FINDING 2022-049 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; and Matching, Level of Effort, and Earmarking - Home Help Payment Oversight See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not review home help provider invoices for 4 (27%) of 15 sampled payments to individual providers, totaling $485, to help ensure home help payments were reflective of the services provided. Criteria Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the ASM to further define specific policies and procedures for delivery of Medicaid HHP services. ASM Section 135 requires individual providers to submit monthly invoices for reimbursement. Cause Although the Electronic Service Verifications (ESV) and Paper Service Verifications (PSV) collect information on completed services, prior to April 1, 2022 there was no automated review of the ESV information and there continues to be no automated review of the PSV information to determine if all services were provided before payment was issued. Effect MDHHS paid a total of $485 for services from October 1, 2021 through September 30, 2022 that were not supported by home help provider invoices for the sampled payments. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. ? $348 - federal share. ? $137 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS review home help provider invoices to help ensure home help payments are reflective of the services provided. Management Views MDHHS agrees with the finding.
FINDING 2022-019 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility See Schedule of Findings and Questioned Costs for chart/table. Background In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP. Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. As a result, we sampled beneficiaries for each program who either began receiving assistance or had a change in their type of assistance during fiscal year 2022. We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table. For an estimated 74,086 Medicaid and 16,324 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested. The results of the testing for the remaining 54 Medicaid and 48 CHIP beneficiaries we were able to review are summarized in the finding below. Condition MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed: a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 4 (7%) of 54 Medicaid and 11 (23%) of 48 CHIP cases reviewed. b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 54 Medicaid cases reviewed. Criteria Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Cause For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions. For part b., MDHHS indicated the missing documentation resulted from staff oversight. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 9% Medicaid and 23% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. ? $1,969 - federal share. ? $656 - State share of costs MDHHS inappropriately used as matching. Recommendations We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements. We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-020 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely. On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified it incorrectly recorded $39.1 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2022. However, we selected a sample of 2 beneficiaries that were transferred to CHIP and noted both beneficiaries were not eligible for CHIP but were in fact Medicaid eligible and, therefore, should not have been transferred. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs. Cause MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, some cases were transferred in error. Effect MDHHS inappropriately transferred $294 Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Also, of the $39.1 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. For the CHIP compliance requirements noted, we consider this to be a material weakness and material noncompliance because the $39.1 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 14% of total CHIP expenditures and both sample items were inappropriately transferred to CHIP. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. ? $235 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $235 is questioned in Finding 2022-019. ? $58 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely. Management Views MDHHS agrees with the finding.
FINDING 2022-047 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Payments on Behalf of Ineligible Beneficiaries See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure beneficiary eligibility was updated in CHAMPS. As a result, MDHHS issued $5,774 for 15 (50%) of 30 payments sampled from a $1,390,653 population of beneficiary payments with no corresponding Medicaid coverage. Criteria Federal regulation 42 CFR 435.1002(b) indicates that federal funding is available only for services provided to eligible beneficiaries. Cause MDHHS informed us because of system and interface issues in both Bridges and CHAMPS, eligibility information was not always properly updated in CHAMPS, resulting in beneficiaries appearing eligible in CHAMPS in error and payments being processed based on that eligibility. Effect MDHHS made payments on behalf of ineligible beneficiaries. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs exceed $25,000. ? $5,103 - federal share of payments made to providers on behalf of ineligible beneficiaries. ? $671 - State share of payments made to providers on behalf of ineligible beneficiaries. Recommendation We recommend that MDHHS ensure that beneficiary eligibility is updated in CHAMPS. Management Views MDHHS agrees with the finding.
FINDING 2022-048 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Ineligible HHP Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not prevent or timely recover payments, totaling $324, for 2 (25%) of 8 sampled clients who were hospitalized while receiving Home Help Program (HHP) services and no longer met eligibility requirements. Criteria Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the Adult Services Manual (ASM) to further define specific policies and procedures for delivery of Medicaid HHP services. ASM Section 135 prohibits payment for HHP services on days a client is admitted to a hospital and for all subsequent days they remain in that facility. ASM Section 135 allows payment for HHP services on the day a client is discharged from the hospital. Cause MDHHS informed us the post-payment review process is complicated by the lag time (up to one year) associated with MDHHS receiving and processing hospital claims and delays in changes to clients' level of care. Also, the monthly hospitalization reports are not capturing all facility stays for home help clients. Effect MDHHS paid a total of $324 from October 1, 2021 through September 30, 2022 for sampled clients who did not qualify for the HHP services because they were hospitalized. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. ? $232 - federal share of amounts paid for HHP services while sampled clients were hospitalized. ? $92 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS prevent or timely recover payments for HHP services when clients no longer meet eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-049 Medicaid Cluster, ALN 93.775, 93.777, and 93.778, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; and Matching, Level of Effort, and Earmarking - Home Help Payment Oversight See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not review home help provider invoices for 4 (27%) of 15 sampled payments to individual providers, totaling $485, to help ensure home help payments were reflective of the services provided. Criteria Federal regulation 42 CFR 435.10 requires MDHHS to specify in its State Plan the groups to whom Medicaid is provided and the conditions of eligibility for individuals in those groups. MDHHS's Medicaid State Plan states it will provide personal care services under HHP. MDHHS has developed the ASM to further define specific policies and procedures for delivery of Medicaid HHP services. ASM Section 135 requires individual providers to submit monthly invoices for reimbursement. Cause Although the Electronic Service Verifications (ESV) and Paper Service Verifications (PSV) collect information on completed services, prior to April 1, 2022 there was no automated review of the ESV information and there continues to be no automated review of the PSV information to determine if all services were provided before payment was issued. Effect MDHHS paid a total of $485 for services from October 1, 2021 through September 30, 2022 that were not supported by home help provider invoices for the sampled payments. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. ? $348 - federal share. ? $137 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS review home help provider invoices to help ensure home help payments are reflective of the services provided. Management Views MDHHS agrees with the finding.
FINDING 2022-054 Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Non-Financial Eligibility Documentation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not obtain or maintain sufficient non-financial case record documentation to support client eligibility for TANF-funded assistance payments. We noted the client's case records did not include the following: a. Documentation to support completion of the Family Self-Sufficiency Plan, verifications to support the relationship of the child to the adult on the case record, records to support children older than 6 were attending school full time, and inquiry regarding parole violations for 6 (30%) of 20 sampled TANF-funded Family Independence Program (FIP) payments. b. Completed applications, support for timely completion of the Family Automated Screening Tool, verifications to support the relationship of the child to the adult on the case record, and records to support children older than 6 were attending school full time for 2 (29%) of 7 sampled TANF-COVID-19 funded clothing allowance payments for eligible children receiving FIP or ineligible for FIP due to receiving Supplemental Security Income during September 2022. Criteria Federal regulation 45 CFR 260.20 requires a family be needy in order to be eligible for TANF assistance and job preparation services. Federal regulation 45 CFR 205.60(a) requires MDHHS to maintain records to support eligibility, including facts to support the client's need for assistance. MDHHS's policies and procedures require documentation used to verify eligibility be maintained in the case file. Also, federal law 42 USC 608(a)(9)(A) states that a state may not provide assistance to any individual who is violating a condition of probation or parole imposed under federal or State law. Further, Public Act 166 of 2022 required MDHHS to allocate an annual clothing allowance to all eligible children in a FIP group. In addition, Subpart E of federal regulation 45 CFR 75 requires costs charged to federal programs be adequately documented, be necessary and reasonable for the administration of the federal award, be in accordance with the relative benefits received by the program, and be consistent with policies and procedures that apply to both the federal award and other activities of the state. Cause For part a., MDHHS informed us its controls were not sufficient to ensure that all of the required verification documentation was appropriately maintained in the client's case record. For part b., MDHHS informed us that because these families received FIP benefits during September 2022, they were eligible for the COVID-19 clothing allowance. However, our review disclosed the two case records did not support FIP eligibility for September 2022. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments to ineligible recipients and because of the high error rates noted. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. ? $8,368 - federal share. ? $56 - State share of costs MDHHS inappropriately used as State maintenance of effort. Recommendation We recommend MDHHS obtain and maintain sufficient non-financial case record documentation to support client eligibility for TANF-funded assistance payments. Management Views MDHHS agrees with the finding.
FINDING 2022-054 Temporary Assistance for Needy Families, ALN 93.558, Activities Allowed or Unallowed; Allowable Costs/Cost Principles; Eligibility; and Matching, Level of Effort, and Earmarking - Non-Financial Eligibility Documentation See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not obtain or maintain sufficient non-financial case record documentation to support client eligibility for TANF-funded assistance payments. We noted the client's case records did not include the following: a. Documentation to support completion of the Family Self-Sufficiency Plan, verifications to support the relationship of the child to the adult on the case record, records to support children older than 6 were attending school full time, and inquiry regarding parole violations for 6 (30%) of 20 sampled TANF-funded Family Independence Program (FIP) payments. b. Completed applications, support for timely completion of the Family Automated Screening Tool, verifications to support the relationship of the child to the adult on the case record, and records to support children older than 6 were attending school full time for 2 (29%) of 7 sampled TANF-COVID-19 funded clothing allowance payments for eligible children receiving FIP or ineligible for FIP due to receiving Supplemental Security Income during September 2022. Criteria Federal regulation 45 CFR 260.20 requires a family be needy in order to be eligible for TANF assistance and job preparation services. Federal regulation 45 CFR 205.60(a) requires MDHHS to maintain records to support eligibility, including facts to support the client's need for assistance. MDHHS's policies and procedures require documentation used to verify eligibility be maintained in the case file. Also, federal law 42 USC 608(a)(9)(A) states that a state may not provide assistance to any individual who is violating a condition of probation or parole imposed under federal or State law. Further, Public Act 166 of 2022 required MDHHS to allocate an annual clothing allowance to all eligible children in a FIP group. In addition, Subpart E of federal regulation 45 CFR 75 requires costs charged to federal programs be adequately documented, be necessary and reasonable for the administration of the federal award, be in accordance with the relative benefits received by the program, and be consistent with policies and procedures that apply to both the federal award and other activities of the state. Cause For part a., MDHHS informed us its controls were not sufficient to ensure that all of the required verification documentation was appropriately maintained in the client's case record. For part b., MDHHS informed us that because these families received FIP benefits during September 2022, they were eligible for the COVID-19 clothing allowance. However, our review disclosed the two case records did not support FIP eligibility for September 2022. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments to ineligible recipients and because of the high error rates noted. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. ? $8,368 - federal share. ? $56 - State share of costs MDHHS inappropriately used as State maintenance of effort. Recommendation We recommend MDHHS obtain and maintain sufficient non-financial case record documentation to support client eligibility for TANF-funded assistance payments. Management Views MDHHS agrees with the finding.
FINDING 2022-057 Low-Income Home Energy Assistance, ALN 93.568, Eligibility - Eligibility Determinations See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not maintain sufficient documentation of its efforts to evaluate client eligibility; examples of documentation include support for the verification of the client's income, assets, and proof of energy crisis for 13 (32%) of 41 sampled LIHEAP-funded State Emergency Relief (SER) energy payments. Criteria Federal law 42 USC 8624 requires the State to expend funds in accordance with the LIHEAP State Plan and allows MDHHS to use LIHEAP funds to intervene in energy-related crisis situations and assist eligible households to meet the costs of home energy. MDHHS policy requires county/district office caseworkers to verify and include certain assets or income of SER group members during intake in order to determine eligibility for SER energy services. Also, policy states the payment amount must match the amount on the past due or shut-off notice. Cause MDHHS's internal control and monitoring activities were not sufficient to ensure that county/district office caseworkers adhered to established policies and procedures. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible recipients and because of the high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. ? $3,772 ? federal share. Recommendation We recommend MDHHS maintain sufficient documentation to support client eligibility for LIHEAP-funded SER energy payments. Management Views MDHHS agrees with the finding.
FINDING 2022-057 Low-Income Home Energy Assistance, ALN 93.568, Eligibility - Eligibility Determinations See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not maintain sufficient documentation of its efforts to evaluate client eligibility; examples of documentation include support for the verification of the client's income, assets, and proof of energy crisis for 13 (32%) of 41 sampled LIHEAP-funded State Emergency Relief (SER) energy payments. Criteria Federal law 42 USC 8624 requires the State to expend funds in accordance with the LIHEAP State Plan and allows MDHHS to use LIHEAP funds to intervene in energy-related crisis situations and assist eligible households to meet the costs of home energy. MDHHS policy requires county/district office caseworkers to verify and include certain assets or income of SER group members during intake in order to determine eligibility for SER energy services. Also, policy states the payment amount must match the amount on the past due or shut-off notice. Cause MDHHS's internal control and monitoring activities were not sufficient to ensure that county/district office caseworkers adhered to established policies and procedures. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible recipients and because of the high error rate. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. ? $3,772 ? federal share. Recommendation We recommend MDHHS maintain sufficient documentation to support client eligibility for LIHEAP-funded SER energy payments. Management Views MDHHS agrees with the finding.
FINDING 2022-019 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility See Schedule of Findings and Questioned Costs for chart/table. Background In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP. Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. As a result, we sampled beneficiaries for each program who either began receiving assistance or had a change in their type of assistance during fiscal year 2022. We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table. For an estimated 74,086 Medicaid and 16,324 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested. The results of the testing for the remaining 54 Medicaid and 48 CHIP beneficiaries we were able to review are summarized in the finding below. Condition MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed: a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 4 (7%) of 54 Medicaid and 11 (23%) of 48 CHIP cases reviewed. b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 54 Medicaid cases reviewed. Criteria Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Cause For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions. For part b., MDHHS indicated the missing documentation resulted from staff oversight. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 9% Medicaid and 23% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. ? $1,969 - federal share. ? $656 - State share of costs MDHHS inappropriately used as matching. Recommendations We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements. We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-020 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely. On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified it incorrectly recorded $39.1 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2022. However, we selected a sample of 2 beneficiaries that were transferred to CHIP and noted both beneficiaries were not eligible for CHIP but were in fact Medicaid eligible and, therefore, should not have been transferred. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs. Cause MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, some cases were transferred in error. Effect MDHHS inappropriately transferred $294 Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Also, of the $39.1 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. For the CHIP compliance requirements noted, we consider this to be a material weakness and material noncompliance because the $39.1 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 14% of total CHIP expenditures and both sample items were inappropriately transferred to CHIP. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. ? $235 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $235 is questioned in Finding 2022-019. ? $58 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely. Management Views MDHHS agrees with the finding.
FINDING 2022-019 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Beneficiary Eligibility See Schedule of Findings and Questioned Costs for chart/table. Background In 2014, federal regulations changed the methodology for determining eligibility for certain Medicaid Cluster and CHIP beneficiaries to a methodology using federal income tax data known as MAGI. Federal regulation 26 CFR 301.6103(a) prohibits an auditor from using federal income tax data unless in connection with an audit of the state agency responsible for the administration of the state tax law. For 2014 through 2018, auditors were not expected to review MAGI eligibility determinations. Beginning in 2019, the U.S. Office of Management and Budget* (OMB) Compliance Supplement was revised requiring auditors to review MAGI eligibility determinations for both the Medicaid Cluster and CHIP. Also, because of the public health emergency, MDHHS was not required to perform redeterminations and could not end healthcare coverage unless the individual voluntarily requested termination, moved out of state, or was deceased. As a result, we sampled beneficiaries for each program who either began receiving assistance or had a change in their type of assistance during fiscal year 2022. We summarized the results of our eligibility review in the following table: See Schedule of Findings and Questioned Costs for chart/table. For an estimated 74,086 Medicaid and 16,324 CHIP beneficiaries, we were unable to determine if MDHHS complied with federal laws and regulations related to MAGI-based eligibility because federal regulations prohibited our use of federal income tax data and the beneficiaries' case record did not contain other available income information. Other income information is not required to be included in the case record when a determination of eligibility is based on MAGI. However, if such information was available, we reviewed this information for eligibility purposes to accurately report the sample items that could not be tested. The results of the testing for the remaining 54 Medicaid and 48 CHIP beneficiaries we were able to review are summarized in the finding below. Condition MDHHS did not ensure or demonstrate compliance with federal laws and regulations relating to beneficiary eligibility. Our review disclosed: a. MDHHS did not determine beneficiary eligibility in accordance with eligibility requirements for 4 (7%) of 54 Medicaid and 11 (23%) of 48 CHIP cases reviewed. b. MDHHS did not maintain case file documentation that supports the beneficiary eligibility determination for 1 (2%) of 54 Medicaid cases reviewed. Criteria Federal regulations 42 CFR 435.1002(b) and 42 CFR 457.622(d) indicate federal funding is available only for services provided to eligible beneficiaries. Federal regulation 42 CFR 435.914 requires case record documentation be maintained to support the eligibility decision. Federal regulations 42 CFR 435.10, 42 CFR 457.50, and 42 CFR 457.70 require MDHHS to specify in its State Plan the groups to whom Medicaid and CHIP are provided and the conditions of eligibility for individuals in those groups. Cause For part a., MDHHS indicated it did not properly consider all available beneficiary information when determining beneficiary eligibility because of system issues and staff actions. For part b., MDHHS indicated the missing documentation resulted from staff oversight. Effect We consider this to be a material weakness and material noncompliance because MDHHS may have made payments on behalf of ineligible beneficiaries and because of the 9% Medicaid and 23% CHIP error rates. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. ? $1,969 - federal share. ? $656 - State share of costs MDHHS inappropriately used as matching. Recommendations We recommend MDHHS properly consider Medicaid and CHIP eligibility documentation in accordance with eligibility requirements. We also recommend MDHHS maintain documentation to support beneficiary eligibility was determined in accordance with eligibility requirements. Management Views MDHHS agrees with the finding.
FINDING 2022-020 Medicaid Cluster, ALN 93.775, 93.777, and 93.778 and Children's Health Insurance Program, ALN 93.767 - Expenditure Processing for Medical Payments See Schedule of Findings and Questioned Costs for chart/table. Condition MDHHS did not ensure Bridges and CHAMPS contained the correct Medicaid Cluster and CHIP eligibility information to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw was accurate and timely. On a quarterly basis, MDHHS transferred expenditure amounts from the Medicaid Cluster to CHIP by completing a summary-level adjustment determined by analyzing CHAMPS payment data and Bridges eligibility data. As a result, MDHHS identified it incorrectly recorded $39.1 million of CHIP medical payments to the Medicaid Cluster throughout fiscal year 2022. However, we selected a sample of 2 beneficiaries that were transferred to CHIP and noted both beneficiaries were not eligible for CHIP but were in fact Medicaid eligible and, therefore, should not have been transferred. Criteria Federal regulation 45 CFR 75.303 requires the auditee to establish and maintain effective internal control over federal programs that provides reasonable assurance the auditee is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Federal regulation 31 CFR 205 requires state recipients to enter into agreements with the U.S. Department of the Treasury that prescribe specific methods of drawing down federal funds for selected large programs. Cause MDHHS implemented a system change to correct eligibility classifications in Bridges in April 2021. All new cases are being correctly routed. MDHHS expects all existing cases will be updated during the 14-month period following the May 11, 2023 end of the public health emergency, as allowed by the Centers for Medicare and Medicaid Services (CMS). The Medicaid Cluster to CHIP transfer was completed correctly; however, because of an incorrect eligibility determination reflected in Bridges, some cases were transferred in error. Effect MDHHS inappropriately transferred $294 Medicaid Cluster expenditures to CHIP. The federal grantor agency could issue sanctions or disallowances related to noncompliance. Also, of the $39.1 million in quarterly transfers, MDHHS may have improperly received either federal Medicaid Cluster funds or federal CHIP funds depending on the accuracy of the transferred amount. After MDHHS recorded the quarterly summary-level adjustments in the accounting system, it returned the Medicaid Cluster funds to the federal government and appropriately received reimbursement from CHIP. The quarterly CHIP draws were not compliant with the State's Cash Management Improvement Act (CMIA) agreement, which required weekly actual costs draws. For the CHIP compliance requirements noted, we consider this to be a material weakness and material noncompliance because the $39.1 million CHIP expenditures identified by MDHHS as inappropriately charged to and reimbursed by the Medicaid Cluster represented 14% of total CHIP expenditures and both sample items were inappropriately transferred to CHIP. Known Questioned Costs Federal regulation 2 CFR 200.516(a)(3) requires the auditor to report known questioned costs that are less than $25,000 if it is likely total questioned costs would exceed $25,000. ? $235 - federal share of CHIP payments made to providers for ineligible CHIP beneficiaries, of which $235 is questioned in Finding 2022-019. ? $58 - State share of costs MDHHS inappropriately used as matching. Recommendation We recommend MDHHS ensure Bridges and CHAMPS contain the correct Medicaid Cluster and CHIP eligibility information to allow MDHHS to record expenditures to the appropriate program at the time of payment and to ensure the related federal draw is accurate and timely. Management Views MDHHS agrees with the finding.
This section identifies audit findings required to be reported by 2 CFR 200.516(a), including significant deficiencies, material weaknesses, and material instances of noncompliance, including questioned costs, and significant instances of abuse. 2022-001: Submission of Single Audit Reports ? Material Weakness (Repeat Comment 2021-001) Federal Agency: U.S. Department of Health and Human Services, U.S. Department of Housing and Urban Development Program Title: Medical Assistance Program, HOME Investment Partnership Programs, Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution, Section 223 Demonstration Programs to Improve Community Mental Health Services, Block Grants for Community Mental Health Services, Block Grants for Prevention and Treatment of Substance Abuse ALN: 93.778, 14.239, 93.498, 93.829, 93.958, 93.959 Federal Award Source: Pass-through funding and direct funding Pass-Through Entities: AHCCCS (ALN 93.778), Health Resources & Services Administration (ALN 93.498), Substance Abuse & Mental Health Services Administration (ALN 93.829), Arizona Complete Health (ALN?s 93.958 and 93.959) Pass-Through Identifying Number: Various, see schedule of expenditures of federal awards Criteria ? Section 200.512 of the Uniform Guidance states that the Single Audit shall be completed and the data collection form and reporting package shall be submitted within the earlier of 30 calendar days after receipt of the auditor?s report, or nine months after the end of the audit period, unless a longer period is agreed to in advance by the cognizant or oversight agency for audit. Condition and Context - The Organization did not complete and submit its single audits prior to fiscal year 2021 by the required deadline. Cause and Effect - Due to a delay in the preparation of the schedule of expenditures of federal awards and the compiling of records and supporting documentation related to the compliance audit, the Company was not in compliance with the OMB Compliance Supplement reporting requirements. Questioned Costs - None identified. Recommendation ? We recommend that the Organization complete its annual Single Audit and submit the related data collection form and reporting package to the federal clearinghouse by the required deadline. View of Responsible Officials - Management acknowledges the lack of completion and filing of the Single Audit reports prior to fiscal year 2021. This is attributable to a change in ownership of the Organization. All future reports will be filed prior to the deadline in a timely manner through adequate planning and appropriate staffing.
This section identifies audit findings required to be reported by 2 CFR 200.516(a), including significant deficiencies, material weaknesses, and material instances of noncompliance, including questioned costs, and significant instances of abuse. 2022-001: Submission of Single Audit Reports ? Material Weakness (Repeat Comment 2021-001) Federal Agency: U.S. Department of Health and Human Services, U.S. Department of Housing and Urban Development Program Title: Medical Assistance Program, HOME Investment Partnership Programs, Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution, Section 223 Demonstration Programs to Improve Community Mental Health Services, Block Grants for Community Mental Health Services, Block Grants for Prevention and Treatment of Substance Abuse ALN: 93.778, 14.239, 93.498, 93.829, 93.958, 93.959 Federal Award Source: Pass-through funding and direct funding Pass-Through Entities: AHCCCS (ALN 93.778), Health Resources & Services Administration (ALN 93.498), Substance Abuse & Mental Health Services Administration (ALN 93.829), Arizona Complete Health (ALN?s 93.958 and 93.959) Pass-Through Identifying Number: Various, see schedule of expenditures of federal awards Criteria ? Section 200.512 of the Uniform Guidance states that the Single Audit shall be completed and the data collection form and reporting package shall be submitted within the earlier of 30 calendar days after receipt of the auditor?s report, or nine months after the end of the audit period, unless a longer period is agreed to in advance by the cognizant or oversight agency for audit. Condition and Context - The Organization did not complete and submit its single audits prior to fiscal year 2021 by the required deadline. Cause and Effect - Due to a delay in the preparation of the schedule of expenditures of federal awards and the compiling of records and supporting documentation related to the compliance audit, the Company was not in compliance with the OMB Compliance Supplement reporting requirements. Questioned Costs - None identified. Recommendation ? We recommend that the Organization complete its annual Single Audit and submit the related data collection form and reporting package to the federal clearinghouse by the required deadline. View of Responsible Officials - Management acknowledges the lack of completion and filing of the Single Audit reports prior to fiscal year 2021. This is attributable to a change in ownership of the Organization. All future reports will be filed prior to the deadline in a timely manner through adequate planning and appropriate staffing.
This section identifies audit findings required to be reported by 2 CFR 200.516(a), including significant deficiencies, material weaknesses, and material instances of noncompliance, including questioned costs, and significant instances of abuse. 2022-001: Submission of Single Audit Reports ? Material Weakness (Repeat Comment 2021-001) Federal Agency: U.S. Department of Health and Human Services, U.S. Department of Housing and Urban Development Program Title: Medical Assistance Program, HOME Investment Partnership Programs, Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution, Section 223 Demonstration Programs to Improve Community Mental Health Services, Block Grants for Community Mental Health Services, Block Grants for Prevention and Treatment of Substance Abuse ALN: 93.778, 14.239, 93.498, 93.829, 93.958, 93.959 Federal Award Source: Pass-through funding and direct funding Pass-Through Entities: AHCCCS (ALN 93.778), Health Resources & Services Administration (ALN 93.498), Substance Abuse & Mental Health Services Administration (ALN 93.829), Arizona Complete Health (ALN?s 93.958 and 93.959) Pass-Through Identifying Number: Various, see schedule of expenditures of federal awards Criteria ? Section 200.512 of the Uniform Guidance states that the Single Audit shall be completed and the data collection form and reporting package shall be submitted within the earlier of 30 calendar days after receipt of the auditor?s report, or nine months after the end of the audit period, unless a longer period is agreed to in advance by the cognizant or oversight agency for audit. Condition and Context - The Organization did not complete and submit its single audits prior to fiscal year 2021 by the required deadline. Cause and Effect - Due to a delay in the preparation of the schedule of expenditures of federal awards and the compiling of records and supporting documentation related to the compliance audit, the Company was not in compliance with the OMB Compliance Supplement reporting requirements. Questioned Costs - None identified. Recommendation ? We recommend that the Organization complete its annual Single Audit and submit the related data collection form and reporting package to the federal clearinghouse by the required deadline. View of Responsible Officials - Management acknowledges the lack of completion and filing of the Single Audit reports prior to fiscal year 2021. This is attributable to a change in ownership of the Organization. All future reports will be filed prior to the deadline in a timely manner through adequate planning and appropriate staffing.
This section identifies audit findings required to be reported by 2 CFR 200.516(a), including significant deficiencies, material weaknesses, and material instances of noncompliance, including questioned costs, and significant instances of abuse. 2022-001: Submission of Single Audit Reports ? Material Weakness (Repeat Comment 2021-001) Federal Agency: U.S. Department of Health and Human Services, U.S. Department of Housing and Urban Development Program Title: Medical Assistance Program, HOME Investment Partnership Programs, Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution, Section 223 Demonstration Programs to Improve Community Mental Health Services, Block Grants for Community Mental Health Services, Block Grants for Prevention and Treatment of Substance Abuse ALN: 93.778, 14.239, 93.498, 93.829, 93.958, 93.959 Federal Award Source: Pass-through funding and direct funding Pass-Through Entities: AHCCCS (ALN 93.778), Health Resources & Services Administration (ALN 93.498), Substance Abuse & Mental Health Services Administration (ALN 93.829), Arizona Complete Health (ALN?s 93.958 and 93.959) Pass-Through Identifying Number: Various, see schedule of expenditures of federal awards Criteria ? Section 200.512 of the Uniform Guidance states that the Single Audit shall be completed and the data collection form and reporting package shall be submitted within the earlier of 30 calendar days after receipt of the auditor?s report, or nine months after the end of the audit period, unless a longer period is agreed to in advance by the cognizant or oversight agency for audit. Condition and Context - The Organization did not complete and submit its single audits prior to fiscal year 2021 by the required deadline. Cause and Effect - Due to a delay in the preparation of the schedule of expenditures of federal awards and the compiling of records and supporting documentation related to the compliance audit, the Company was not in compliance with the OMB Compliance Supplement reporting requirements. Questioned Costs - None identified. Recommendation ? We recommend that the Organization complete its annual Single Audit and submit the related data collection form and reporting package to the federal clearinghouse by the required deadline. View of Responsible Officials - Management acknowledges the lack of completion and filing of the Single Audit reports prior to fiscal year 2021. This is attributable to a change in ownership of the Organization. All future reports will be filed prior to the deadline in a timely manner through adequate planning and appropriate staffing.
This section identifies audit findings required to be reported by 2 CFR 200.516(a), including significant deficiencies, material weaknesses, and material instances of noncompliance, including questioned costs, and significant instances of abuse. 2022-001: Submission of Single Audit Reports ? Material Weakness (Repeat Comment 2021-001) Federal Agency: U.S. Department of Health and Human Services, U.S. Department of Housing and Urban Development Program Title: Medical Assistance Program, HOME Investment Partnership Programs, Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution, Section 223 Demonstration Programs to Improve Community Mental Health Services, Block Grants for Community Mental Health Services, Block Grants for Prevention and Treatment of Substance Abuse ALN: 93.778, 14.239, 93.498, 93.829, 93.958, 93.959 Federal Award Source: Pass-through funding and direct funding Pass-Through Entities: AHCCCS (ALN 93.778), Health Resources & Services Administration (ALN 93.498), Substance Abuse & Mental Health Services Administration (ALN 93.829), Arizona Complete Health (ALN?s 93.958 and 93.959) Pass-Through Identifying Number: Various, see schedule of expenditures of federal awards Criteria ? Section 200.512 of the Uniform Guidance states that the Single Audit shall be completed and the data collection form and reporting package shall be submitted within the earlier of 30 calendar days after receipt of the auditor?s report, or nine months after the end of the audit period, unless a longer period is agreed to in advance by the cognizant or oversight agency for audit. Condition and Context - The Organization did not complete and submit its single audits prior to fiscal year 2021 by the required deadline. Cause and Effect - Due to a delay in the preparation of the schedule of expenditures of federal awards and the compiling of records and supporting documentation related to the compliance audit, the Company was not in compliance with the OMB Compliance Supplement reporting requirements. Questioned Costs - None identified. Recommendation ? We recommend that the Organization complete its annual Single Audit and submit the related data collection form and reporting package to the federal clearinghouse by the required deadline. View of Responsible Officials - Management acknowledges the lack of completion and filing of the Single Audit reports prior to fiscal year 2021. This is attributable to a change in ownership of the Organization. All future reports will be filed prior to the deadline in a timely manner through adequate planning and appropriate staffing.
This section identifies audit findings required to be reported by 2 CFR 200.516(a), including significant deficiencies, material weaknesses, and material instances of noncompliance, including questioned costs, and significant instances of abuse. 2022-001: Submission of Single Audit Reports ? Material Weakness (Repeat Comment 2021-001) Federal Agency: U.S. Department of Health and Human Services, U.S. Department of Housing and Urban Development Program Title: Medical Assistance Program, HOME Investment Partnership Programs, Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution, Section 223 Demonstration Programs to Improve Community Mental Health Services, Block Grants for Community Mental Health Services, Block Grants for Prevention and Treatment of Substance Abuse ALN: 93.778, 14.239, 93.498, 93.829, 93.958, 93.959 Federal Award Source: Pass-through funding and direct funding Pass-Through Entities: AHCCCS (ALN 93.778), Health Resources & Services Administration (ALN 93.498), Substance Abuse & Mental Health Services Administration (ALN 93.829), Arizona Complete Health (ALN?s 93.958 and 93.959) Pass-Through Identifying Number: Various, see schedule of expenditures of federal awards Criteria ? Section 200.512 of the Uniform Guidance states that the Single Audit shall be completed and the data collection form and reporting package shall be submitted within the earlier of 30 calendar days after receipt of the auditor?s report, or nine months after the end of the audit period, unless a longer period is agreed to in advance by the cognizant or oversight agency for audit. Condition and Context - The Organization did not complete and submit its single audits prior to fiscal year 2021 by the required deadline. Cause and Effect - Due to a delay in the preparation of the schedule of expenditures of federal awards and the compiling of records and supporting documentation related to the compliance audit, the Company was not in compliance with the OMB Compliance Supplement reporting requirements. Questioned Costs - None identified. Recommendation ? We recommend that the Organization complete its annual Single Audit and submit the related data collection form and reporting package to the federal clearinghouse by the required deadline. View of Responsible Officials - Management acknowledges the lack of completion and filing of the Single Audit reports prior to fiscal year 2021. This is attributable to a change in ownership of the Organization. All future reports will be filed prior to the deadline in a timely manner through adequate planning and appropriate staffing.
This section identifies audit findings required to be reported by 2 CFR 200.516(a), including significant deficiencies, material weaknesses, and material instances of noncompliance, including questioned costs, and significant instances of abuse. 2022-001: Submission of Single Audit Reports ? Material Weakness (Repeat Comment 2021-001) Federal Agency: U.S. Department of Health and Human Services, U.S. Department of Housing and Urban Development Program Title: Medical Assistance Program, HOME Investment Partnership Programs, Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution, Section 223 Demonstration Programs to Improve Community Mental Health Services, Block Grants for Community Mental Health Services, Block Grants for Prevention and Treatment of Substance Abuse ALN: 93.778, 14.239, 93.498, 93.829, 93.958, 93.959 Federal Award Source: Pass-through funding and direct funding Pass-Through Entities: AHCCCS (ALN 93.778), Health Resources & Services Administration (ALN 93.498), Substance Abuse & Mental Health Services Administration (ALN 93.829), Arizona Complete Health (ALN?s 93.958 and 93.959) Pass-Through Identifying Number: Various, see schedule of expenditures of federal awards Criteria ? Section 200.512 of the Uniform Guidance states that the Single Audit shall be completed and the data collection form and reporting package shall be submitted within the earlier of 30 calendar days after receipt of the auditor?s report, or nine months after the end of the audit period, unless a longer period is agreed to in advance by the cognizant or oversight agency for audit. Condition and Context - The Organization did not complete and submit its single audits prior to fiscal year 2021 by the required deadline. Cause and Effect - Due to a delay in the preparation of the schedule of expenditures of federal awards and the compiling of records and supporting documentation related to the compliance audit, the Company was not in compliance with the OMB Compliance Supplement reporting requirements. Questioned Costs - None identified. Recommendation ? We recommend that the Organization complete its annual Single Audit and submit the related data collection form and reporting package to the federal clearinghouse by the required deadline. View of Responsible Officials - Management acknowledges the lack of completion and filing of the Single Audit reports prior to fiscal year 2021. This is attributable to a change in ownership of the Organization. All future reports will be filed prior to the deadline in a timely manner through adequate planning and appropriate staffing.
Item 2022-01 ? Late Submissions for Reporting Requirements and Fiscal Year Reporting Audit findings under 2 CFR section 200.516(a). Criteria: In accordance with terms of the federal award granted for the major program, Faith Community United Credit Union, Inc. (?the Credit Union?) must submit the annual report components in accordance with the Credit Union?s fiscal year. Condition: During our procedures performed over compliance with reporting requirements (as stipulated under Schedule 1, Section A of the CDFI Fund Assistance Agreement for the major program), we noted that the Credit Union?s annual report components were based on a fiscal year ending December 31, 2021. Inquiry with management and inspection of the prior period audit reports identified that the Credit Union?s fiscal year is September 30. As a result, the report due dates for the annual report components were improperly identified. This resulted in the annual report components that were submitted late to document the incorrect fiscal year end date. This also resulted in the submissions for the Financial Statements, TLR, Performance Progress Report, and Uses of Award Report for fiscal year 2021 to incorrectly include information for October through December 2021. This financial information should have been included in the fiscal year 2022 reporting. Cause: The Credit Union did not maintain adequate internal controls to ensure the Credit Union?s fiscal year end was appropriately reported, and by extension, that the annual report submissions were completed within the correct due dates for the proper reporting timeframe. Recommendation: We recommend that management properly reflect the annual reporting components using its September 30 fiscal year end. We also recommend that management contact their CDFI representative to identify what correcting steps be completed, if any, for the year ended September 30, 2021 reporting components.
COVID-19 Coronavirus Relief Fund (21.019) Agency: Department of Treasury Federal Award Number/Year: 2020 Program & ALN: COVID-19 Coronavirus Relief Fund - 21.019 Pass-through Entities: Virginia Department of Accounts Compliance Requirement: Reporting Finding Type: Finding reported in accordance with 2 CFR section 200.516(a) and material weakness of internal controls surrounding reporting requirements. Criteria: Per single audit requirements, prime recipients (i.e. the Commonwealth of Virginia) are required to submit quarterly Financial Progress reports. To assist with the reporting requirement, the Commonwealth required quarterly reports from its subrecipients (the County). Condition: The County did not file a required quarterly report for the quarter ended September 30, 2021. Cause: The County did not have a proper reporting and review process of federal grants and failed to submit the required report. Effect: The amounts reported by the County to the Commonwealth are understated resulting in an error in reporting by the Commonwealth to the federal government. Recommendation: Management should establish a reconciliation process and reports should be reviewed by someone other than the preparer prior to submission to ensure accuracy of reporting. Views of Responsible Officials and Planned Corrective Action: The County concurs with the finding. The County corrected activity with the final reporting filed for the period ended December 31, 2021.
A. Summary of Auditor's Results 1. The auditor's report expresses a unmodified opinion on whether the financial statements of Geneva Avenue Elderly Housing, Inc. were prepared in accordance with generally accepted accounting principles. 2. No significant deficiencies related to the audit of the financial statements were reported in the Independent Auditor's Report on Internal Control over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial Statements Performed in Accordance with Government Auditing Standards. No material weaknesses were reported. 3. One instance of noncompliance material to the financial statements of Geneva Avenue Elderly Housing, Inc., which would be required to be reported in accordance with Government Auditing Standards, was disclosed during the audit. 4. One significant deficiency in internal control over major federal award programs was disclosed during the audit and reported in the Independent Auditor's Report on Compliance for the Major Federal Program and on Internal Control over Compliance Required by the Uniform Guidance. No material weaknesses were reported. 5. The auditor's report on compliance for the major federal award programs for Geneva Avenue Elderly Housing, Inc. expresses a qualified opinion on all major federal programs. 6. There is one audit finding required to be reported in accordance with 2 CFR Section 200.516(a) in this Schedule. 7. The programs tested as major programs included: CFDA Number Name of Federal Program 14.157 HUD Section 202 (Capital Advance) 8. The threshold for distinguishing between Type A and B programs was $750,000. 9. Geneva Avenue Elderly Housing, Inc. was determined to be a low risk auditee. B. Financial Statement Findings None reported C. Federal Award Findings and Questioned Costs Department of Housing and Urban Development Finding No. 2022-001; Assistance Listing No. 14.157 Support Housing for the Elderly (Section 202) Criteria Tenant lease files are required to be maintained and tenant eligibility determined in accordance with HUD Handbook 4571.3, Section 202 Supportive Housing for the Elderly. Condition In connection with our lease file testing, we noted that six tenant files out of the six tenant files tested did not have the EIV completed timely for the most recent annual recertification. Cause There was an administrative error involving personnel involved in the annual recertification process resulting in the EIV reports not being run in accordance with the HUD program guidelines. Effect or Potential Effect The Corporation is not in compliance with HUD Program guidelines. Recommendation The Corporation should ensure that EIV reports are run timely in connection with the annual recertification in accordance with the HUD Program guidelines, and it should monitor its compliance with those policies and procedures. Auditor Noncompliance Code: R - Section 8 program administration Reporting Views of Responsible Officials: Management concurs with the finding. Management has communicated with the staff the importance of completing EIV reports in accordance with HUD Program guidelines, and on a go forward basis will enhance its monitoring of compliance with this requirement to ensure that EIV's are run within an appropriate time frame.
THIS FINDING IS: New FINDING TYPE: Internal Control DEFICIENCY TYPE: Significant Deficiency Federal Program Name and Year: Education Stabilization Fund - 2022 Project No.: 20-4998-ER AL No.: 84.425D Passed Through: Illinois State Board of Education Federal Agency: U.S. Department of Education Criteria or specific requirement (including statutory, regulatory, or other citation): The District is required to report grant expenditures in accordance with the Illinois State Board of Education State and Federal Grant Administration Policy and Fiscal Requirements and Procedures and the ISBE Illinois Program Account Manual, which is consistent with the provisions of the Uniform Guidance. According to Uniform Guidance, Title 2 CFR 200.516, the District is required to maintain internal control over Federal programs that provide reasonable assurance that the Auditee is managing Federal awards in compliance with laws, regulations, and provisions of contracts or grant agreements that could have a material effect on each of its Federal programs. Under Uniform Guidance, Title 2 CFR 200.501, a non-Federal entity that expends $750,000 or more during the entity's fiscal year in Federal awards must have a single audit conducted for that year. Condition: The District overstated expenditures on the ESSER I June 30, 2021 expenditure report. Questioned Costs: The ESSER I 2020 project year's June 30, 2021 expenditure report included $10,678 of questioned costs. Purchased Services were overstated by $2,300, Supplies and Materials were overstated by $6,035, and Capital Outlay was overstated by $2,343 when compared to the accounting records. Context: The ESSER I 2020 project year's June 30, 2021 expenditure report included $10,678 of questioned costs. Purchased Services were overstated by $2,300, Supplies and Materials were overstated by $6,035, and Capital Outlay was overstated by $2,343 when compared to the accounting records. Effect: Expenditures reported on the final project expenditure report were overstated by $10,678. Excluding the $10,678 of overstated expenditures from the calculation of over all expenditures of federal awards resulted in the district expending less than $750,000 of federal awards during the year ended June 30, 2021 and thereby not being subject to the Uniform Guidance/Single Audit provisions. Cause: ESSER I 2020 project year's final expenditures were reported in error. Recommendation: Grant expenditures should be reviewed and reconciled back to the accounting records prior to submitting final reports; ISBE grants division should be contacted regarding this discrepancy. Management's response: The District agrees that the expenditures claimed on the June 30, 2021 expenditure report was overstated by $10,678 and in the future will review and reconcile the expenditure reports to the accounting records before submitting to ISBE.
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.