Per 7 CFR 200.334, “Financial records, supporting documents, statistical records, and all other non- Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.” Cause The School did not maintain poverty level documentation for all students reported. Effect We were unable to determine if the poverty levels of all students were properly reported. Funding amounts could have been incorrectly determined. Recommendation We recommend the School develop internal controls requiring the maintenance of student poverty level documentation. Views of Responsible Officials The School’s Corrective Action Plan is included on page 24.
FINDING 2023-001 DOCUMENT RETENTION SIGNIFICANT DEFICIENCY Federal Program: Title I, Part A Assistance Listing Number: 84.010 Condition The Indiana Department of Education uses data on the poverty levels of students in determining funding amounts for the program. We selected a sample of forty students from the Real Time Data report used in making funding assessments for the year under audit. The School was unable to provide documentation to support the poverty levels of ten of those students. Criteria Per 7 CFR 200.334, “Financial records, supporting documents, statistical records, and all other non- Federal entity records pertinent to a Federal award must be retained for a period of three years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.” Cause The School did not maintain poverty level documentation for all students reported. Effect We were unable to determine if the poverty levels of all students were properly reported. Funding amounts could have been incorrectly determined. Recommendation We recommend the School develop internal controls requiring the maintenance of student poverty level documentation. Views of Responsible Officials The School’s Corrective Action Plan is included on page 24.
Assistance Listing Number(s): 10.553 and 10.555 Name of Federal Program or Cluster: Child Nutrition Cluster Name of Federal Agency: Department of Agriculture Name of Pass-through Entity: Wisconsin Department of Public Instruction Pass-through Entity Identifying Number(s): 2023-138142-DPI-SB-546, 2023-138005-DPI-SB-546, 2023-138005-DPI-NSL-547, and 2023-138005-DPI-SK_NSLAE-566 Award Period: July 1, 2022 through June 30, 2023 Criteria: According to 2 CFR, Part 200.334 of the Uniform Guidance, supporting documentation pertinent to a federal award must be retained for a period of three years from the date of submission of the expenditure. According to 2 CFR, Part 200.302(3) of the Uniform Guidance, records must be supported by source documentation. Condition: Supporting documentation for claims were not retained. Cause: Internal controls for funding claims have not been designed appropriately. Currently, there are no internal controls to ensure support for claims are retained in accordance with federal requirements. Questioned Costs: $344,674 Effect or Potential Effect: Incomplete or inaccurate information could be reported on funding claims. Context: A sample of 8 claims reports were selected from a population of 39. The testing found that supporting documentation for claims was not retained for any of the claims in the sample. Repeat Finding: No Recommendation: One City Schools, Inc. should design and implement appropriate internal controls for retaining support for claims in accordance with federal requirements. Views of Responsible Officials: One City Schools, Inc. agrees with the finding and are working on implementing internal controls for maintaining supporting documentation.
Assistance Listing Number(s): 10.553 and 10.555 Name of Federal Program or Cluster: Child Nutrition Cluster Name of Federal Agency: Department of Agriculture Name of Pass-through Entity: Wisconsin Department of Public Instruction Pass-through Entity Identifying Number(s): 2023-138142-DPI-SB-546, 2023-138005-DPI-SB-546, 2023-138005-DPI-NSL-547, and 2023-138005-DPI-SK_NSLAE-566 Award Period: July 1, 2022 through June 30, 2023 Criteria: According to 2 CFR, Part 200.334 of the Uniform Guidance, supporting documentation pertinent to a federal award must be retained for a period of three years from the date of submission of the expenditure. According to 2 CFR, Part 200.302(3) of the Uniform Guidance, records must be supported by source documentation. Condition: Supporting documentation for claims were not retained. Cause: Internal controls for funding claims have not been designed appropriately. Currently, there are no internal controls to ensure support for claims are retained in accordance with federal requirements. Questioned Costs: $344,674 Effect or Potential Effect: Incomplete or inaccurate information could be reported on funding claims. Context: A sample of 8 claims reports were selected from a population of 39. The testing found that supporting documentation for claims was not retained for any of the claims in the sample. Repeat Finding: No Recommendation: One City Schools, Inc. should design and implement appropriate internal controls for retaining support for claims in accordance with federal requirements. Views of Responsible Officials: One City Schools, Inc. agrees with the finding and are working on implementing internal controls for maintaining supporting documentation.