Finding 2022-704: Research and Development Cluster?Unallowable Costs Background: During FY 2021-22, UW institutions were awarded $741.6 million in federal funding as part of the Research and Development Cluster, for which UW Madison expended the majority of the funding. UW Madison purchases a variety of supplies and other goods or services to conduct its research activities. Criteria: Under 2 CFR s. 200.303, UW Madison is responsible for establishing and maintaining effective internal control over federal awards that provides reasonable assurance that it is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of federal awards. Further, 2 CFR s. 200.405 (a) specifies that for a cost to be allocable to a federal award the cost must be incurred specifically for the federal award; benefit both the federal award and other work; be distributed in proportions; be necessary to overall institutional operations; and be assignable, in part, to the federal award. Condition: We found that UW-Madison charged two unallowable costs to two federal awards during FY 2021 22. First, we found that UW Madison charged $54 for facilities and maintenance expenses relating to a location not used for purposes related to the federal award. Second, we found that UW Madison charged $596 in software license fees to a federal award. However, it is UW Madison?s practice to charge such fees to a nonfederal project. Context: During FY 2021-22, UW-Madison expended $86.9 million in certain nonpayroll expenses using federal Research and Development Cluster funding. There were 84,230 transactions comprising this amount with an average dollar amount of $1,032. We reviewed 40 such transactions to determine if the expenses were allowable under federal regulations. To complete our testing, we requested supporting documentation and information from UW-Madison for the transactions we reviewed. Questioned Costs: We questioned $650 in known questioned costs and an undetermined amount for other expenses we did not review. Because our testing was based upon a sample of payments it is likely there are additional cases where the payment is inappropriately charged to a federal award. We estimate these additional questioned costs are likely over $25,000, which is required to be reported under 2 CFR s. 200.516. Effect: UW-Madison used $650 in federal funds from the Research and Development Cluster for unallowable costs during FY 2021-22. Because unallowable costs were charged to the Research and Development Cluster, UW-Madison was not in compliance with federal requirements for the use of federal funding. Cause: UW-Madison staff indicated that the charges were applied to incorrect accounting codes when the expenses were originally recorded. For example, the $54 for facilities and maintenance expenses was charged to a federal award in the accounting system due to a limitation of certain billing codes for applying such expenses to the correct location of the work. These errors were not identified or corrected during the review of the payment or of other UW Madison monitoring activities. In December 2022 and January 2023, UW Madison corrected these accounting codes for these transactions and transferred the expenses to nonfederal projects. Recommendation: We recommend the University of Wisconsin Madison provide guidance and training to staff to ensure all costs are properly charged to federal award accounting codes and only costs allowable under federal regulations are charged to federal funds. Finding 2022-704: Research and Development Cluster?Unallowable Costs Research and Development Cluster (various Assistance Listing numbers) Award Numbers Award Years Various Various Questioned Costs: $650 Type of Finding: Noncompliance Response from the University of Wisconsin Madison: The University of Wisconsin-Madison agrees with the audit finding and recommendation.
Program: AL 21.023 ? COVID-19 Emergency Rental Assistance ? Allowability & Eligibility Grant Number & Year: N/A Federal Grantor Agency: U.S. Department of the Treasury Criteria: Per 2 CFR ? 1000.10 (January 1, 2022), the U.S. Department of the Treasury adopted the Uniform Administrative Requirements, Cost Principles, and Audit Requirements set forth at 2 CFR part 200. 2 CFR ? 200.303 (January 1, 2022) states, in relevant part, the following: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. . . . Good internal controls require risk assessments to be performed, and procedures to verify the validity of applicants prior to payment. 2 CFR ? 200.403 (January 1, 2022) states, in part: Except where otherwise authorized by statute, costs must meet the following general criteria in order to be allowable under Federal awards: (a) Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles. * * * * (g) Be adequately documented. The Nebraska ERA Program FAQ states, ?Who is eligible? You are eligible if you answer YES to ALL of the following: . . .Your landlord is not an immediate family member.? Division N ? Additional Coronavirus Response and Relief, Title V ? Banking, Section 501(k)(3)(A) of the Consolidated Appropriations Act, 2021, states that an eligible household is a household of one or more individuals that is obligated to pay rent on a residential dwelling. Good internal controls require procedures to verify the validity of applicants prior to payment. Condition: Procedures were not adequate to ensure that payments were allowable, and individuals were eligible for assistance. A similar finding was noted in the prior audit. Repeat Finding: 2021-064 Questioned Costs: $76,050 known Statistical Sample: No Context: During testing of 40 aid payments, we noted one payment, totaling $1,350, made to an applicant whose landlord was an immediate relative. The total sample tested was $87,526, and total assistance payments for the fiscal year were $17,456,087. The dollar error rate for the sample was 1.54% ($1,350/$87,526), which estimates the potential dollars at risk for fiscal year 2022 to be $268,824 (dollar rate multiplied by the population.) In the prior and current audit, we noted that the Agency identified likely fraudulent payments. As of January 9, 2023, the Agency had identified $155,360 and $822,188 of likely fraudulent payments in fiscal years ended June 30, 2021, and June 30, 2022, respectively. We reviewed five of these payments, totaling $74,700, in fiscal year 2022. For all five payments, we noted indicators of possible fraud, as information on the application provided was inconsistent with the information from other databases or systems. Examples of such indicators include the following: 1) the owner of the property per the County Assessors website not agreeing to the owner listed on the application; 2) generic and editable supporting documentation; and 3) tenants and landlords having out-of-state identification and telephone numbers. According to the Agency, these payments have been referred to the State Patrol for further investigation. Cause: The Agency had various procedures for ensuring that application information was accurate; however, verifying the property owner to County Assessor information was not required. Effect: There is an increased risk for fraudulent payments. Once fraudulent payments have been made, the likelihood of recouping them is low. Recommendation: We recommend the Agency improve its procedures for verifying the validity of applicants prior to payments. We further recommend the Agency continue to work with law enforcement to recoup improper payments. Management Response: The Military Department does not agree with this finding. The State has implemented a strong system of internal controls to determine program eligibility. These controls include detailed pre-payment and post-payment analytics to help identify applications at risk for fraud. As the ERA program progressed in Nebraska and nationally, program procedures continued to be enhanced to monitor for and prevent potentially fraudulent applications. During its life the program provided proactive fraud detection for over 56,000 tenant and landlord applications and prevented approximately $23M of funding from being paid out erroneously. Additionally, the State turns over any paid applications that have been subsequently determined at risk of being fraudulent to the State Patrol for further investigation and potential prosecution. APA Response: In addition to the one of 40 payments tested with errors, five payments we reviewed noted possible indications of fraud. Once fraudulent payments have been made, the likelihood of recouping them is low. 2 CFR ? 200.516 (January 1, 2022) requires reporting known or likely fraud affecting a Federal award.
Section I - Summary of Auditor's Results Financial Statements Type of auditor's report issued: Unmodified Internal control over financial reporting: Material weakness(es) identified? yes X no Significant deficiency(ies) identified that are not considered to be material weaknesses? yes X none reported Noncompliance material to financial statements noted? yes X no Federal Awards Internal control over major programs: Material weakness(es) identified? yes X no Significant deficiency(ies) identified that are not considered to be material weaknesses? yes X none reported Type of auditor's report issued on compliance for major programs: Unmodified Any audit findings disclosed that are required to be reported in accordance with the 2 CFR 200.516(a)? X yes no Identification of major programs A s sCiFsDtaAn cNeu Lmisbteinr(gs )Number(s) Name of Federal Program or Cluster Various Student Financial Assistance Cluster Dollar threshold used to distinguish between type A and type B programs: $ 3,000,000 Auditee qualified as low-risk auditee? X yes no Section II - Financial Statement Findings No matters noted. Section III ? Federal Award Findings and Questioned Costs Finding 2022-001: Notification of Title IV disbursement not provided appropriately Federal Agency: Department of Education Program: Student Financial Assistance Cluster Assistance Listing #: Various Award #: Various Award Year: 2021-2022 Criteria: 34 CFR 668.165, Before an institution disburses Title IV, HEA program funds for any award year, the institution must notify a student of the amount of funds that the student or his or her parent can expect to receive under each Title IV, HEA program, and how and when those funds will be disbursed. If those funds include Direct Loan program funds, the notice must indicate which funds are from subsidized loans, which are from unsubsidized loans, and which are from PLUS loans. Questioned Costs: None. Condition: During the 2021-2022 award year, four out of twenty-five students tested in our sample of disbursements of Title IV funds were not provided notification prior to disbursement of funds as dictated by 34 CFR 668.165. Notification was provided subsequent to disbursement for three of these students; however, one student was not notified at all. Cause: The University?s internal controls over Title IV eligibility and disbursement include a manual review of each student?s account prior to disbursement. Upon completion of this review, the employee performing the review will manually flag the student?s account in the system which generates the required notification prior to disbursement. These four student accounts were not manually flagged for notification. Effect: The University did not provide timely notification to three students and did not provide notification at all for one student. Recommendation: We recommend the University reiterate to control owners the importance of manually flagging students? accounts when reviews are performed. Additionally, a review control to ensure notifications are provided prior to disbursement should be considered. Views of Responsible Officials/Management Response: See Management?s view and corrective action plan included at the end of this report.
Section I - Summary of Auditor's Results Financial Statements Type of auditor's report issued: Unmodified Internal control over financial reporting: Material weakness(es) identified? yes X no Significant deficiency(ies) identified that are not considered to be material weaknesses? yes X none reported Noncompliance material to financial statements noted? yes X no Federal Awards Internal control over major programs: Material weakness(es) identified? yes X no Significant deficiency(ies) identified that are not considered to be material weaknesses? yes X none reported Type of auditor's report issued on compliance for major programs: Unmodified Any audit findings disclosed that are required to be reported in accordance with the 2 CFR 200.516(a)? X yes no Identification of major programs A s sCiFsDtaAn cNeu Lmisbteinr(gs )Number(s) Name of Federal Program or Cluster Various Student Financial Assistance Cluster Dollar threshold used to distinguish between type A and type B programs: $ 3,000,000 Auditee qualified as low-risk auditee? X yes no Section II - Financial Statement Findings No matters noted. Section III ? Federal Award Findings and Questioned Costs Finding 2022-001: Notification of Title IV disbursement not provided appropriately Federal Agency: Department of Education Program: Student Financial Assistance Cluster Assistance Listing #: Various Award #: Various Award Year: 2021-2022 Criteria: 34 CFR 668.165, Before an institution disburses Title IV, HEA program funds for any award year, the institution must notify a student of the amount of funds that the student or his or her parent can expect to receive under each Title IV, HEA program, and how and when those funds will be disbursed. If those funds include Direct Loan program funds, the notice must indicate which funds are from subsidized loans, which are from unsubsidized loans, and which are from PLUS loans. Questioned Costs: None. Condition: During the 2021-2022 award year, four out of twenty-five students tested in our sample of disbursements of Title IV funds were not provided notification prior to disbursement of funds as dictated by 34 CFR 668.165. Notification was provided subsequent to disbursement for three of these students; however, one student was not notified at all. Cause: The University?s internal controls over Title IV eligibility and disbursement include a manual review of each student?s account prior to disbursement. Upon completion of this review, the employee performing the review will manually flag the student?s account in the system which generates the required notification prior to disbursement. These four student accounts were not manually flagged for notification. Effect: The University did not provide timely notification to three students and did not provide notification at all for one student. Recommendation: We recommend the University reiterate to control owners the importance of manually flagging students? accounts when reviews are performed. Additionally, a review control to ensure notifications are provided prior to disbursement should be considered. Views of Responsible Officials/Management Response: See Management?s view and corrective action plan included at the end of this report.
Section I - Summary of Auditor's Results Financial Statements Type of auditor's report issued: Unmodified Internal control over financial reporting: Material weakness(es) identified? yes X no Significant deficiency(ies) identified that are not considered to be material weaknesses? yes X none reported Noncompliance material to financial statements noted? yes X no Federal Awards Internal control over major programs: Material weakness(es) identified? yes X no Significant deficiency(ies) identified that are not considered to be material weaknesses? yes X none reported Type of auditor's report issued on compliance for major programs: Unmodified Any audit findings disclosed that are required to be reported in accordance with the 2 CFR 200.516(a)? X yes no Identification of major programs A s sCiFsDtaAn cNeu Lmisbteinr(gs )Number(s) Name of Federal Program or Cluster Various Student Financial Assistance Cluster Dollar threshold used to distinguish between type A and type B programs: $ 3,000,000 Auditee qualified as low-risk auditee? X yes no Section II - Financial Statement Findings No matters noted. Section III ? Federal Award Findings and Questioned Costs Finding 2022-001: Notification of Title IV disbursement not provided appropriately Federal Agency: Department of Education Program: Student Financial Assistance Cluster Assistance Listing #: Various Award #: Various Award Year: 2021-2022 Criteria: 34 CFR 668.165, Before an institution disburses Title IV, HEA program funds for any award year, the institution must notify a student of the amount of funds that the student or his or her parent can expect to receive under each Title IV, HEA program, and how and when those funds will be disbursed. If those funds include Direct Loan program funds, the notice must indicate which funds are from subsidized loans, which are from unsubsidized loans, and which are from PLUS loans. Questioned Costs: None. Condition: During the 2021-2022 award year, four out of twenty-five students tested in our sample of disbursements of Title IV funds were not provided notification prior to disbursement of funds as dictated by 34 CFR 668.165. Notification was provided subsequent to disbursement for three of these students; however, one student was not notified at all. Cause: The University?s internal controls over Title IV eligibility and disbursement include a manual review of each student?s account prior to disbursement. Upon completion of this review, the employee performing the review will manually flag the student?s account in the system which generates the required notification prior to disbursement. These four student accounts were not manually flagged for notification. Effect: The University did not provide timely notification to three students and did not provide notification at all for one student. Recommendation: We recommend the University reiterate to control owners the importance of manually flagging students? accounts when reviews are performed. Additionally, a review control to ensure notifications are provided prior to disbursement should be considered. Views of Responsible Officials/Management Response: See Management?s view and corrective action plan included at the end of this report.
Section I - Summary of Auditor's Results Financial Statements Type of auditor's report issued: Unmodified Internal control over financial reporting: Material weakness(es) identified? yes X no Significant deficiency(ies) identified that are not considered to be material weaknesses? yes X none reported Noncompliance material to financial statements noted? yes X no Federal Awards Internal control over major programs: Material weakness(es) identified? yes X no Significant deficiency(ies) identified that are not considered to be material weaknesses? yes X none reported Type of auditor's report issued on compliance for major programs: Unmodified Any audit findings disclosed that are required to be reported in accordance with the 2 CFR 200.516(a)? X yes no Identification of major programs A s sCiFsDtaAn cNeu Lmisbteinr(gs )Number(s) Name of Federal Program or Cluster Various Student Financial Assistance Cluster Dollar threshold used to distinguish between type A and type B programs: $ 3,000,000 Auditee qualified as low-risk auditee? X yes no Section II - Financial Statement Findings No matters noted. Section III ? Federal Award Findings and Questioned Costs Finding 2022-001: Notification of Title IV disbursement not provided appropriately Federal Agency: Department of Education Program: Student Financial Assistance Cluster Assistance Listing #: Various Award #: Various Award Year: 2021-2022 Criteria: 34 CFR 668.165, Before an institution disburses Title IV, HEA program funds for any award year, the institution must notify a student of the amount of funds that the student or his or her parent can expect to receive under each Title IV, HEA program, and how and when those funds will be disbursed. If those funds include Direct Loan program funds, the notice must indicate which funds are from subsidized loans, which are from unsubsidized loans, and which are from PLUS loans. Questioned Costs: None. Condition: During the 2021-2022 award year, four out of twenty-five students tested in our sample of disbursements of Title IV funds were not provided notification prior to disbursement of funds as dictated by 34 CFR 668.165. Notification was provided subsequent to disbursement for three of these students; however, one student was not notified at all. Cause: The University?s internal controls over Title IV eligibility and disbursement include a manual review of each student?s account prior to disbursement. Upon completion of this review, the employee performing the review will manually flag the student?s account in the system which generates the required notification prior to disbursement. These four student accounts were not manually flagged for notification. Effect: The University did not provide timely notification to three students and did not provide notification at all for one student. Recommendation: We recommend the University reiterate to control owners the importance of manually flagging students? accounts when reviews are performed. Additionally, a review control to ensure notifications are provided prior to disbursement should be considered. Views of Responsible Officials/Management Response: See Management?s view and corrective action plan included at the end of this report.
Section I - Summary of Auditor's Results Financial Statements Type of auditor's report issued: Unmodified Internal control over financial reporting: Material weakness(es) identified? yes X no Significant deficiency(ies) identified that are not considered to be material weaknesses? yes X none reported Noncompliance material to financial statements noted? yes X no Federal Awards Internal control over major programs: Material weakness(es) identified? yes X no Significant deficiency(ies) identified that are not considered to be material weaknesses? yes X none reported Type of auditor's report issued on compliance for major programs: Unmodified Any audit findings disclosed that are required to be reported in accordance with the 2 CFR 200.516(a)? X yes no Identification of major programs A s sCiFsDtaAn cNeu Lmisbteinr(gs )Number(s) Name of Federal Program or Cluster Various Student Financial Assistance Cluster Dollar threshold used to distinguish between type A and type B programs: $ 3,000,000 Auditee qualified as low-risk auditee? X yes no Section II - Financial Statement Findings No matters noted. Section III ? Federal Award Findings and Questioned Costs Finding 2022-001: Notification of Title IV disbursement not provided appropriately Federal Agency: Department of Education Program: Student Financial Assistance Cluster Assistance Listing #: Various Award #: Various Award Year: 2021-2022 Criteria: 34 CFR 668.165, Before an institution disburses Title IV, HEA program funds for any award year, the institution must notify a student of the amount of funds that the student or his or her parent can expect to receive under each Title IV, HEA program, and how and when those funds will be disbursed. If those funds include Direct Loan program funds, the notice must indicate which funds are from subsidized loans, which are from unsubsidized loans, and which are from PLUS loans. Questioned Costs: None. Condition: During the 2021-2022 award year, four out of twenty-five students tested in our sample of disbursements of Title IV funds were not provided notification prior to disbursement of funds as dictated by 34 CFR 668.165. Notification was provided subsequent to disbursement for three of these students; however, one student was not notified at all. Cause: The University?s internal controls over Title IV eligibility and disbursement include a manual review of each student?s account prior to disbursement. Upon completion of this review, the employee performing the review will manually flag the student?s account in the system which generates the required notification prior to disbursement. These four student accounts were not manually flagged for notification. Effect: The University did not provide timely notification to three students and did not provide notification at all for one student. Recommendation: We recommend the University reiterate to control owners the importance of manually flagging students? accounts when reviews are performed. Additionally, a review control to ensure notifications are provided prior to disbursement should be considered. Views of Responsible Officials/Management Response: See Management?s view and corrective action plan included at the end of this report.
Section I - Summary of Auditor's Results Financial Statements Type of auditor's report issued: Unmodified Internal control over financial reporting: Material weakness(es) identified? yes X no Significant deficiency(ies) identified that are not considered to be material weaknesses? yes X none reported Noncompliance material to financial statements noted? yes X no Federal Awards Internal control over major programs: Material weakness(es) identified? yes X no Significant deficiency(ies) identified that are not considered to be material weaknesses? yes X none reported Type of auditor's report issued on compliance for major programs: Unmodified Any audit findings disclosed that are required to be reported in accordance with the 2 CFR 200.516(a)? X yes no Identification of major programs A s sCiFsDtaAn cNeu Lmisbteinr(gs )Number(s) Name of Federal Program or Cluster Various Student Financial Assistance Cluster Dollar threshold used to distinguish between type A and type B programs: $ 3,000,000 Auditee qualified as low-risk auditee? X yes no Section II - Financial Statement Findings No matters noted. Section III ? Federal Award Findings and Questioned Costs Finding 2022-001: Notification of Title IV disbursement not provided appropriately Federal Agency: Department of Education Program: Student Financial Assistance Cluster Assistance Listing #: Various Award #: Various Award Year: 2021-2022 Criteria: 34 CFR 668.165, Before an institution disburses Title IV, HEA program funds for any award year, the institution must notify a student of the amount of funds that the student or his or her parent can expect to receive under each Title IV, HEA program, and how and when those funds will be disbursed. If those funds include Direct Loan program funds, the notice must indicate which funds are from subsidized loans, which are from unsubsidized loans, and which are from PLUS loans. Questioned Costs: None. Condition: During the 2021-2022 award year, four out of twenty-five students tested in our sample of disbursements of Title IV funds were not provided notification prior to disbursement of funds as dictated by 34 CFR 668.165. Notification was provided subsequent to disbursement for three of these students; however, one student was not notified at all. Cause: The University?s internal controls over Title IV eligibility and disbursement include a manual review of each student?s account prior to disbursement. Upon completion of this review, the employee performing the review will manually flag the student?s account in the system which generates the required notification prior to disbursement. These four student accounts were not manually flagged for notification. Effect: The University did not provide timely notification to three students and did not provide notification at all for one student. Recommendation: We recommend the University reiterate to control owners the importance of manually flagging students? accounts when reviews are performed. Additionally, a review control to ensure notifications are provided prior to disbursement should be considered. Views of Responsible Officials/Management Response: See Management?s view and corrective action plan included at the end of this report.
Section I - Summary of Auditor's Results Financial Statements Type of auditor's report issued: Unmodified Internal control over financial reporting: Material weakness(es) identified? yes X no Significant deficiency(ies) identified that are not considered to be material weaknesses? yes X none reported Noncompliance material to financial statements noted? yes X no Federal Awards Internal control over major programs: Material weakness(es) identified? yes X no Significant deficiency(ies) identified that are not considered to be material weaknesses? yes X none reported Type of auditor's report issued on compliance for major programs: Unmodified Any audit findings disclosed that are required to be reported in accordance with the 2 CFR 200.516(a)? X yes no Identification of major programs A s sCiFsDtaAn cNeu Lmisbteinr(gs )Number(s) Name of Federal Program or Cluster Various Student Financial Assistance Cluster Dollar threshold used to distinguish between type A and type B programs: $ 3,000,000 Auditee qualified as low-risk auditee? X yes no Section II - Financial Statement Findings No matters noted. Section III ? Federal Award Findings and Questioned Costs Finding 2022-001: Notification of Title IV disbursement not provided appropriately Federal Agency: Department of Education Program: Student Financial Assistance Cluster Assistance Listing #: Various Award #: Various Award Year: 2021-2022 Criteria: 34 CFR 668.165, Before an institution disburses Title IV, HEA program funds for any award year, the institution must notify a student of the amount of funds that the student or his or her parent can expect to receive under each Title IV, HEA program, and how and when those funds will be disbursed. If those funds include Direct Loan program funds, the notice must indicate which funds are from subsidized loans, which are from unsubsidized loans, and which are from PLUS loans. Questioned Costs: None. Condition: During the 2021-2022 award year, four out of twenty-five students tested in our sample of disbursements of Title IV funds were not provided notification prior to disbursement of funds as dictated by 34 CFR 668.165. Notification was provided subsequent to disbursement for three of these students; however, one student was not notified at all. Cause: The University?s internal controls over Title IV eligibility and disbursement include a manual review of each student?s account prior to disbursement. Upon completion of this review, the employee performing the review will manually flag the student?s account in the system which generates the required notification prior to disbursement. These four student accounts were not manually flagged for notification. Effect: The University did not provide timely notification to three students and did not provide notification at all for one student. Recommendation: We recommend the University reiterate to control owners the importance of manually flagging students? accounts when reviews are performed. Additionally, a review control to ensure notifications are provided prior to disbursement should be considered. Views of Responsible Officials/Management Response: See Management?s view and corrective action plan included at the end of this report.
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
The following findings and recommendations relating to internal control deficiencies classified as Material Weaknesses and a Significant Deficiency were communicated to the Department of Health Care Policy and Financing (Department) in previous years and have not been remediated as of June 30, 2022 because the original implementation dates provided by the Department were in a subsequent fiscal year. These complete findings and recommendations can be found within the original report and the complete recommendations can be found within Section IV: Prior Audit Recommendations of this report. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Finding 2021-045 Payments for Non-Emergent Medical Transportation ClaimsPrior to July 2020, in 55 counties, the Department worked with various county offices to have them broker Non-Emergent Medical Transportation (NEMT) services for Medicaid recipients, including rides to and from Medicaid medical appointments, personal mileage reimbursement, and trip-related meals and lodging. For example, these counties arranged the rides with transportation providers, submitted the claims or had providers submit claims for reimbursement to the Department, and passed on reimbursements to providers as needed. For the remaining nine counties, the Department contracted with IntelliRide to serve as the NEMT broker for services in those areas. From July 1, 2020, to August 31, 2021, when the Department contracted with IntelliRide to be the statewide broker, most recipients throughout the state scheduled NEMT rides by contacting IntelliRide through its call center, website chat function, or smartphone applications. IntelliRide scheduled rides and assigned transportation providers to them, and had providers upload trip information into IntelliRide?s EcoLane transportation scheduling system. EcoLane maintains information related to recipients? requests for rides and provider trip information, such as the trip date and time, names of the recipient and driver, and scheduled pick-up and destination addresses. IntelliRide submitted claims through the Department?s interChange system (interChange) requesting payments for providers? NEMT services, paid providers for their services, and received reimbursement from the Department. In addition, the Department paid NEMT claims submitted directly by NEMT providers. In Fiscal Year 2021, from July 1, 2020, through February 28, 2021 (the audit period), the Department paid 362,110 claims for NEMT services totaling about $33.2 million, as shown in the following table. In September 2021, the Department plans to transition back to IntelliRide brokering services in nine counties, while the NEMT providers in the remaining counties will broker their own services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote What audit work was performed and how were the results measured? The purpose of the audit work was to determine whether the Department has ensured that NEMT claims adhere to the following federal and state requirements. ? NEMT trips were to be brokered through, and all claims submitted by, the statewide broker, Intelliride. According to state regulations and the Department?s NEMT Billing Manual, all NEMT trips during Fiscal Year 2021 had to be authorized by the statewide broker, IntelliRide [10 CCR 2505-10 8.014.7.A]. This means that each recipient?s NEMT ride request should have been sent to IntelliRide for approval or authorization before the trip, and any unauthorized trips should ?not be reimbursed or paid? [Billing Manual]. According to the Department, it allowed NEMT providers time to transition to working with IntelliRide because some providers were reluctant to join the statewide brokerage and the Department needed time to onboard providers. By Fall 2020, most providers should have been working with IntelliRide to schedule NEMT rides. The Department told us that six NEMT providers received its express permission to bypass IntelliRide to schedule rides and submit claims directly to the Department because the providers are unique, such as only serving recipients with disabilities or receiving federal grant funding to provide NEMT. To assess whether IntelliRide brokered most NEMT services in the State and submitted the related claims in line with regulations and its contract, we reviewed the Department?s aggregate data for the 128,998 NEMT claims paid from December 2020 through February 2021. ? The Department must pay claims based on accurate service rates and trip mileage. Non-taxi NEMT services, such as wheelchair and mobility vehicle services, have base rates and mileage rates set by the Department. IntelliRide tracks the mileage of each NEMT trip in EcoLane and submits mileage claims to the Department?s interChange system. The Public Utilities Commission (PUC) sets the rate for each permitted taxi provider, which generally includes a rate for the first trip mile and a different rate for each additional mile. According to the Department?s NEMT Billing Manual and NEMT Rate Schedule for Fiscal Year 2021, taxi claims should have been paid at the rate set by the PUC. For example, if a taxi company?s PUC rate was $4 for the first mile and $2 for each additional mile, the Department should have paid $6 for a two-mile NEMT trip claim. To verify that the Department paid NEMT claims based on the correct trip mileage and rates, we reviewed the trip mileage and rates for 362,110 NEMT claims paid from July 2020 through February 2021, and PUC documentation on the taxi rates for permitted taxi companies. ? Claims must be supported with accurate and complete documentation confirming the service provided. Both IntelliRide and providers that submit claims for NEMT services must keep and be able to furnish accurate, complete supporting documentation for all claims [42 USC 1396a(27), 42 CFR ?? 431.17 and 433.32, and 10 CCR 2505-10 8.014.3.C and 8.014.6.B]. For example, a claim must be supported by medical documentation showing that the type of vehicle was needed to transport the recipient, and documentation from the transportation provider showing the trip occurred and when the recipient was picked-up and dropped-off. IntelliRide should only submit a claim to the Department after IntelliRide confirms the trip has been completed and marks the status complete in EcoLane [IntelliRide Policies and Procedures]. If an NEMT provider does not show up for a trip, IntelliRide should mark the trip as ?cancelled? in EcoLane. Payments for Medicaid claims that lack supporting documentation for the services provided are unallowable, meaning they should not be paid. IntelliRide or the Department must maintain documentation from recipients? medical providers showing why certain NEMT services, like transportation in a wheelchair van or with an escort, are medically necessary [10 CCR 2505-10 8.014.7.B and 8.014.5.D.1; Billing Manual]. To verify that there was support for NEMT claims, we reviewed IntelliRide data in EcoLane for all 362,110 NEMT claims paid from July 2020 through February 2021, and Department documentation for a sample of 85 NEMT paid claims?75 selected randomly from the four NEMT service areas of the state, and 10 that were the highest paid NEMT claims. ? NEMT services must be medically necessary. NEMT services shall only be provided to recipients with no other means to attend medically necessary, non-emergency treatment covered by Medicaid [42 USC 1396a(70); 42 CFR 431.53; 10 CCR 2505-10 8.014.5.B]. To verify that NEMT claims were only paid for recipients to access medical care, we reviewed the Department?s data on paid medical claims to determine if the recipients related to 22 sampled NEMT claims paid in December 2020 had a corresponding medical appointment. For another 61 paid NEMT claims that involved IntelliRide scheduling and submitting claims for trips every day in December for two recipients, we reviewed whether the recipients had paid medical claims corresponding with the trips. ? Prior authorization is required for air ambulance. The Department must grant prior authorization for the use of an NEMT air ambulance before the trip occurs in order for the claim to be paid [10 CCR 2505-10 8.014.7.D.1.b]. To verify that the Department granted prior authorization for air ambulance trips, we reviewed the use of air ambulances in 11 paid claims from July 2020 to February 2021. ? Recipients are to receive the least-costly NEMT transportation option appropriate for their medical condition. For example, recipients should only ride in a vehicle for recipients with mobility needs when they have a mobility issue or if there is a lack of access to public transportation [10 CCR 2505-10 8.014.6.B, 42 USC 1396(a(70), and 42 CFR 440.170(a)(4)]. Higher-cost NEMT services, such as ambulance and wheelchair van services, must be supported with documentation of the recipient?s need for the specific higher-cost services [10 CCR 2505-10 8.014.5.B.1.b]. To determine whether recipients received the least costly NEMT services to meet their needs, we reviewed documentation submitted by medical or transportation providers to IntelliRide or the Department for the 85 sampled NEMT claims. ? Taxi providers must be permitted by the PUC to provide NEMT taxi rides. To provide NEMT rides by taxi and receive payment for them, the provider must maintain a common carrier permit issued by the PUC [10 CCR 2505-10 8.014.3.B.4.a]. To verify that the providers that were paid for taxi claims had been permitted to provide taxi services, we reviewed the 33,791 NEMT claims for taxi services from July 2020 to February 2021. What problems were identified? The Department paid $3.5 million directly to 66 NEMT providers for claims that were not brokered by Intelliride. From December 2020 through February 2021, 26,890 of the approximately 129,000 NEMT claims paid by the Department (21 percent), totaling about $3.5 million, were not brokered through IntelliRide, which violated state regulations requiring all NEMT services to be brokered through the statewide brokerage in effect at the time. The following chart shows the amounts the Department paid for claims submitted directly by NEMT providers compared to its payments for claims submitted by IntelliRide from July 2020 through February 2021. During these months, the number of claims that providers submitted directly to the Department decreased as providers transitioned to working with IntelliRide to broker NEMT rides; however, as of February 2021, the Department was still paying about $1 million in monthly claims that were submitted directly by providers. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote The Department paid 36,910 NEMT claims totaling $5.5 million, which either violated or may have violated federal and/or state regulations. The claims were for unallowable services or were overpaid, and resulted in $291,597 in known questioned costs and $5,180,962 in likely questioned costs for Medicaid. A questioned cost is a payment that ?resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a Federal award, including for funds used to match Federal funds? or ?the costs, at the time of the audit, [that] are not supported by adequate documentation?? [2 CFR 200.84]. A known questioned cost reflects a violation that the auditor confirmed; a likely questioned cost is the auditor?s best estimate of a potential violation [2 CFR 200.516(a)(3)]. Known and likely questioned costs should be investigated by the Department and recovered, as appropriate, because Medicaid overpayments are recoverable regardless of whether they occurred due to an error by the Department, entity acting on behalf of the Department, or a provider [Section 25.5-4-301(2), C.R.S.]. We found the following problems resulting in $291,597 in known questioned costs: ? Claims paid with no support that services were provided. For 3,958 of the 362,110 NEMT claims (1 percent), which totaled $258,115 paid from July 2020 to February 2021, IntelliRide or providers submitted the claims without any documentation showing that recipients received the NEMT services from the providers listed in the claim. The $258,115 is known questioned costs and includes: o 3,323 claims totaling $163,985 submitted by IntelliRide with no documentation in EcoLane of a ride being scheduled or provided. o 619 claims totaling $61,431 submitted by IntelliRide for which EcoLane showed the scheduled ride was cancelled. o 16 sampled claims totaling $32,699 submitted by providers directly to the Department had no documentation that an NEMT service occurred because the providers did not send the Department documentation for their claims. Upon our request, the Department attempted to obtain supporting documentation from providers for these claims but was unable to obtain any. ? Overpayments due to incorrect mileage and taxi rates. For 466 of the 321,099 mileage and taxi claims (less than 1 percent), the Department overpaid IntelliRide. Specifically, for 50 of the 287,308 mileage claims (less than 1 percent), the mileage submitted by IntelliRide that the Department paid was more than the ride mileage that IntelliRide documented in EcoLane. For 416 of the 33,791 (1 percent) claims submitted by IntelliRide on behalf of providers that were permitted to operate as taxis, the Department paid a higher rate than the providers? set PUC rate. The following table breaks out the overpayments that we identified, which totaled $6,759 in known questioned costs. We did not find issues with the rate amounts that the Department paid for non-mileage and non-taxi services. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote Examples of these overpayments include: o An overpayment of $48 for a claim submitted by IntelliRide for a taxi provider that billed the wrong taxi rate. The Department paid $60 for a 4-mile trip, when it should have paid $12 based on the PUC rate of $3 per mile. o An overpayment of $79 for a claim submitted by IntelliRide on behalf of a provider because the claim showed the trip was 76 miles, but the EcoLane data showed the trip was 38 miles. The Department paid $157, when it should have paid $78. ? Unallowable rides, not for medical appointments. For 61 claims showing NEMT trips every day in December 2020 for two recipients, there were no medical claims corresponding to their trips, so it appears that either NEMT was used repeatedly to transport these recipients to unallowable destinations or the provider did not provide the trips claimed. The NEMT provider reported to IntelliRide that these trips were completed even though the recipients did not attend any medical appointments that month. IntelliRide submitted the 61 NEMT claims and its EcoLane data showed that the NEMT providers self-reported that the trips were completed. However, IntelliRide confirmed that these trips were not used to access medical care. The issues we identified resulted in $2,674 of known questioned costs. ? Air ambulance claims paid without prior authorization. None of the 11 air ambulance NEMT claims had supporting documentation that the provider requested or received prior authorization from the Department before the trip occurred. These 11 claims to three providers resulted in $23,122 in known questioned costs. ? Claims paid for trips that were not the least costly, medically necessary, and/or for approved escorts. For seven of the 85 sampled claims (8 percent), IntelliRide submitted the claims without having required documentation from medical providers. Specifically, four claims lacked documentation to support the medical necessity for the type of vehicle used (either mobility vehicle, taxi, or wheelchair van); the other three claims lacked documentation of the recipient?s need for an escort to support the associated cost, which indicates that the three sampled NEMT trips were provided to an escort ineligible to ride with the recipient. The issues we identified for the seven claims resulted in $927 of known questioned costs. In addition, we found the following problems resulting in $5,180,962 in likely questioned costs, which are estimated potential violations of federal requirements that we could not confirm due to a lack of documentation: ? $4.8 million paid for taxi claims without mileage. For 29,049 taxi claims totaling $4,763,071, the Department paid the claims without ensuring taxi providers were paid at their PUC per-mile rate. These claims were submitted directly to the Department by 10 permitted taxi providers. The Department required providers to submit claims showing only the number of one-way trips driven, not the number of miles driven. As a result, the Department could not ensure that these taxi claims were paid at the correct PUC rates, as required in its Billing Manual and Rate Schedule. The Department paid the full amount that each taxi provider requested, as long as the claim was not more than $1,000 per one-way trip. For example, the Department paid $4,000 to one taxi provider for a claim showing four one-way trips for a recipient on a single day. Based on the claim amount, the taxi provider would have had to have driven the recipient on four 400-mile, one-way trips that day to justify this amount, because the taxi provider?s PUC rate is $4 for the first mile and $2.50 for each additional mile. Since the Department did not obtain the miles driven for each one-way trip from taxi providers for these 29,049 claims, we could not determine whether the payments were accurate based on each provider?s PUC rate, as required. ? $409,575 paid for taxi claims for providers not permitted as taxis. For 3,284 NEMT claims for taxi services from eight providers, the providers were not permitted by the PUC to operate as taxis. For example, one provider was paid for an NEMT taxi claim for $5,875 for 12 trips, or $490 per trip. Since these providers were not permitted as taxis, they did not have PUC-set taxi rates, so we could not determine how much these providers should have been paid. ? $4,718 paid for trips that may not have been to attend medical services. As of April 2021, 13 of the 22 sampled NEMT claims (59 percent) for trips in December 2020 had no medical claims for dates corresponding to the NEMT trips. Department staff told us that Medicaid medical claims are typically submitted and paid within 3 months of the date of service, but that there is a possibility that medical providers had not yet submitted medical claims for the recipients since federal regulations technically allow providers up to 12 months to submit claims [42 CFR 447.45(d)(1)]. In addition, six of these 13 recipients had both Medicaid and other types of medical insurance, such as Medicare. According to the Department, it is possible that the six recipients used NEMT trips to access medical services but the Department did not have a Medicaid claim for the services because they were paid by the other types of insurance, which is allowed by state regulations [10 CCR 2505-10 8.014.5.B.2]. Therefore, we could not determine whether the NEMT trips associated with the 13 claims had been for recipients to attend medical services. ? $3,598 paid for trips that may not have been completed. For 61 of the 362,110 paid claims (less than 1 percent), the scheduled trips were not marked as complete in EcoLane, so we could not determine whether they had been completed. Why did these problems occur? The Department lacks effective internal controls over NEMT claims to ensure they are appropriate and consistently comply with federal and state requirements. According to federal regulations [2 CFR 200.303(a)], the Department, as a recipient of federal funds, must establish and maintain effective internal controls to provide reasonable assurance that federal funds are spent in compliance with federal requirements. We identified the following areas where Department controls are lacking for NEMT claims: Lack of Department information technology (IT) Controls in interChange ? No IT controls to prevent providers from bypassing broker. From December 2020 through February 2021, the Department paid NEMT providers directly for unsupported NEMT trips because the Department did not have IT controls in interChange to deny claims for trips that were not brokered through IntelliRide, as required at the time. As of September 1, 2021, the Department plans to require only the NEMT providers operating in nine metro-Denver counties to broker trips through IntelliRide, so the Department needs IT controls to ensure providers in these counties work with IntelliRide to schedule all trips and submit related claims. ? Lack of IT and other controls to ensure proper payments for NEMT taxi services. InterChange is programmed to pay each NEMT taxi claim based on one-way trips, but the Department has not implemented an IT or other control to ensure that NEMT taxi claims are paid at the providers? current PUC-approved per-mile rates, and that the Department only pays taxi rates when the provider is permitted by the PUC to operate as a taxi. Department staff stated that the only IT control the Department has built into interChange to help ensure proper payment of taxi claims is limiting payments for taxi claims to no more than $1,000 per one-way trip, and that this control is in accordance with the NEMT Billing Manual and Rate Schedule. However, Department staff also acknowledged that there is a conflict within the Billing Manual that requires taxi claims to be based on the number of one-way trips, but also paid based on per-mile PUC rates. By setting the limit based only on the number of one-way trips instead of providers? PUC per-mile rate, this Department IT control is not effective at ensuring taxi claims are paid properly. To ensure accurate payments for NEMT taxi claims, the Department will need methods, such as IT controls in interChange, and clarification in the Billing Manual and Rate Schedule, to ensure taxi providers are paid based on set rates, and ensure each taxi provider is permitted. ? No IT controls to ensure required prior authorizations. Air ambulance services were paid without the Department?s prior authorization for the services because the Department does not have IT controls to ensure prior authorization before payment. If the Department does not implement IT controls to ensure appropriate prior authorizations of NEMT services, the Department will need to develop manual processes to ensure that NEMT services receive required authorization prior to paying the related claims. Lack of Department Monitoring of NEMT Services and Claims ? Insufficient methods to ensure appropriate payment and collect necessary documentation from providers that bypass the statewide brokerage. Although the Department reviewed NEMT provider supporting documentation for NEMT services in 2019, the Department did not do so in 2020 or 2021, and had no process to require the providers that bypassed the statewide brokerage to submit documentation to support their NEMT claims before they were paid. According to the Department, in September 2021, it plans to require providers in nine counties covered by the IntelliRide brokerage contract to provide and submit claims through IntelliRide; however, NEMT providers in the remaining 55 counties will be submitting NEMT claims directly to the Department. Therefore, it is important that the Department develop a process to ensure that providers in these 55 counties maintain required documentation for each claim. ? Lack of monitoring to ensure Intelliride submits accurate mileage claims and collects necessary documentation. The Department does not conduct reviews of IntelliRide?s documentation in EcoLane to ensure it submits claims for accurate mileage and maintains support for claims submitted to or paid by the Department. For example, the Department does not reconcile its NEMT claims data from interChange and IntelliRide?s EcoLane system data to ensure each claim is supported. Furthermore, the Department has never completed a file review of IntelliRide?s supporting documentation for NEMT claims, such as when the Department contracted with IntelliRide to be a regional broker prior to becoming the statewide broker. ? No method to ensure NEMT service claims are for rides for medical treatment and the least costly. The Department does not conduct any reconciliation of its interChange data on NEMT trip claims to its interChange data on Medicaid medical claims to ensure NEMT claims are only paid for recipients to access medical care. The Department also does not require confirmation from medical providers that recipients used NEMT to access necessary medical care. For example, NEMT providers told us that before the start of the IntelliRide statewide brokerage contract, they either called medical providers to confirm that the recipients? NEMT trips were to access medical appointments or collected medical providers? signatures for each NEMT trip. In addition, the Department has no controls to ensure providers that submit claims directly to the Department are providing the least costly NEMT service appropriate to each recipient, such as public transportation when it is accessible and appropriate. For example, IntelliRide instructs its staff to attempt to schedule the lowest-cost NEMT service based on recipients? mobility needs and access to public transportation; however, the Department has no such method to ensure services are the least costly when NEMT providers schedule services for recipients. As of September 2021, the Department plans to have the recipients who live in the 55 counties not served by IntelliRide begin scheduling their rides directly with the NEMT providers of their choosing, yet the Department has not developed a method to ensure recipients in these areas receive the lowest-cost services appropriate for their needs. ? Potentially insufficient Department staffing to monitor NEMT claims effectively. For Fiscal Year 2021, the Department was appropriated three full-time equivalent (FTE) staff to oversee NEMT claims; however, the Department had two vacancies in these positions from July 2020 through May 2021 that it did not fill, so there was only one Department staff overseeing NEMT and the IntelliRide statewide contract during the audit time period. In June 2021, the Department added an additional FTE staff member to assist in administering the NEMT benefit. Why do these problems matter? Likely federal recovery of funds used for improper payments. Section 25.5-4-301(2), C.R.S., states that any overpayments of claims to providers are recoverable and ?are recoverable regardless of whether the overpayment is the result of an error by the state department? an entity acting on behalf of [the department], or the provider or any agent of the provider.? Our audit identified $291,597 in known questioned costs, of which about $145,797 is the federal portion of funds that the federal government may recover. We also identified $5,180,962 in likely questioned costs, of which $2,590,480 is the federal portion of funds that could be recovered if the payments are determined to have not been appropriate. The following table shows the questioned costs and federal portions for each problem we identified. See Schedule of Findings and Questioned Costs for chart/table See Schedule of Findings and Questioned Costs for footnote When providers bypass broker controls, service quality is not monitored. When the Department allows some NEMT providers to bypass the IntelliRide broker, and does not obtain documentation to support their claims, the Department is unable to monitor the services of these providers. Additionally, when the Department does not monitor providers that bypass the statewide broker, the Department is applying different and possibly inadequate standards for the providers that bypass compared to the providers that work with IntelliRide. Although the Department plans for IntelliRide to no longer be the statewide NEMT broker for all 64 counties beginning September 2021, IntelliRide will continue to administer NEMT trips for nine Front Range counties that account for the majority of NEMT trips. It is important that all NEMT trips in these counties be brokered through IntelliRide so that the Department can monitor the quality of the trips and IntelliRide?s oversight of them. Risk of fraud, waste, and abuse. When the Department pays NEMT claims that are not supported by documentation of the service, medical documentation showing NEMT was for medical treatment, or the required prior authorizations, there is a significant risk of misappropriation of federal and state funds by providers and/or recipients. In addition, the eight providers not permitted as taxis that submitted taxi claims appear to have set their own rates of payment at a significantly higher rate, since the PUC did not permit or set rates for these providers. While we did not identify confirmed fraud by recipients or providers due to a lack of supporting documentation for claims, the problems identified demonstrate waste of public funds and potential abuse of the Medicaid program. When the Department overpays Medicaid funds and pays for unallowable services, there are fewer funds available to service the recipients who need them. In addition, there is no federal or state limit on payments for NEMT services, so it is important that the Department ensure Medicaid recipients receive appropriate transportation to medical treatment, while also ensuring the Department is acting as a good steward of federal and state funds. See Schedule of Findings and Questioned Costs for chart/table Character Limit Exceeded See Statewide Single Audit Report
2 CFR § 2900.4 gives regulatory effect to the Department of Labor for 2 CFR § 200 Subpart E which outlines allowable cost principles. 2 CFR § 200.403 provides, in part, that except where otherwise authorized by statute, costs must meet the following criteria to be allowable under Federal awards: Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles and be adequately documented. Due to a lack of internal control over expenditures and documentation, testing of expenditures identified a payment charged twice to the WIOA Cluster accounting system. As such, the second entry for the payment had no invoice support and was not valid. The total amount tested that had no invoice support was $369,757 and was determined to be unallowable. Failure to maintain adequate support documentation for federal expenditures could result in costs being disallowed by the grantor. Policies and procedures over documentation of expenditures should be developed and implemented. Support should be maintained for all expenditures to ensure that each expenditure charged to the program is for an allowable activity/cost. The expenditure amount is in excess of $25,000 and therefore is considered questioned costs under 2 CFR § 200.516. In addition to this issue, we could not determine if the expenditures in total for this program were supported by the accounting system records since we could not reconcile between the accounting system and the federal schedule. See Finding 2022-004 above for this issue in detail.
2 CFR § 2900.4 gives regulatory effect to the Department of Labor for 2 CFR § 200 Subpart E which outlines allowable cost principles. 2 CFR § 200.403 provides, in part, that except where otherwise authorized by statute, costs must meet the following criteria to be allowable under Federal awards: Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles and be adequately documented. Due to a lack of internal control over expenditures and documentation, testing of expenditures identified a payment charged twice to the WIOA Cluster accounting system. As such, the second entry for the payment had no invoice support and was not valid. The total amount tested that had no invoice support was $369,757 and was determined to be unallowable. Failure to maintain adequate support documentation for federal expenditures could result in costs being disallowed by the grantor. Policies and procedures over documentation of expenditures should be developed and implemented. Support should be maintained for all expenditures to ensure that each expenditure charged to the program is for an allowable activity/cost. The expenditure amount is in excess of $25,000 and therefore is considered questioned costs under 2 CFR § 200.516. In addition to this issue, we could not determine if the expenditures in total for this program were supported by the accounting system records since we could not reconcile between the accounting system and the federal schedule. See Finding 2022-004 above for this issue in detail.
2 CFR § 2900.4 gives regulatory effect to the Department of Labor for 2 CFR § 200 Subpart E which outlines allowable cost principles. 2 CFR § 200.403 provides, in part, that except where otherwise authorized by statute, costs must meet the following criteria to be allowable under Federal awards: Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles and be adequately documented. Due to a lack of internal control over expenditures and documentation, testing of expenditures identified a payment charged twice to the WIOA Cluster accounting system. As such, the second entry for the payment had no invoice support and was not valid. The total amount tested that had no invoice support was $369,757 and was determined to be unallowable. Failure to maintain adequate support documentation for federal expenditures could result in costs being disallowed by the grantor. Policies and procedures over documentation of expenditures should be developed and implemented. Support should be maintained for all expenditures to ensure that each expenditure charged to the program is for an allowable activity/cost. The expenditure amount is in excess of $25,000 and therefore is considered questioned costs under 2 CFR § 200.516. In addition to this issue, we could not determine if the expenditures in total for this program were supported by the accounting system records since we could not reconcile between the accounting system and the federal schedule. See Finding 2022-004 above for this issue in detail.
2 CFR § 2900.4 gives regulatory effect to the Department of Labor for 2 CFR § 200 Subpart E which outlines allowable cost principles. 2 CFR § 200.403 provides, in part, that except where otherwise authorized by statute, costs must meet the following criteria to be allowable under Federal awards: Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles and be adequately documented. Due to a lack of internal control over expenditures and documentation, testing of expenditures identified a payment charged twice to the WIOA Cluster accounting system. As such, the second entry for the payment had no invoice support and was not valid. The total amount tested that had no invoice support was $369,757 and was determined to be unallowable. Failure to maintain adequate support documentation for federal expenditures could result in costs being disallowed by the grantor. Policies and procedures over documentation of expenditures should be developed and implemented. Support should be maintained for all expenditures to ensure that each expenditure charged to the program is for an allowable activity/cost. The expenditure amount is in excess of $25,000 and therefore is considered questioned costs under 2 CFR § 200.516. In addition to this issue, we could not determine if the expenditures in total for this program were supported by the accounting system records since we could not reconcile between the accounting system and the federal schedule. See Finding 2022-004 above for this issue in detail.
2 CFR § 2900.4 gives regulatory effect to the Department of Labor for 2 CFR § 200 Subpart E which outlines allowable cost principles. 2 CFR § 200.403 provides, in part, that except where otherwise authorized by statute, costs must meet the following criteria to be allowable under Federal awards: Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles and be adequately documented. Due to a lack of internal control over expenditures and documentation, testing of expenditures identified a payment charged twice to the WIOA Cluster accounting system. As such, the second entry for the payment had no invoice support and was not valid. The total amount tested that had no invoice support was $369,757 and was determined to be unallowable. Failure to maintain adequate support documentation for federal expenditures could result in costs being disallowed by the grantor. Policies and procedures over documentation of expenditures should be developed and implemented. Support should be maintained for all expenditures to ensure that each expenditure charged to the program is for an allowable activity/cost. The expenditure amount is in excess of $25,000 and therefore is considered questioned costs under 2 CFR § 200.516. In addition to this issue, we could not determine if the expenditures in total for this program were supported by the accounting system records since we could not reconcile between the accounting system and the federal schedule. See Finding 2022-004 above for this issue in detail.
2 CFR § 2900.4 gives regulatory effect to the Department of Labor for 2 CFR § 200 Subpart E which outlines allowable cost principles. 2 CFR § 200.403 provides, in part, that except where otherwise authorized by statute, costs must meet the following criteria to be allowable under Federal awards: Be necessary and reasonable for the performance of the Federal award and be allocable thereto under these principles and be adequately documented. We further noted that 20 CFR § 671.140 states the following as allowable activities: (a) National emergency grants may provide adjustment assistance for eligible dislocated workers, described at WIA section 173(c)(2) or (d)(2). (b) Adjustment assistance includes the core, intensive, and training services authorized at WIA sections 134(d) and 173. The scope of services to be provided in a particular project are negotiated between the Department and the grantee, taking into account the needs of the target population covered by the grant. The scope of services may be changed through grant modifications, if necessary. (c) National emergency grants may provide for supportive services to help workers who require such assistance to participate in activities provided for in the grant. Needs-related payments, in support of other employment and training assistance, may be available for the purpose of enabling dislocated workers who are eligible for such payments to participate in programs of training services. Generally, the terms of a grant must be consistent with Local Board policies governing such financial assistance with formula funds (including the payment levels and duration of payments). However, the terms of the grant agreement may diverge from established Local Board policies, in the following instances: (1) If unemployed dislocated workers served by the project are not able to meet the 13 or 8 weeks enrollment in training requirement at WIA section 134(e)(3)(B) because of the lack of formula or emergency grant funds in the State or local area at the time of dislocation, such individuals may be eligible for needs-related payments if they are enrolled in training by the end of the 6th week following the date of the emergency grant award; (2) Trade-impacted workers who are not eligible for trade readjustment assistance under NAFTA-TAA may be eligible for needs-related payments under a national emergency grant if the worker is enrolled in training by the end of the 16th week following layoff; and (3) Under other circumstances as specified in the national emergency grant application guidelines. (d) A national emergency grant to respond to a declared emergency or natural disaster, as defined at § 671.110(e), may provide short-term disaster relief employment for: Individuals who are temporarily or permanently laid off as a consequence of the disaster; Dislocated workers; and Long-term unemployed individuals. (e) Temporary employment assistance is authorized on disaster projects that provide food, clothing, shelter and other humanitarian assistance for disaster victims; and on projects that perform demolition, cleaning, repair, renovation and reconstruction of damaged and destroyed structures, facilities and lands located within the disaster area. For such temporary jobs, each eligible worker is limited to no more than six months of employment for each single disaster. The amounts, duration and other limitations on wages will be negotiated for each grant. (f) Additional requirements that apply to national emergency grants, including natural disaster grants, are contained in the application instructions. Due to a lack of internal control over expenditures and documentation, testing of expenditures identified a payment charged to the NEG Federal Program twice in the accounting system. As such, the second entry for the payment had no invoice support and was not valid. The total amount tested that had no invoice support was $191,416 and was determined to be unallowable. Failure to maintain adequate support documentation for federal expenditures could result in costs being disallowed by the grantor. Policies and procedures over documentation of expenditures should be developed and implemented. Support should be maintained for all expenditures to ensure that each expenditure charged to the program is for an allowable activity/cost. The expenditure amount is in excess of $25,000 and therefore is considered questioned costs under 2 CFR § 200.516. In addition to this issue, we could not determine if the expenditures in total for this program were supported by the accounting system records since we could not reconcile between the accounting system and the federal schedule. See Finding 2022-004 above for this issue in detail.
COVID-19 Coronavirus Relief Fund (21.019) Agency: Department of Treasury Federal Award Number/Year: 2020 Program & ALN: COVID-19 Coronavirus Relief Fund - 21.019 Pass-through Entities: Virginia Department of Accounts Compliance Requirement: Reporting Finding Type: Finding reported in accordance with 2 CFR section 200.516(a) and material weakness of internal controls surrounding reporting requirements. Criteria: Per single audit requirements, prime recipients (i.e. the Commonwealth of Virginia) are required to submit quarterly Financial Progress reports. To assist with the reporting requirement, the Commonwealth required quarterly reports from its subrecipients (the County). Condition: The County did not file a required quarterly report for the quarter ended September 30, 2021. Cause: The County did not have a proper reporting and review process of federal grants and failed to submit the required report. Effect: The amounts reported by the County to the Commonwealth are understated resulting in an error in reporting by the Commonwealth to the federal government. Recommendation: Management should establish a reconciliation process and reports should be reviewed by someone other than the preparer prior to submission to ensure accuracy of reporting. Views of Responsible Officials and Planned Corrective Action: The County concurs with the finding. The County corrected activity with the final reporting filed for the period ended December 31, 2021.
A. Summary of Auditor's Results 1. The auditor's report expresses a unmodified opinion on whether the financial statements of Geneva Avenue Elderly Housing, Inc. were prepared in accordance with generally accepted accounting principles. 2. No significant deficiencies related to the audit of the financial statements were reported in the Independent Auditor's Report on Internal Control over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial Statements Performed in Accordance with Government Auditing Standards. No material weaknesses were reported. 3. One instance of noncompliance material to the financial statements of Geneva Avenue Elderly Housing, Inc., which would be required to be reported in accordance with Government Auditing Standards, was disclosed during the audit. 4. One significant deficiency in internal control over major federal award programs was disclosed during the audit and reported in the Independent Auditor's Report on Compliance for the Major Federal Program and on Internal Control over Compliance Required by the Uniform Guidance. No material weaknesses were reported. 5. The auditor's report on compliance for the major federal award programs for Geneva Avenue Elderly Housing, Inc. expresses a qualified opinion on all major federal programs. 6. There is one audit finding required to be reported in accordance with 2 CFR Section 200.516(a) in this Schedule. 7. The programs tested as major programs included: CFDA Number Name of Federal Program 14.157 HUD Section 202 (Capital Advance) 8. The threshold for distinguishing between Type A and B programs was $750,000. 9. Geneva Avenue Elderly Housing, Inc. was determined to be a low risk auditee. B. Financial Statement Findings None reported C. Federal Award Findings and Questioned Costs Department of Housing and Urban Development Finding No. 2022-001; Assistance Listing No. 14.157 Support Housing for the Elderly (Section 202) Criteria Tenant lease files are required to be maintained and tenant eligibility determined in accordance with HUD Handbook 4571.3, Section 202 Supportive Housing for the Elderly. Condition In connection with our lease file testing, we noted that six tenant files out of the six tenant files tested did not have the EIV completed timely for the most recent annual recertification. Cause There was an administrative error involving personnel involved in the annual recertification process resulting in the EIV reports not being run in accordance with the HUD program guidelines. Effect or Potential Effect The Corporation is not in compliance with HUD Program guidelines. Recommendation The Corporation should ensure that EIV reports are run timely in connection with the annual recertification in accordance with the HUD Program guidelines, and it should monitor its compliance with those policies and procedures. Auditor Noncompliance Code: R - Section 8 program administration Reporting Views of Responsible Officials: Management concurs with the finding. Management has communicated with the staff the importance of completing EIV reports in accordance with HUD Program guidelines, and on a go forward basis will enhance its monitoring of compliance with this requirement to ensure that EIV's are run within an appropriate time frame.
THIS FINDING IS: New FINDING TYPE: Internal Control DEFICIENCY TYPE: Significant Deficiency Federal Program Name and Year: Education Stabilization Fund - 2022 Project No.: 20-4998-ER AL No.: 84.425D Passed Through: Illinois State Board of Education Federal Agency: U.S. Department of Education Criteria or specific requirement (including statutory, regulatory, or other citation): The District is required to report grant expenditures in accordance with the Illinois State Board of Education State and Federal Grant Administration Policy and Fiscal Requirements and Procedures and the ISBE Illinois Program Account Manual, which is consistent with the provisions of the Uniform Guidance. According to Uniform Guidance, Title 2 CFR 200.516, the District is required to maintain internal control over Federal programs that provide reasonable assurance that the Auditee is managing Federal awards in compliance with laws, regulations, and provisions of contracts or grant agreements that could have a material effect on each of its Federal programs. Under Uniform Guidance, Title 2 CFR 200.501, a non-Federal entity that expends $750,000 or more during the entity's fiscal year in Federal awards must have a single audit conducted for that year. Condition: The District overstated expenditures on the ESSER I June 30, 2021 expenditure report. Questioned Costs: The ESSER I 2020 project year's June 30, 2021 expenditure report included $10,678 of questioned costs. Purchased Services were overstated by $2,300, Supplies and Materials were overstated by $6,035, and Capital Outlay was overstated by $2,343 when compared to the accounting records. Context: The ESSER I 2020 project year's June 30, 2021 expenditure report included $10,678 of questioned costs. Purchased Services were overstated by $2,300, Supplies and Materials were overstated by $6,035, and Capital Outlay was overstated by $2,343 when compared to the accounting records. Effect: Expenditures reported on the final project expenditure report were overstated by $10,678. Excluding the $10,678 of overstated expenditures from the calculation of over all expenditures of federal awards resulted in the district expending less than $750,000 of federal awards during the year ended June 30, 2021 and thereby not being subject to the Uniform Guidance/Single Audit provisions. Cause: ESSER I 2020 project year's final expenditures were reported in error. Recommendation: Grant expenditures should be reviewed and reconciled back to the accounting records prior to submitting final reports; ISBE grants division should be contacted regarding this discrepancy. Management's response: The District agrees that the expenditures claimed on the June 30, 2021 expenditure report was overstated by $10,678 and in the future will review and reconcile the expenditure reports to the accounting records before submitting to ISBE.
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.
2022-030 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients? activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor?s report or nine months after the end of the subrecipient?s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report?s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: ? Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed ? Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 21 subrecipients. We found the University did not adequately monitor one subrecipient (14 percent) to ensure it received a required single or program-specific audit. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition Staff in the University?s Office of Sponsored Programs (OSP) used a spreadsheet to track subrecipient certifications and responses, and reviewed annual certifications from the subrecipient to monitor its audit status. However, OSP did not correctly interpret the subrecipient?s response and, therefore, did not require it to provide documentation of a single or program-specific audit. Additionally, management did not review the subrecipient?s federal assistance expenditures to detect that it required an audit and, therefore, also failed to adequately follow up to ensure any reported findings were resolved with appropriate corrective action, if required. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: ? Follow policies and procedures to ensure subrecipients receive required single or program-specific audits ? Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required ? Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations ? Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations ? Issue a written management decision for all applicable audit findings, if necessary University?s Response The University of Washington has established internal controls to carry out a risk assessment per Uniform Guidance, 2 CFR ? 200.332, Requirements for pass-through entities, and our UW Grants Information Memorandum (GIM) 8. This involves using various factors to assess risk. Part of our process to obtain the information needed from each subrecipient is through a certification process. The certification was obtained from the subrecipient, along with additional documentation from the subrecipient, such as an audited financial statement. We made a risk assessment using our standard risk criteria. We did misinterpret the response provided from the subrecipient regarding whether it expended $750,000 or more in federal awards during a fiscal year in order to obtain a single or program-specific audit from this subrecipient. While this was not obtained and reviewed, a risk assessment using our standard criteria was performed with the subrecipient rated as a medium risk, and subject to monitoring throughout the project, per GIM 8. The monitoring at the program level occurred during the period in question. We will be improving our required communications with subrecipients to have clear questions and responses regarding whether the subrecipient expended $750,000 or more in federal awards during the fiscal year in order to obtain a single or program-specific audit, follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations, and issue a written management decision for all applicable audit findings, if necessary. Auditor?s Remarks We thank the University for its cooperation and assistance during the audit. Whether the University performed a risk assessment for the subrecipient is not being questioned. The University did not adequately monitor the subrecipient to ensure it detected whether the subrecipient was required to receive a single audit, or program-specific audit in accordance with 2 CFR ?200.332(f). There is no other mechanism for the Federal government to monitor subrecipients of the University and, because a single audit of the subrecipient was not performed, neither the federal grantor nor the University had reasonable assurance of the subrecipient?s compliance with federal award requirements. We reaffirm our finding and will follow up on the status of the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200, Uniform Guidance, establishes the following applicable requirements: Section 200.332 Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by ? 200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient?s cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section ? 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. (f) Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient?s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set for the in ?200.501 Audit requirements. Section 200.339 Remedies for noncompliance, states: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in ? 200.208. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the Federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances: (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. Section 200.501 Audit requirements, states in part: (a) Audit required. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part. (b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity?s fiscal year in Federal awards must have a single audit conducted in accordance with ? 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section. Section 200.521 Management decision, states in part: (a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements which are required to be reported in accordance with GAGAS. (c) Pass-through entity. As provided in ? 200.332(d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. (e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with ? 200.516(c). The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 8 ? Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients? risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW?s subrecipient monitoring requirements are comprised, at a minimum, of the following: ? Completion of the UW?s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring ? Entity Level Entity level monitoring consists of a combination of the following: ? Initial Subrecipient Certification Form completion and assurance by subrecipient?s authorized official ? Annual audit assurance through an annual audit certification form ? Maintenance of a subrecipient profile list, which includes information on the entity?s past audit information and certifications ? Risk assessment carried out at each annual renewal of a subaward
2022-028 The University of Washington did not establish adequate internal controls to ensure payments to contractors and subrecipients for the Global AIDS program were allowable, properly supported and within the period of performance. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: NU2GGH001430; NU2GGH001968; NU2GGH002038; NU2GGH002116; NU2GGH002242; NUGGH002360; NU2GGH002157; NU2GGH002298; NU2GGH002374 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: None Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President?s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University?s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2022, the University spent more than $66 million in federal program funds, about $44 million of which it passed through to subrecipients. To achieve the performance goals of the program, the Seattle headquarters of I-TECH (Seattle HQ) provides funding to subrecipients and contractors. Invoices submitted by contractors directly to Seattle HQ are reviewed and approved for payment by budget managers who have delegated authority from the Principal Investigator. Invoices submitted by subrecipients are reviewed and approved for payment by a Principal Investigator. Principal Investigators are also responsible for monitoring the subrecipient?s technical progress and performance. Seattle HQ also provides funding to country offices operating within the University?s global network. The country offices incur costs associated with furnishing supplies and equipment to address the HIV/AIDS epidemic, as well as staffing resources and acquiring goods and services from contractors to carry out the objectives of the program. Payments made by country offices are approved by Country Directors and Country Representatives as delegated by the University. Under the University?s policies, country offices are reimbursed for locally incurred expenses at least monthly. An invoice, accompanied by a schedule of expenses incurred, is submitted and approved by the Country Director and then by the Director of Finance at Seattle HQ, prior to payment. Country offices also responsible for obtaining and retaining supporting documentation for costs incurred and paid on each project. Monthly, Budget Managers review and approve a Budget Activity Report (BAR) that details the expenses charged to the project for the previous month to ensure accurate posting of already approved expenses. This review is also to determine whether the work performed during the billing period reconciles to costs claimed within the contractor?s invoice so that payment may be authorized. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The University did not have adequate internal controls to ensure payments to contractors and subrecipients of the Global AIDS program were allowable properly supported and within the period of performance. Payments to country offices We used a statistical sampling method to randomly select and examine 58 out of 1,644 transactions for country offices. Of the 58 payments examined, we identified one payment (1.7 percent) that was not approved by the Country Director and the corresponding Budget Activity Report was not approved by the Director of Finance. Payments to contractors We used a statistical sampling method to randomly select and review 58 out of 3,040 payments to contractors. We found: ? Invoices for three payments (5 percent) were not approved by a Budget Manager ? Monthly Budget Activity Reports were not approved for 12 payments (20 percent) Subrecipient reimbursements We used a statistical sampling method to randomly select and review 55 out of 438 payments to subrecipients. We found the assigned Budget Manager did not review and approve the monthly Budget Activity Reports for 52 payments (94 percent). We consider these internal control deficiencies to be a material weakness. This issue was not reported as a finding in the prior audit. Cause of Condition Program management did not require supporting documentation for each payment to be forwarded to and reviewed by headquarters personnel prior to payment authorization. Management also did not monitor the submission of invoices and Budget Activity Reports to ensure they were approved by the responsible Budget Manager, as required. Effect of Condition Without establishing adequate internal controls, the University cannot reasonably ensure it is using federal funds for allowable purposes and that expenditures of federal funds are supported by adequate documentation. Recommendations We recommend the University: ? Improve its internal controls to ensure invoices are properly approved by Principal Investigators, as required ? Improve its internal controls to ensure Budget Mangers review and approve monthly Budget Activity Reports before authorizing payments for projects incurring reimbursement requests ? Ensure it retains supporting documentation sufficient to show costs incurred and paid by the program are allowable, and to demonstrate the required managerial reviews have occurred prior to issuing payment University?s Response In response to the findings for the Global Aids Program, we would like to clarify the following: General Clarification: The draft finding inaccurately represents the role of BARS approvals as part of the internal controls to ensure payments to country offices, contractors and subrecipients are allowable, properly supported and within the period of performance. This is not the role of the BARS review process. Compliance, Budget Manager and PI reviews are the controls that ensure allowability of payments and BARS approvals are after-the-fact validations of accurate posting of already approved expenditures. We provided edits to the Background section to reflect our process. We request in light of this that the description of condition, cause of condition and recommendation sections of this finding be updated accordingly. Payments to country offices I-TECH country offices are not contractors; the offices are an extension of the University of Washington. Your review identified one of fifty-eight samples (1.7%) did not meet the approval requirements set forth in I-TECH?s standard operating procedure. Based on the error percentage, we disagree with this finding. Payments to contractors Payments to contractors have multiple approvals. Upon receipt, individual invoices are approved by the program/budget manager either by signature or email. Invoices are then sent to the I-TECH Accounts Payable Administrator for input to the University?s procurement system, ARIBA, which requires compliance approval from the Accounts Payable Supervisor or other manager, as well as funding approval from the budget manager prior to payment. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to contractors, they are reviews of the monthly expenses posted to the budget and the program manager?s concurrence that the expenses are as expected. The exceptions noted were payments made to country offices instead of contractors. The support for approvals were provided to the State Auditors on April 26, 2023, prior to the completion of fieldwork. We therefore disagree with this finding. We also request that the finding be adjusted to omit the 20% of missing BARS approvals as this is not related to the contractor payments. Subrecipient reimbursements Each subrecipient invoice is reviewed for reasonableness, allowability and allocability by the contracts manager and approved by both budget managers and principal investigators prior to being processed for payment in ARIBA. PI approvals were provided and verified for each subrecipient selection with no omissions noted by the auditors. Approvals of Budget Activity Reports (BARS) are not approval of individual payments to subrecipients, they are after-the-fact reviews of the monthly expenses posted to the budget, intended as documentation of the program manager?s concurrence that the expenses are posted as expected. We acknowledge the instances detailed in the finding where we were unable to produce related BARS approvals for 52 of the transactions; however, we request that the finding be adjusted as these BARS approvals are not related to subrecipient invoice review and approvals. Our record keeping process for BARS approvals was to save the emails in a folder within our Finance Team mailbox. We learned during this review that emails beyond a certain date are deleted but maintained in the MS360 file. We?ve searched for the missing BARS approvals but have not yet been able to locate them. We have since begun saving the approvals to our server to ensure we have access to the data going forward. Auditor?s Remarks The University?s I-TECH Global Operations Manual stipulates that BARs will be generated, reviewed and approved monthly by the Budget Manager and management team. This information was provided to our Office as part of the University?s overall design of internal controls over payments to contractors, subrecipients and country offices. The University responded to our Office on April 20, 2023 adding that ?BAR review is the University?s key post payment control designed to ensure charges are accurately processed, coded and allowable on the budget charged.? We interpret this response to indicate the BAR review process is a monitoring control, and the University asserted on multiple occasions this is a key internal control, which is why we tested it. On January 5, our Office notified University management in writing that the BAR review process would be tested as a key control over the cost principles and period of performance requirements for Global AIDS expenditures. We received no additional inquiry or concerns from University management regarding this internal control until the draft finding was issued on April 14. We provided the University with a final written summary of our fieldwork in this area on April 6, 2023, after fieldwork had concluded. On April 7, the Finance Director responded to our Office in writing confirming they had no further questions or concerns regarding our testing results. It was not until after the University received this finding that additional documentation supporting expenditures tested during the audit were ultimately given to our Office. The basis for this audit finding is the key internal control failure rate of BAR approvals that exceeds our established materiality threshold of five percent, and constitutes a material weakness in internal control, which under the Uniform Guidance is required to be reported as an audit finding in accordance with 2 CFR 200.516 ? Audit findings. We reaffirm our finding and will follow up on the University?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington?s Policies, Procedures and Guidance (UW Research), GIM 02 ? Acceptance of Sponsored Program Awards and Fiscal Compliance on Sponsored Program Accounts (Budget Numbers), states in part: Responsibilities Principal Investigator ? Supervises expenditure of sponsored program funds and approves sub-recipient invoices (see GIM 8) to assure: o That funds are used only for purposes that directly relate to and benefit the activity supported in the award. o That expenditures are consistent with all special terms, conditions, or limitations that apply to expenditures under the particular grant or contract. o That expenditures do not exceed the total funds authorized for a given period under the grant or contract. GIM 07 ? Sponsored Program Subaward Administration, states in part: Principal Investigator ? Review and approve subaward invoices. GIM 08 ? Subrecipient Monitoring, states in part: Roles & Responsibilities PI / Department Responsibilities Project level monitoring of subrecipient including: o Reviews that expenses are necessary, reasonable, and allocable to the work completed and are aligned with technical progress. o Approve invoices for payment. Subrecipient Monitoring ? Project Level Subrecipient invoices are reviewed and approved in accordance with the requirements of GIM 2 in the manner and frequency stated in the subaward. The University of Washington I-TECH Global Operations Manual (GRef 2.3), Section 2, Finance, Accounting Policy and Procedure Requirements, states in part: In addition to the Fiscal Guidelines set forth in the I-TECH Field Operations Manual, these country specific policies are implemented at I-TECH. 10. Budget Management and Reporting f. Reports that show the variance between the budget plan and the activity for each region and activity code will be generated, reviewed and approved by the budget managers and the Management Team each month.