Reference Number: 2023-021 Prior Year Finding: No Federal Agency: U.S. Department of Health and Human Services State Agency: Department of Human Services Federal Program: CCDF Cluster, COVID-19 – CCDF Cluster Assistance Listing Number: 93.575, 93.596 Award Number and Year: 2301NJCCDD (10/1/2022 – 9/30/2025) 2301NJCCDF (10/1/2022 – 9/30/2025) 2201NJCCDF (10/1/2021 – 9/30/2024) 2201NJCCDD (10/1/2021 – 9/30/2024) 2101NJCCDF (10/1/2020 – 9/30/2023) 2101NJCCDF (10/1/2020 – 9/30/2023) 2101NJCCDF (10/1/2019 – 9/30/2022) 2001NJCCDF (10/1/2019 – 9/30/2022) 2101NJCSC6 (10/1/2020 – 9/30/2023) 2101NJCDC6 (10/1/2020 – 9/30/2024) Compliance Requirement: Subrecipient Monitoring Type of Finding Significant Deficiency in Internal Control Over Compliance, Other Matters Criteria or specific requirement: Compliance – Per 2 CFR section 200.332(a), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. 2 CFR section 200.332(d) states that pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (4) Reviewing financial and performance reports required by the pass-through entity. (5) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (6) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 200.521 Management decision. Section III – Federal Award Findings and Questioned Costs (Continued) Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The Department of Human Services (Department) did not comply with subrecipient monitoring requirements for the program. Context: Eight subawards were selected for testing and the following exceptions were noted: • For 2 of 8 subawards selected for testing, the subaward did not include all required Federal Award information. The subawards were missing the Federal Award Date of award to the recipient by the Federal agency. • For 1 of 8 subawards selected for testing, the Department did not conduct an annual desk review for the award as required by the Department’s procedures. Questioned costs: None noted. Cause: The Department’s procedures were not effective to ensure that subawards were issued in compliance with Federal requirements, nor that subrecipient monitoring was performed timely in accordance with Departmental procedures. Internal controls did not prevent or detect the errors. Effect: Excluding the required federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete Schedules of Expenditures of Federal Awards (SEFA) in their Single Audit reports, and federal funds may not be properly audited at the subrecipient level in accordance with the Uniform Guidance. Not conducting during the award monitoring may result in a failure of the Division to detect that its subrecipients used subawards for unauthorized purposes, managed them in violation of the terms and conditions of the subawards, or that subaward performance goals were not achieved. Recommendation: The Department should review and enhance internal controls and procedures to ensure that all required information is included in subaward agreements and that proper subrecipient monitoring is performed. Section III – Federal Award Findings and Questioned Costs (Continued) Views of responsible officials: In accordance with the audit finding recommendation, the Department of Human Services’ Division of Family Development (DFD) will ensure that the applicable federal award date will be included with the contract award information as required by Uniform Guidance pass-through entity requirements. Subrecipient monitoring was performed in a timely manner in compliance with DHS Contract Policy with the exception of one subrecipient, NJSACC. NJSACC’s fiscal review documents are due back to DFD on April 15, 2024. Once received, DFD will schedule a fiscal review meeting with the agency and the entire process should be completed within one (1) month of receipt. In addition, DFD will review the current policy for clarity, reasonableness, and to ensure compliance.
Federal Awarding Agency: USDOT Impact: Significant Deficiency, Noncompliance AL Number and Title: 20.509 FGRA Federal Award Number: AK-2022-027 Applicable Compliance Requirement: Subrecipient Monitoring Condition: DOTPF management did not issue a management decision for the one single audit finding requiring follow-up in FY 23 within six months as required by federal law. Context: Under federal regulations, pass-through entities are responsible for issuing a management decision for audit findings relating to federal awards provided to subrecipients. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the adequacy of the subrecipient’s proposed corrective actions to address the finding. If the subrecipient has not completed corrective action, a timetable for follow-up should be given. Cause: DOTPF has no procedures to ensure a management decision is issued in a timely manner for a subrecipient’s single audit finding. DOTPF management believed it was not necessary to track subrecipients that require single audit follow-up as there was only one subrecipient with a finding during FY 23. Criteria: Title 2 CFR 200.332(d)(3) states that pass-through entities’ monitoring of subrecipients must include issuing a management decision for audit findings that relate to the federal award provided to the subrecipient from the pass-through entity. Title 2 CFR 200.521(d) states a management decision must be issued within six months of acceptance of the audit report by the federal audit clearinghouse. Title 2 CFR 200.303(a) requires the State to establish and maintain effective internal controls over federal awards that provide reasonable assurance that the State is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Effect: Untimely management decisions may result in the subrecipient not taking appropriate corrective action on findings. Noncompliance with federal regulations may result in the federal awarding agency imposing additional conditions or taking corrective action, including additional reporting requirements or withholding/terminating funding. Questioned Costs: None Recommendation: DOTPF’s Division of Administrative Services (DAS) director should develop and implement procedures to ensure management decisions for all subrecipient single audit findings are issued within six months of the audit report’s acceptance by the federal audit clearinghouse. View of Responsible Officials: Management agrees with this finding.
Federal Awarding Agency: USDOT Impact: Significant Deficiency, Noncompliance AL Number and Title: 20.509 FGRA Federal Award Number: AK-2022-027 Applicable Compliance Requirement: Subrecipient Monitoring Condition: DOTPF management did not issue a management decision for the one single audit finding requiring follow-up in FY 23 within six months as required by federal law. Context: Under federal regulations, pass-through entities are responsible for issuing a management decision for audit findings relating to federal awards provided to subrecipients. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the adequacy of the subrecipient’s proposed corrective actions to address the finding. If the subrecipient has not completed corrective action, a timetable for follow-up should be given. Cause: DOTPF has no procedures to ensure a management decision is issued in a timely manner for a subrecipient’s single audit finding. DOTPF management believed it was not necessary to track subrecipients that require single audit follow-up as there was only one subrecipient with a finding during FY 23. Criteria: Title 2 CFR 200.332(d)(3) states that pass-through entities’ monitoring of subrecipients must include issuing a management decision for audit findings that relate to the federal award provided to the subrecipient from the pass-through entity. Title 2 CFR 200.521(d) states a management decision must be issued within six months of acceptance of the audit report by the federal audit clearinghouse. Title 2 CFR 200.303(a) requires the State to establish and maintain effective internal controls over federal awards that provide reasonable assurance that the State is managing federal awards in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Effect: Untimely management decisions may result in the subrecipient not taking appropriate corrective action on findings. Noncompliance with federal regulations may result in the federal awarding agency imposing additional conditions or taking corrective action, including additional reporting requirements or withholding/terminating funding. Questioned Costs: None Recommendation: DOTPF’s Division of Administrative Services (DAS) director should develop and implement procedures to ensure management decisions for all subrecipient single audit findings are issued within six months of the audit report’s acceptance by the federal audit clearinghouse. View of Responsible Officials: Management agrees with this finding.
2023-043 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S Department of Health and Human Services Federal Award/Contract Number: NU2GGH002038; NU2GGH002116; NU2GGH002157; NU2GGH002242; NU2GGH002298; NU2GGH002360; NU2GGH002374; NU2GGH002423 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-030 Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President’s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University’s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2023, the University spent almost $70 million in federal program funds, about $42 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients’ activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor’s report or nine months after the end of the subrecipient’s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report’s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: • Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed • Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 19 subrecipients. We found the University did not adequately monitor four subrecipients (57 percent) to ensure they received a required single or program-specific audit. Additionally, we found three of the four subrecipients received audit findings for the Global AIDS program, but the University did not issue a written management decision to the subrecipients and ensure appropriate corrective actions would be taken to correct the deficiencies reported, as required. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The University’s Office of Sponsored Programs used a spreadsheet to track subrecipient certifications and whether they were subject to a single or program audit. However, the University did not obtain updated annual audit certifications from these subrecipients to determine if they required an audit and, therefore, did not require the subrecipients to provide documentation of a single or program-specific audit. In addition, University management did not follow up with the subrecipients to verify that audits were performed. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: • Follow policies and procedures to ensure subrecipients receive required single or program-specific audits • Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required • Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations • Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations • Issue a written management decision for all applicable audit findings, if necessary University’s Response In the prior audit, it was found the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. As a result of that finding, the University took corrective action, which was conveyed in November 2023, but given the significant enterprise-wide financial system replacement and implementation, the work to implement all corrective action steps, including single audit verification, has been interrupted and audit certification was not performed consistently during FY23. The University uses a certification process to obtain information and documentation needed to assess each subrecipient. As part of corrective action from finding 2022-030, the University updated the certification process with all subrecipients to confirm if federal expenditures during a fiscal year exceed the $750,000 threshold to require a single or program-specific audit by revising the initial certification form used to gather information and carry out a risk assessment. However, the University is still working on enhancing the annual certification process to confirm subrecipients receive required single or program-specific audits each year, to review such audit reports, and issue written management decisions, as required, including that subrecipient develop and perform acceptable corrective actions to address all applicable audit recommendations. Auditor’s Remarks We thank the University for its cooperation and assistance throughout the audit. We will review the status of the University's corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, Section 516, Audit findings, establishes reporting requirements for audit findings. Title 45 CFR Part 75, section 352, Requirements for pass-through entities, establishes requirements for pass through entities including monitoring of subrecipients. Title 45 CFR Part 75, section 501, Audit requirements, establishes the single audit requirements for recipients of federal assistance. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington’s Policies, Procedures and Guidance (UW Research), GIM 8 – Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients’ risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW’s subrecipient monitoring requirements are comprised, at a minimum, of the following: • Completion of the UW’s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring – Entity Level Entity level monitoring consists of a combination of the following: • Initial Subrecipient Certification Form completion and assurance by subrecipient’s authorized official • Annual audit assurance through an annual audit certification form • Maintenance of a subrecipient profile list, which includes information on the entity’s past audit information and certificationsRisk assessment carried out at each annual renewal of a subaward.
2023-043 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S Department of Health and Human Services Federal Award/Contract Number: NU2GGH002038; NU2GGH002116; NU2GGH002157; NU2GGH002242; NU2GGH002298; NU2GGH002360; NU2GGH002374; NU2GGH002423 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-030 Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President’s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University’s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2023, the University spent almost $70 million in federal program funds, about $42 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients’ activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor’s report or nine months after the end of the subrecipient’s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report’s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: • Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed • Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 19 subrecipients. We found the University did not adequately monitor four subrecipients (57 percent) to ensure they received a required single or program-specific audit. Additionally, we found three of the four subrecipients received audit findings for the Global AIDS program, but the University did not issue a written management decision to the subrecipients and ensure appropriate corrective actions would be taken to correct the deficiencies reported, as required. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The University’s Office of Sponsored Programs used a spreadsheet to track subrecipient certifications and whether they were subject to a single or program audit. However, the University did not obtain updated annual audit certifications from these subrecipients to determine if they required an audit and, therefore, did not require the subrecipients to provide documentation of a single or program-specific audit. In addition, University management did not follow up with the subrecipients to verify that audits were performed. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: • Follow policies and procedures to ensure subrecipients receive required single or program-specific audits • Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required • Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations • Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations • Issue a written management decision for all applicable audit findings, if necessary University’s Response In the prior audit, it was found the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. As a result of that finding, the University took corrective action, which was conveyed in November 2023, but given the significant enterprise-wide financial system replacement and implementation, the work to implement all corrective action steps, including single audit verification, has been interrupted and audit certification was not performed consistently during FY23. The University uses a certification process to obtain information and documentation needed to assess each subrecipient. As part of corrective action from finding 2022-030, the University updated the certification process with all subrecipients to confirm if federal expenditures during a fiscal year exceed the $750,000 threshold to require a single or program-specific audit by revising the initial certification form used to gather information and carry out a risk assessment. However, the University is still working on enhancing the annual certification process to confirm subrecipients receive required single or program-specific audits each year, to review such audit reports, and issue written management decisions, as required, including that subrecipient develop and perform acceptable corrective actions to address all applicable audit recommendations. Auditor’s Remarks We thank the University for its cooperation and assistance throughout the audit. We will review the status of the University's corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, Section 516, Audit findings, establishes reporting requirements for audit findings. Title 45 CFR Part 75, section 352, Requirements for pass-through entities, establishes requirements for pass through entities including monitoring of subrecipients. Title 45 CFR Part 75, section 501, Audit requirements, establishes the single audit requirements for recipients of federal assistance. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington’s Policies, Procedures and Guidance (UW Research), GIM 8 – Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients’ risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW’s subrecipient monitoring requirements are comprised, at a minimum, of the following: • Completion of the UW’s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring – Entity Level Entity level monitoring consists of a combination of the following: • Initial Subrecipient Certification Form completion and assurance by subrecipient’s authorized official • Annual audit assurance through an annual audit certification form • Maintenance of a subrecipient profile list, which includes information on the entity’s past audit information and certificationsRisk assessment carried out at each annual renewal of a subaward.
2023-043 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S Department of Health and Human Services Federal Award/Contract Number: NU2GGH002038; NU2GGH002116; NU2GGH002157; NU2GGH002242; NU2GGH002298; NU2GGH002360; NU2GGH002374; NU2GGH002423 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-030 Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President’s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University’s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2023, the University spent almost $70 million in federal program funds, about $42 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients’ activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor’s report or nine months after the end of the subrecipient’s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report’s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: • Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed • Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 19 subrecipients. We found the University did not adequately monitor four subrecipients (57 percent) to ensure they received a required single or program-specific audit. Additionally, we found three of the four subrecipients received audit findings for the Global AIDS program, but the University did not issue a written management decision to the subrecipients and ensure appropriate corrective actions would be taken to correct the deficiencies reported, as required. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The University’s Office of Sponsored Programs used a spreadsheet to track subrecipient certifications and whether they were subject to a single or program audit. However, the University did not obtain updated annual audit certifications from these subrecipients to determine if they required an audit and, therefore, did not require the subrecipients to provide documentation of a single or program-specific audit. In addition, University management did not follow up with the subrecipients to verify that audits were performed. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: • Follow policies and procedures to ensure subrecipients receive required single or program-specific audits • Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required • Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations • Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations • Issue a written management decision for all applicable audit findings, if necessary University’s Response In the prior audit, it was found the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. As a result of that finding, the University took corrective action, which was conveyed in November 2023, but given the significant enterprise-wide financial system replacement and implementation, the work to implement all corrective action steps, including single audit verification, has been interrupted and audit certification was not performed consistently during FY23. The University uses a certification process to obtain information and documentation needed to assess each subrecipient. As part of corrective action from finding 2022-030, the University updated the certification process with all subrecipients to confirm if federal expenditures during a fiscal year exceed the $750,000 threshold to require a single or program-specific audit by revising the initial certification form used to gather information and carry out a risk assessment. However, the University is still working on enhancing the annual certification process to confirm subrecipients receive required single or program-specific audits each year, to review such audit reports, and issue written management decisions, as required, including that subrecipient develop and perform acceptable corrective actions to address all applicable audit recommendations. Auditor’s Remarks We thank the University for its cooperation and assistance throughout the audit. We will review the status of the University's corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, Section 516, Audit findings, establishes reporting requirements for audit findings. Title 45 CFR Part 75, section 352, Requirements for pass-through entities, establishes requirements for pass through entities including monitoring of subrecipients. Title 45 CFR Part 75, section 501, Audit requirements, establishes the single audit requirements for recipients of federal assistance. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington’s Policies, Procedures and Guidance (UW Research), GIM 8 – Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients’ risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW’s subrecipient monitoring requirements are comprised, at a minimum, of the following: • Completion of the UW’s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring – Entity Level Entity level monitoring consists of a combination of the following: • Initial Subrecipient Certification Form completion and assurance by subrecipient’s authorized official • Annual audit assurance through an annual audit certification form • Maintenance of a subrecipient profile list, which includes information on the entity’s past audit information and certificationsRisk assessment carried out at each annual renewal of a subaward.
2023-043 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S Department of Health and Human Services Federal Award/Contract Number: NU2GGH002038; NU2GGH002116; NU2GGH002157; NU2GGH002242; NU2GGH002298; NU2GGH002360; NU2GGH002374; NU2GGH002423 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-030 Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President’s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University’s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2023, the University spent almost $70 million in federal program funds, about $42 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients’ activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor’s report or nine months after the end of the subrecipient’s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report’s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: • Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed • Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 19 subrecipients. We found the University did not adequately monitor four subrecipients (57 percent) to ensure they received a required single or program-specific audit. Additionally, we found three of the four subrecipients received audit findings for the Global AIDS program, but the University did not issue a written management decision to the subrecipients and ensure appropriate corrective actions would be taken to correct the deficiencies reported, as required. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The University’s Office of Sponsored Programs used a spreadsheet to track subrecipient certifications and whether they were subject to a single or program audit. However, the University did not obtain updated annual audit certifications from these subrecipients to determine if they required an audit and, therefore, did not require the subrecipients to provide documentation of a single or program-specific audit. In addition, University management did not follow up with the subrecipients to verify that audits were performed. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: • Follow policies and procedures to ensure subrecipients receive required single or program-specific audits • Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required • Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations • Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations • Issue a written management decision for all applicable audit findings, if necessary University’s Response In the prior audit, it was found the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. As a result of that finding, the University took corrective action, which was conveyed in November 2023, but given the significant enterprise-wide financial system replacement and implementation, the work to implement all corrective action steps, including single audit verification, has been interrupted and audit certification was not performed consistently during FY23. The University uses a certification process to obtain information and documentation needed to assess each subrecipient. As part of corrective action from finding 2022-030, the University updated the certification process with all subrecipients to confirm if federal expenditures during a fiscal year exceed the $750,000 threshold to require a single or program-specific audit by revising the initial certification form used to gather information and carry out a risk assessment. However, the University is still working on enhancing the annual certification process to confirm subrecipients receive required single or program-specific audits each year, to review such audit reports, and issue written management decisions, as required, including that subrecipient develop and perform acceptable corrective actions to address all applicable audit recommendations. Auditor’s Remarks We thank the University for its cooperation and assistance throughout the audit. We will review the status of the University's corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, Section 516, Audit findings, establishes reporting requirements for audit findings. Title 45 CFR Part 75, section 352, Requirements for pass-through entities, establishes requirements for pass through entities including monitoring of subrecipients. Title 45 CFR Part 75, section 501, Audit requirements, establishes the single audit requirements for recipients of federal assistance. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington’s Policies, Procedures and Guidance (UW Research), GIM 8 – Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients’ risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW’s subrecipient monitoring requirements are comprised, at a minimum, of the following: • Completion of the UW’s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring – Entity Level Entity level monitoring consists of a combination of the following: • Initial Subrecipient Certification Form completion and assurance by subrecipient’s authorized official • Annual audit assurance through an annual audit certification form • Maintenance of a subrecipient profile list, which includes information on the entity’s past audit information and certificationsRisk assessment carried out at each annual renewal of a subaward.
2023-043 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S Department of Health and Human Services Federal Award/Contract Number: NU2GGH002038; NU2GGH002116; NU2GGH002157; NU2GGH002242; NU2GGH002298; NU2GGH002360; NU2GGH002374; NU2GGH002423 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-030 Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President’s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University’s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2023, the University spent almost $70 million in federal program funds, about $42 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients’ activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor’s report or nine months after the end of the subrecipient’s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report’s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: • Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed • Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 19 subrecipients. We found the University did not adequately monitor four subrecipients (57 percent) to ensure they received a required single or program-specific audit. Additionally, we found three of the four subrecipients received audit findings for the Global AIDS program, but the University did not issue a written management decision to the subrecipients and ensure appropriate corrective actions would be taken to correct the deficiencies reported, as required. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The University’s Office of Sponsored Programs used a spreadsheet to track subrecipient certifications and whether they were subject to a single or program audit. However, the University did not obtain updated annual audit certifications from these subrecipients to determine if they required an audit and, therefore, did not require the subrecipients to provide documentation of a single or program-specific audit. In addition, University management did not follow up with the subrecipients to verify that audits were performed. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: • Follow policies and procedures to ensure subrecipients receive required single or program-specific audits • Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required • Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations • Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations • Issue a written management decision for all applicable audit findings, if necessary University’s Response In the prior audit, it was found the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. As a result of that finding, the University took corrective action, which was conveyed in November 2023, but given the significant enterprise-wide financial system replacement and implementation, the work to implement all corrective action steps, including single audit verification, has been interrupted and audit certification was not performed consistently during FY23. The University uses a certification process to obtain information and documentation needed to assess each subrecipient. As part of corrective action from finding 2022-030, the University updated the certification process with all subrecipients to confirm if federal expenditures during a fiscal year exceed the $750,000 threshold to require a single or program-specific audit by revising the initial certification form used to gather information and carry out a risk assessment. However, the University is still working on enhancing the annual certification process to confirm subrecipients receive required single or program-specific audits each year, to review such audit reports, and issue written management decisions, as required, including that subrecipient develop and perform acceptable corrective actions to address all applicable audit recommendations. Auditor’s Remarks We thank the University for its cooperation and assistance throughout the audit. We will review the status of the University's corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, Section 516, Audit findings, establishes reporting requirements for audit findings. Title 45 CFR Part 75, section 352, Requirements for pass-through entities, establishes requirements for pass through entities including monitoring of subrecipients. Title 45 CFR Part 75, section 501, Audit requirements, establishes the single audit requirements for recipients of federal assistance. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington’s Policies, Procedures and Guidance (UW Research), GIM 8 – Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients’ risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW’s subrecipient monitoring requirements are comprised, at a minimum, of the following: • Completion of the UW’s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring – Entity Level Entity level monitoring consists of a combination of the following: • Initial Subrecipient Certification Form completion and assurance by subrecipient’s authorized official • Annual audit assurance through an annual audit certification form • Maintenance of a subrecipient profile list, which includes information on the entity’s past audit information and certificationsRisk assessment carried out at each annual renewal of a subaward.
2023-043 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S Department of Health and Human Services Federal Award/Contract Number: NU2GGH002038; NU2GGH002116; NU2GGH002157; NU2GGH002242; NU2GGH002298; NU2GGH002360; NU2GGH002374; NU2GGH002423 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-030 Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President’s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University’s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2023, the University spent almost $70 million in federal program funds, about $42 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients’ activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor’s report or nine months after the end of the subrecipient’s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report’s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: • Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed • Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 19 subrecipients. We found the University did not adequately monitor four subrecipients (57 percent) to ensure they received a required single or program-specific audit. Additionally, we found three of the four subrecipients received audit findings for the Global AIDS program, but the University did not issue a written management decision to the subrecipients and ensure appropriate corrective actions would be taken to correct the deficiencies reported, as required. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The University’s Office of Sponsored Programs used a spreadsheet to track subrecipient certifications and whether they were subject to a single or program audit. However, the University did not obtain updated annual audit certifications from these subrecipients to determine if they required an audit and, therefore, did not require the subrecipients to provide documentation of a single or program-specific audit. In addition, University management did not follow up with the subrecipients to verify that audits were performed. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: • Follow policies and procedures to ensure subrecipients receive required single or program-specific audits • Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required • Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations • Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations • Issue a written management decision for all applicable audit findings, if necessary University’s Response In the prior audit, it was found the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. As a result of that finding, the University took corrective action, which was conveyed in November 2023, but given the significant enterprise-wide financial system replacement and implementation, the work to implement all corrective action steps, including single audit verification, has been interrupted and audit certification was not performed consistently during FY23. The University uses a certification process to obtain information and documentation needed to assess each subrecipient. As part of corrective action from finding 2022-030, the University updated the certification process with all subrecipients to confirm if federal expenditures during a fiscal year exceed the $750,000 threshold to require a single or program-specific audit by revising the initial certification form used to gather information and carry out a risk assessment. However, the University is still working on enhancing the annual certification process to confirm subrecipients receive required single or program-specific audits each year, to review such audit reports, and issue written management decisions, as required, including that subrecipient develop and perform acceptable corrective actions to address all applicable audit recommendations. Auditor’s Remarks We thank the University for its cooperation and assistance throughout the audit. We will review the status of the University's corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, Section 516, Audit findings, establishes reporting requirements for audit findings. Title 45 CFR Part 75, section 352, Requirements for pass-through entities, establishes requirements for pass through entities including monitoring of subrecipients. Title 45 CFR Part 75, section 501, Audit requirements, establishes the single audit requirements for recipients of federal assistance. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington’s Policies, Procedures and Guidance (UW Research), GIM 8 – Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients’ risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW’s subrecipient monitoring requirements are comprised, at a minimum, of the following: • Completion of the UW’s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring – Entity Level Entity level monitoring consists of a combination of the following: • Initial Subrecipient Certification Form completion and assurance by subrecipient’s authorized official • Annual audit assurance through an annual audit certification form • Maintenance of a subrecipient profile list, which includes information on the entity’s past audit information and certificationsRisk assessment carried out at each annual renewal of a subaward.
2023-043 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S Department of Health and Human Services Federal Award/Contract Number: NU2GGH002038; NU2GGH002116; NU2GGH002157; NU2GGH002242; NU2GGH002298; NU2GGH002360; NU2GGH002374; NU2GGH002423 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-030 Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President’s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University’s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2023, the University spent almost $70 million in federal program funds, about $42 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients’ activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor’s report or nine months after the end of the subrecipient’s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report’s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: • Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed • Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 19 subrecipients. We found the University did not adequately monitor four subrecipients (57 percent) to ensure they received a required single or program-specific audit. Additionally, we found three of the four subrecipients received audit findings for the Global AIDS program, but the University did not issue a written management decision to the subrecipients and ensure appropriate corrective actions would be taken to correct the deficiencies reported, as required. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The University’s Office of Sponsored Programs used a spreadsheet to track subrecipient certifications and whether they were subject to a single or program audit. However, the University did not obtain updated annual audit certifications from these subrecipients to determine if they required an audit and, therefore, did not require the subrecipients to provide documentation of a single or program-specific audit. In addition, University management did not follow up with the subrecipients to verify that audits were performed. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: • Follow policies and procedures to ensure subrecipients receive required single or program-specific audits • Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required • Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations • Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations • Issue a written management decision for all applicable audit findings, if necessary University’s Response In the prior audit, it was found the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. As a result of that finding, the University took corrective action, which was conveyed in November 2023, but given the significant enterprise-wide financial system replacement and implementation, the work to implement all corrective action steps, including single audit verification, has been interrupted and audit certification was not performed consistently during FY23. The University uses a certification process to obtain information and documentation needed to assess each subrecipient. As part of corrective action from finding 2022-030, the University updated the certification process with all subrecipients to confirm if federal expenditures during a fiscal year exceed the $750,000 threshold to require a single or program-specific audit by revising the initial certification form used to gather information and carry out a risk assessment. However, the University is still working on enhancing the annual certification process to confirm subrecipients receive required single or program-specific audits each year, to review such audit reports, and issue written management decisions, as required, including that subrecipient develop and perform acceptable corrective actions to address all applicable audit recommendations. Auditor’s Remarks We thank the University for its cooperation and assistance throughout the audit. We will review the status of the University's corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, Section 516, Audit findings, establishes reporting requirements for audit findings. Title 45 CFR Part 75, section 352, Requirements for pass-through entities, establishes requirements for pass through entities including monitoring of subrecipients. Title 45 CFR Part 75, section 501, Audit requirements, establishes the single audit requirements for recipients of federal assistance. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington’s Policies, Procedures and Guidance (UW Research), GIM 8 – Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients’ risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW’s subrecipient monitoring requirements are comprised, at a minimum, of the following: • Completion of the UW’s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring – Entity Level Entity level monitoring consists of a combination of the following: • Initial Subrecipient Certification Form completion and assurance by subrecipient’s authorized official • Annual audit assurance through an annual audit certification form • Maintenance of a subrecipient profile list, which includes information on the entity’s past audit information and certificationsRisk assessment carried out at each annual renewal of a subaward.
2023-043 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S Department of Health and Human Services Federal Award/Contract Number: NU2GGH002038; NU2GGH002116; NU2GGH002157; NU2GGH002242; NU2GGH002298; NU2GGH002360; NU2GGH002374; NU2GGH002423 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-030 Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President’s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University’s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2023, the University spent almost $70 million in federal program funds, about $42 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients’ activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor’s report or nine months after the end of the subrecipient’s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report’s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: • Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed • Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 19 subrecipients. We found the University did not adequately monitor four subrecipients (57 percent) to ensure they received a required single or program-specific audit. Additionally, we found three of the four subrecipients received audit findings for the Global AIDS program, but the University did not issue a written management decision to the subrecipients and ensure appropriate corrective actions would be taken to correct the deficiencies reported, as required. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The University’s Office of Sponsored Programs used a spreadsheet to track subrecipient certifications and whether they were subject to a single or program audit. However, the University did not obtain updated annual audit certifications from these subrecipients to determine if they required an audit and, therefore, did not require the subrecipients to provide documentation of a single or program-specific audit. In addition, University management did not follow up with the subrecipients to verify that audits were performed. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: • Follow policies and procedures to ensure subrecipients receive required single or program-specific audits • Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required • Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations • Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations • Issue a written management decision for all applicable audit findings, if necessary University’s Response In the prior audit, it was found the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. As a result of that finding, the University took corrective action, which was conveyed in November 2023, but given the significant enterprise-wide financial system replacement and implementation, the work to implement all corrective action steps, including single audit verification, has been interrupted and audit certification was not performed consistently during FY23. The University uses a certification process to obtain information and documentation needed to assess each subrecipient. As part of corrective action from finding 2022-030, the University updated the certification process with all subrecipients to confirm if federal expenditures during a fiscal year exceed the $750,000 threshold to require a single or program-specific audit by revising the initial certification form used to gather information and carry out a risk assessment. However, the University is still working on enhancing the annual certification process to confirm subrecipients receive required single or program-specific audits each year, to review such audit reports, and issue written management decisions, as required, including that subrecipient develop and perform acceptable corrective actions to address all applicable audit recommendations. Auditor’s Remarks We thank the University for its cooperation and assistance throughout the audit. We will review the status of the University's corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, Section 516, Audit findings, establishes reporting requirements for audit findings. Title 45 CFR Part 75, section 352, Requirements for pass-through entities, establishes requirements for pass through entities including monitoring of subrecipients. Title 45 CFR Part 75, section 501, Audit requirements, establishes the single audit requirements for recipients of federal assistance. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington’s Policies, Procedures and Guidance (UW Research), GIM 8 – Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients’ risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW’s subrecipient monitoring requirements are comprised, at a minimum, of the following: • Completion of the UW’s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring – Entity Level Entity level monitoring consists of a combination of the following: • Initial Subrecipient Certification Form completion and assurance by subrecipient’s authorized official • Annual audit assurance through an annual audit certification form • Maintenance of a subrecipient profile list, which includes information on the entity’s past audit information and certificationsRisk assessment carried out at each annual renewal of a subaward.
2023-043 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S Department of Health and Human Services Federal Award/Contract Number: NU2GGH002038; NU2GGH002116; NU2GGH002157; NU2GGH002242; NU2GGH002298; NU2GGH002360; NU2GGH002374; NU2GGH002423 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-030 Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President’s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University’s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2023, the University spent almost $70 million in federal program funds, about $42 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients’ activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor’s report or nine months after the end of the subrecipient’s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report’s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: • Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed • Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 19 subrecipients. We found the University did not adequately monitor four subrecipients (57 percent) to ensure they received a required single or program-specific audit. Additionally, we found three of the four subrecipients received audit findings for the Global AIDS program, but the University did not issue a written management decision to the subrecipients and ensure appropriate corrective actions would be taken to correct the deficiencies reported, as required. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The University’s Office of Sponsored Programs used a spreadsheet to track subrecipient certifications and whether they were subject to a single or program audit. However, the University did not obtain updated annual audit certifications from these subrecipients to determine if they required an audit and, therefore, did not require the subrecipients to provide documentation of a single or program-specific audit. In addition, University management did not follow up with the subrecipients to verify that audits were performed. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: • Follow policies and procedures to ensure subrecipients receive required single or program-specific audits • Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required • Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations • Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations • Issue a written management decision for all applicable audit findings, if necessary University’s Response In the prior audit, it was found the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. As a result of that finding, the University took corrective action, which was conveyed in November 2023, but given the significant enterprise-wide financial system replacement and implementation, the work to implement all corrective action steps, including single audit verification, has been interrupted and audit certification was not performed consistently during FY23. The University uses a certification process to obtain information and documentation needed to assess each subrecipient. As part of corrective action from finding 2022-030, the University updated the certification process with all subrecipients to confirm if federal expenditures during a fiscal year exceed the $750,000 threshold to require a single or program-specific audit by revising the initial certification form used to gather information and carry out a risk assessment. However, the University is still working on enhancing the annual certification process to confirm subrecipients receive required single or program-specific audits each year, to review such audit reports, and issue written management decisions, as required, including that subrecipient develop and perform acceptable corrective actions to address all applicable audit recommendations. Auditor’s Remarks We thank the University for its cooperation and assistance throughout the audit. We will review the status of the University's corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, Section 516, Audit findings, establishes reporting requirements for audit findings. Title 45 CFR Part 75, section 352, Requirements for pass-through entities, establishes requirements for pass through entities including monitoring of subrecipients. Title 45 CFR Part 75, section 501, Audit requirements, establishes the single audit requirements for recipients of federal assistance. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington’s Policies, Procedures and Guidance (UW Research), GIM 8 – Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients’ risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW’s subrecipient monitoring requirements are comprised, at a minimum, of the following: • Completion of the UW’s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring – Entity Level Entity level monitoring consists of a combination of the following: • Initial Subrecipient Certification Form completion and assurance by subrecipient’s authorized official • Annual audit assurance through an annual audit certification form • Maintenance of a subrecipient profile list, which includes information on the entity’s past audit information and certificationsRisk assessment carried out at each annual renewal of a subaward.
2023-043 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S Department of Health and Human Services Federal Award/Contract Number: NU2GGH002038; NU2GGH002116; NU2GGH002157; NU2GGH002242; NU2GGH002298; NU2GGH002360; NU2GGH002374; NU2GGH002423 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-030 Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President’s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University’s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2023, the University spent almost $70 million in federal program funds, about $42 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients’ activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor’s report or nine months after the end of the subrecipient’s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report’s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: • Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed • Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 19 subrecipients. We found the University did not adequately monitor four subrecipients (57 percent) to ensure they received a required single or program-specific audit. Additionally, we found three of the four subrecipients received audit findings for the Global AIDS program, but the University did not issue a written management decision to the subrecipients and ensure appropriate corrective actions would be taken to correct the deficiencies reported, as required. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The University’s Office of Sponsored Programs used a spreadsheet to track subrecipient certifications and whether they were subject to a single or program audit. However, the University did not obtain updated annual audit certifications from these subrecipients to determine if they required an audit and, therefore, did not require the subrecipients to provide documentation of a single or program-specific audit. In addition, University management did not follow up with the subrecipients to verify that audits were performed. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: • Follow policies and procedures to ensure subrecipients receive required single or program-specific audits • Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required • Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations • Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations • Issue a written management decision for all applicable audit findings, if necessary University’s Response In the prior audit, it was found the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. As a result of that finding, the University took corrective action, which was conveyed in November 2023, but given the significant enterprise-wide financial system replacement and implementation, the work to implement all corrective action steps, including single audit verification, has been interrupted and audit certification was not performed consistently during FY23. The University uses a certification process to obtain information and documentation needed to assess each subrecipient. As part of corrective action from finding 2022-030, the University updated the certification process with all subrecipients to confirm if federal expenditures during a fiscal year exceed the $750,000 threshold to require a single or program-specific audit by revising the initial certification form used to gather information and carry out a risk assessment. However, the University is still working on enhancing the annual certification process to confirm subrecipients receive required single or program-specific audits each year, to review such audit reports, and issue written management decisions, as required, including that subrecipient develop and perform acceptable corrective actions to address all applicable audit recommendations. Auditor’s Remarks We thank the University for its cooperation and assistance throughout the audit. We will review the status of the University's corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, Section 516, Audit findings, establishes reporting requirements for audit findings. Title 45 CFR Part 75, section 352, Requirements for pass-through entities, establishes requirements for pass through entities including monitoring of subrecipients. Title 45 CFR Part 75, section 501, Audit requirements, establishes the single audit requirements for recipients of federal assistance. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington’s Policies, Procedures and Guidance (UW Research), GIM 8 – Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients’ risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW’s subrecipient monitoring requirements are comprised, at a minimum, of the following: • Completion of the UW’s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring – Entity Level Entity level monitoring consists of a combination of the following: • Initial Subrecipient Certification Form completion and assurance by subrecipient’s authorized official • Annual audit assurance through an annual audit certification form • Maintenance of a subrecipient profile list, which includes information on the entity’s past audit information and certificationsRisk assessment carried out at each annual renewal of a subaward.
2023-043 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S Department of Health and Human Services Federal Award/Contract Number: NU2GGH002038; NU2GGH002116; NU2GGH002157; NU2GGH002242; NU2GGH002298; NU2GGH002360; NU2GGH002374; NU2GGH002423 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-030 Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President’s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University’s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2023, the University spent almost $70 million in federal program funds, about $42 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients’ activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor’s report or nine months after the end of the subrecipient’s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report’s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: • Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed • Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 19 subrecipients. We found the University did not adequately monitor four subrecipients (57 percent) to ensure they received a required single or program-specific audit. Additionally, we found three of the four subrecipients received audit findings for the Global AIDS program, but the University did not issue a written management decision to the subrecipients and ensure appropriate corrective actions would be taken to correct the deficiencies reported, as required. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The University’s Office of Sponsored Programs used a spreadsheet to track subrecipient certifications and whether they were subject to a single or program audit. However, the University did not obtain updated annual audit certifications from these subrecipients to determine if they required an audit and, therefore, did not require the subrecipients to provide documentation of a single or program-specific audit. In addition, University management did not follow up with the subrecipients to verify that audits were performed. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: • Follow policies and procedures to ensure subrecipients receive required single or program-specific audits • Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required • Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations • Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations • Issue a written management decision for all applicable audit findings, if necessary University’s Response In the prior audit, it was found the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. As a result of that finding, the University took corrective action, which was conveyed in November 2023, but given the significant enterprise-wide financial system replacement and implementation, the work to implement all corrective action steps, including single audit verification, has been interrupted and audit certification was not performed consistently during FY23. The University uses a certification process to obtain information and documentation needed to assess each subrecipient. As part of corrective action from finding 2022-030, the University updated the certification process with all subrecipients to confirm if federal expenditures during a fiscal year exceed the $750,000 threshold to require a single or program-specific audit by revising the initial certification form used to gather information and carry out a risk assessment. However, the University is still working on enhancing the annual certification process to confirm subrecipients receive required single or program-specific audits each year, to review such audit reports, and issue written management decisions, as required, including that subrecipient develop and perform acceptable corrective actions to address all applicable audit recommendations. Auditor’s Remarks We thank the University for its cooperation and assistance throughout the audit. We will review the status of the University's corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, Section 516, Audit findings, establishes reporting requirements for audit findings. Title 45 CFR Part 75, section 352, Requirements for pass-through entities, establishes requirements for pass through entities including monitoring of subrecipients. Title 45 CFR Part 75, section 501, Audit requirements, establishes the single audit requirements for recipients of federal assistance. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington’s Policies, Procedures and Guidance (UW Research), GIM 8 – Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients’ risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW’s subrecipient monitoring requirements are comprised, at a minimum, of the following: • Completion of the UW’s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring – Entity Level Entity level monitoring consists of a combination of the following: • Initial Subrecipient Certification Form completion and assurance by subrecipient’s authorized official • Annual audit assurance through an annual audit certification form • Maintenance of a subrecipient profile list, which includes information on the entity’s past audit information and certificationsRisk assessment carried out at each annual renewal of a subaward.
2023-043 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S Department of Health and Human Services Federal Award/Contract Number: NU2GGH002038; NU2GGH002116; NU2GGH002157; NU2GGH002242; NU2GGH002298; NU2GGH002360; NU2GGH002374; NU2GGH002423 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-030 Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President’s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University’s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2023, the University spent almost $70 million in federal program funds, about $42 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients’ activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor’s report or nine months after the end of the subrecipient’s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report’s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: • Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed • Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 19 subrecipients. We found the University did not adequately monitor four subrecipients (57 percent) to ensure they received a required single or program-specific audit. Additionally, we found three of the four subrecipients received audit findings for the Global AIDS program, but the University did not issue a written management decision to the subrecipients and ensure appropriate corrective actions would be taken to correct the deficiencies reported, as required. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The University’s Office of Sponsored Programs used a spreadsheet to track subrecipient certifications and whether they were subject to a single or program audit. However, the University did not obtain updated annual audit certifications from these subrecipients to determine if they required an audit and, therefore, did not require the subrecipients to provide documentation of a single or program-specific audit. In addition, University management did not follow up with the subrecipients to verify that audits were performed. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: • Follow policies and procedures to ensure subrecipients receive required single or program-specific audits • Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required • Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations • Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations • Issue a written management decision for all applicable audit findings, if necessary University’s Response In the prior audit, it was found the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. As a result of that finding, the University took corrective action, which was conveyed in November 2023, but given the significant enterprise-wide financial system replacement and implementation, the work to implement all corrective action steps, including single audit verification, has been interrupted and audit certification was not performed consistently during FY23. The University uses a certification process to obtain information and documentation needed to assess each subrecipient. As part of corrective action from finding 2022-030, the University updated the certification process with all subrecipients to confirm if federal expenditures during a fiscal year exceed the $750,000 threshold to require a single or program-specific audit by revising the initial certification form used to gather information and carry out a risk assessment. However, the University is still working on enhancing the annual certification process to confirm subrecipients receive required single or program-specific audits each year, to review such audit reports, and issue written management decisions, as required, including that subrecipient develop and perform acceptable corrective actions to address all applicable audit recommendations. Auditor’s Remarks We thank the University for its cooperation and assistance throughout the audit. We will review the status of the University's corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, Section 516, Audit findings, establishes reporting requirements for audit findings. Title 45 CFR Part 75, section 352, Requirements for pass-through entities, establishes requirements for pass through entities including monitoring of subrecipients. Title 45 CFR Part 75, section 501, Audit requirements, establishes the single audit requirements for recipients of federal assistance. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington’s Policies, Procedures and Guidance (UW Research), GIM 8 – Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients’ risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW’s subrecipient monitoring requirements are comprised, at a minimum, of the following: • Completion of the UW’s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring – Entity Level Entity level monitoring consists of a combination of the following: • Initial Subrecipient Certification Form completion and assurance by subrecipient’s authorized official • Annual audit assurance through an annual audit certification form • Maintenance of a subrecipient profile list, which includes information on the entity’s past audit information and certificationsRisk assessment carried out at each annual renewal of a subaward.
2023-043 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S Department of Health and Human Services Federal Award/Contract Number: NU2GGH002038; NU2GGH002116; NU2GGH002157; NU2GGH002242; NU2GGH002298; NU2GGH002360; NU2GGH002374; NU2GGH002423 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-030 Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President’s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University’s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2023, the University spent almost $70 million in federal program funds, about $42 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients’ activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor’s report or nine months after the end of the subrecipient’s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report’s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: • Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed • Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 19 subrecipients. We found the University did not adequately monitor four subrecipients (57 percent) to ensure they received a required single or program-specific audit. Additionally, we found three of the four subrecipients received audit findings for the Global AIDS program, but the University did not issue a written management decision to the subrecipients and ensure appropriate corrective actions would be taken to correct the deficiencies reported, as required. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The University’s Office of Sponsored Programs used a spreadsheet to track subrecipient certifications and whether they were subject to a single or program audit. However, the University did not obtain updated annual audit certifications from these subrecipients to determine if they required an audit and, therefore, did not require the subrecipients to provide documentation of a single or program-specific audit. In addition, University management did not follow up with the subrecipients to verify that audits were performed. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: • Follow policies and procedures to ensure subrecipients receive required single or program-specific audits • Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required • Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations • Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations • Issue a written management decision for all applicable audit findings, if necessary University’s Response In the prior audit, it was found the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. As a result of that finding, the University took corrective action, which was conveyed in November 2023, but given the significant enterprise-wide financial system replacement and implementation, the work to implement all corrective action steps, including single audit verification, has been interrupted and audit certification was not performed consistently during FY23. The University uses a certification process to obtain information and documentation needed to assess each subrecipient. As part of corrective action from finding 2022-030, the University updated the certification process with all subrecipients to confirm if federal expenditures during a fiscal year exceed the $750,000 threshold to require a single or program-specific audit by revising the initial certification form used to gather information and carry out a risk assessment. However, the University is still working on enhancing the annual certification process to confirm subrecipients receive required single or program-specific audits each year, to review such audit reports, and issue written management decisions, as required, including that subrecipient develop and perform acceptable corrective actions to address all applicable audit recommendations. Auditor’s Remarks We thank the University for its cooperation and assistance throughout the audit. We will review the status of the University's corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, Section 516, Audit findings, establishes reporting requirements for audit findings. Title 45 CFR Part 75, section 352, Requirements for pass-through entities, establishes requirements for pass through entities including monitoring of subrecipients. Title 45 CFR Part 75, section 501, Audit requirements, establishes the single audit requirements for recipients of federal assistance. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington’s Policies, Procedures and Guidance (UW Research), GIM 8 – Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients’ risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW’s subrecipient monitoring requirements are comprised, at a minimum, of the following: • Completion of the UW’s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring – Entity Level Entity level monitoring consists of a combination of the following: • Initial Subrecipient Certification Form completion and assurance by subrecipient’s authorized official • Annual audit assurance through an annual audit certification form • Maintenance of a subrecipient profile list, which includes information on the entity’s past audit information and certificationsRisk assessment carried out at each annual renewal of a subaward.
2023-043 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S Department of Health and Human Services Federal Award/Contract Number: NU2GGH002038; NU2GGH002116; NU2GGH002157; NU2GGH002242; NU2GGH002298; NU2GGH002360; NU2GGH002374; NU2GGH002423 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-030 Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President’s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University’s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2023, the University spent almost $70 million in federal program funds, about $42 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients’ activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor’s report or nine months after the end of the subrecipient’s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report’s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: • Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed • Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 19 subrecipients. We found the University did not adequately monitor four subrecipients (57 percent) to ensure they received a required single or program-specific audit. Additionally, we found three of the four subrecipients received audit findings for the Global AIDS program, but the University did not issue a written management decision to the subrecipients and ensure appropriate corrective actions would be taken to correct the deficiencies reported, as required. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The University’s Office of Sponsored Programs used a spreadsheet to track subrecipient certifications and whether they were subject to a single or program audit. However, the University did not obtain updated annual audit certifications from these subrecipients to determine if they required an audit and, therefore, did not require the subrecipients to provide documentation of a single or program-specific audit. In addition, University management did not follow up with the subrecipients to verify that audits were performed. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: • Follow policies and procedures to ensure subrecipients receive required single or program-specific audits • Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required • Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations • Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations • Issue a written management decision for all applicable audit findings, if necessary University’s Response In the prior audit, it was found the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. As a result of that finding, the University took corrective action, which was conveyed in November 2023, but given the significant enterprise-wide financial system replacement and implementation, the work to implement all corrective action steps, including single audit verification, has been interrupted and audit certification was not performed consistently during FY23. The University uses a certification process to obtain information and documentation needed to assess each subrecipient. As part of corrective action from finding 2022-030, the University updated the certification process with all subrecipients to confirm if federal expenditures during a fiscal year exceed the $750,000 threshold to require a single or program-specific audit by revising the initial certification form used to gather information and carry out a risk assessment. However, the University is still working on enhancing the annual certification process to confirm subrecipients receive required single or program-specific audits each year, to review such audit reports, and issue written management decisions, as required, including that subrecipient develop and perform acceptable corrective actions to address all applicable audit recommendations. Auditor’s Remarks We thank the University for its cooperation and assistance throughout the audit. We will review the status of the University's corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, Section 516, Audit findings, establishes reporting requirements for audit findings. Title 45 CFR Part 75, section 352, Requirements for pass-through entities, establishes requirements for pass through entities including monitoring of subrecipients. Title 45 CFR Part 75, section 501, Audit requirements, establishes the single audit requirements for recipients of federal assistance. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington’s Policies, Procedures and Guidance (UW Research), GIM 8 – Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients’ risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW’s subrecipient monitoring requirements are comprised, at a minimum, of the following: • Completion of the UW’s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring – Entity Level Entity level monitoring consists of a combination of the following: • Initial Subrecipient Certification Form completion and assurance by subrecipient’s authorized official • Annual audit assurance through an annual audit certification form • Maintenance of a subrecipient profile list, which includes information on the entity’s past audit information and certificationsRisk assessment carried out at each annual renewal of a subaward.
2023-043 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S Department of Health and Human Services Federal Award/Contract Number: NU2GGH002038; NU2GGH002116; NU2GGH002157; NU2GGH002242; NU2GGH002298; NU2GGH002360; NU2GGH002374; NU2GGH002423 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-030 Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President’s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University’s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2023, the University spent almost $70 million in federal program funds, about $42 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients’ activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor’s report or nine months after the end of the subrecipient’s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report’s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: • Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed • Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 19 subrecipients. We found the University did not adequately monitor four subrecipients (57 percent) to ensure they received a required single or program-specific audit. Additionally, we found three of the four subrecipients received audit findings for the Global AIDS program, but the University did not issue a written management decision to the subrecipients and ensure appropriate corrective actions would be taken to correct the deficiencies reported, as required. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The University’s Office of Sponsored Programs used a spreadsheet to track subrecipient certifications and whether they were subject to a single or program audit. However, the University did not obtain updated annual audit certifications from these subrecipients to determine if they required an audit and, therefore, did not require the subrecipients to provide documentation of a single or program-specific audit. In addition, University management did not follow up with the subrecipients to verify that audits were performed. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: • Follow policies and procedures to ensure subrecipients receive required single or program-specific audits • Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required • Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations • Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations • Issue a written management decision for all applicable audit findings, if necessary University’s Response In the prior audit, it was found the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. As a result of that finding, the University took corrective action, which was conveyed in November 2023, but given the significant enterprise-wide financial system replacement and implementation, the work to implement all corrective action steps, including single audit verification, has been interrupted and audit certification was not performed consistently during FY23. The University uses a certification process to obtain information and documentation needed to assess each subrecipient. As part of corrective action from finding 2022-030, the University updated the certification process with all subrecipients to confirm if federal expenditures during a fiscal year exceed the $750,000 threshold to require a single or program-specific audit by revising the initial certification form used to gather information and carry out a risk assessment. However, the University is still working on enhancing the annual certification process to confirm subrecipients receive required single or program-specific audits each year, to review such audit reports, and issue written management decisions, as required, including that subrecipient develop and perform acceptable corrective actions to address all applicable audit recommendations. Auditor’s Remarks We thank the University for its cooperation and assistance throughout the audit. We will review the status of the University's corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, Section 516, Audit findings, establishes reporting requirements for audit findings. Title 45 CFR Part 75, section 352, Requirements for pass-through entities, establishes requirements for pass through entities including monitoring of subrecipients. Title 45 CFR Part 75, section 501, Audit requirements, establishes the single audit requirements for recipients of federal assistance. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington’s Policies, Procedures and Guidance (UW Research), GIM 8 – Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients’ risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW’s subrecipient monitoring requirements are comprised, at a minimum, of the following: • Completion of the UW’s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring – Entity Level Entity level monitoring consists of a combination of the following: • Initial Subrecipient Certification Form completion and assurance by subrecipient’s authorized official • Annual audit assurance through an annual audit certification form • Maintenance of a subrecipient profile list, which includes information on the entity’s past audit information and certificationsRisk assessment carried out at each annual renewal of a subaward.
2023-043 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S Department of Health and Human Services Federal Award/Contract Number: NU2GGH002038; NU2GGH002116; NU2GGH002157; NU2GGH002242; NU2GGH002298; NU2GGH002360; NU2GGH002374; NU2GGH002423 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-030 Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President’s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University’s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2023, the University spent almost $70 million in federal program funds, about $42 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients’ activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor’s report or nine months after the end of the subrecipient’s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report’s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: • Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed • Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 19 subrecipients. We found the University did not adequately monitor four subrecipients (57 percent) to ensure they received a required single or program-specific audit. Additionally, we found three of the four subrecipients received audit findings for the Global AIDS program, but the University did not issue a written management decision to the subrecipients and ensure appropriate corrective actions would be taken to correct the deficiencies reported, as required. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The University’s Office of Sponsored Programs used a spreadsheet to track subrecipient certifications and whether they were subject to a single or program audit. However, the University did not obtain updated annual audit certifications from these subrecipients to determine if they required an audit and, therefore, did not require the subrecipients to provide documentation of a single or program-specific audit. In addition, University management did not follow up with the subrecipients to verify that audits were performed. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: • Follow policies and procedures to ensure subrecipients receive required single or program-specific audits • Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required • Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations • Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations • Issue a written management decision for all applicable audit findings, if necessary University’s Response In the prior audit, it was found the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. As a result of that finding, the University took corrective action, which was conveyed in November 2023, but given the significant enterprise-wide financial system replacement and implementation, the work to implement all corrective action steps, including single audit verification, has been interrupted and audit certification was not performed consistently during FY23. The University uses a certification process to obtain information and documentation needed to assess each subrecipient. As part of corrective action from finding 2022-030, the University updated the certification process with all subrecipients to confirm if federal expenditures during a fiscal year exceed the $750,000 threshold to require a single or program-specific audit by revising the initial certification form used to gather information and carry out a risk assessment. However, the University is still working on enhancing the annual certification process to confirm subrecipients receive required single or program-specific audits each year, to review such audit reports, and issue written management decisions, as required, including that subrecipient develop and perform acceptable corrective actions to address all applicable audit recommendations. Auditor’s Remarks We thank the University for its cooperation and assistance throughout the audit. We will review the status of the University's corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, Section 516, Audit findings, establishes reporting requirements for audit findings. Title 45 CFR Part 75, section 352, Requirements for pass-through entities, establishes requirements for pass through entities including monitoring of subrecipients. Title 45 CFR Part 75, section 501, Audit requirements, establishes the single audit requirements for recipients of federal assistance. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington’s Policies, Procedures and Guidance (UW Research), GIM 8 – Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients’ risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW’s subrecipient monitoring requirements are comprised, at a minimum, of the following: • Completion of the UW’s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring – Entity Level Entity level monitoring consists of a combination of the following: • Initial Subrecipient Certification Form completion and assurance by subrecipient’s authorized official • Annual audit assurance through an annual audit certification form • Maintenance of a subrecipient profile list, which includes information on the entity’s past audit information and certificationsRisk assessment carried out at each annual renewal of a subaward.
2023-043 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S Department of Health and Human Services Federal Award/Contract Number: NU2GGH002038; NU2GGH002116; NU2GGH002157; NU2GGH002242; NU2GGH002298; NU2GGH002360; NU2GGH002374; NU2GGH002423 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-030 Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President’s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University’s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2023, the University spent almost $70 million in federal program funds, about $42 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients’ activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor’s report or nine months after the end of the subrecipient’s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report’s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: • Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed • Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 19 subrecipients. We found the University did not adequately monitor four subrecipients (57 percent) to ensure they received a required single or program-specific audit. Additionally, we found three of the four subrecipients received audit findings for the Global AIDS program, but the University did not issue a written management decision to the subrecipients and ensure appropriate corrective actions would be taken to correct the deficiencies reported, as required. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The University’s Office of Sponsored Programs used a spreadsheet to track subrecipient certifications and whether they were subject to a single or program audit. However, the University did not obtain updated annual audit certifications from these subrecipients to determine if they required an audit and, therefore, did not require the subrecipients to provide documentation of a single or program-specific audit. In addition, University management did not follow up with the subrecipients to verify that audits were performed. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: • Follow policies and procedures to ensure subrecipients receive required single or program-specific audits • Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required • Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations • Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations • Issue a written management decision for all applicable audit findings, if necessary University’s Response In the prior audit, it was found the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. As a result of that finding, the University took corrective action, which was conveyed in November 2023, but given the significant enterprise-wide financial system replacement and implementation, the work to implement all corrective action steps, including single audit verification, has been interrupted and audit certification was not performed consistently during FY23. The University uses a certification process to obtain information and documentation needed to assess each subrecipient. As part of corrective action from finding 2022-030, the University updated the certification process with all subrecipients to confirm if federal expenditures during a fiscal year exceed the $750,000 threshold to require a single or program-specific audit by revising the initial certification form used to gather information and carry out a risk assessment. However, the University is still working on enhancing the annual certification process to confirm subrecipients receive required single or program-specific audits each year, to review such audit reports, and issue written management decisions, as required, including that subrecipient develop and perform acceptable corrective actions to address all applicable audit recommendations. Auditor’s Remarks We thank the University for its cooperation and assistance throughout the audit. We will review the status of the University's corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, Section 516, Audit findings, establishes reporting requirements for audit findings. Title 45 CFR Part 75, section 352, Requirements for pass-through entities, establishes requirements for pass through entities including monitoring of subrecipients. Title 45 CFR Part 75, section 501, Audit requirements, establishes the single audit requirements for recipients of federal assistance. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington’s Policies, Procedures and Guidance (UW Research), GIM 8 – Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients’ risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW’s subrecipient monitoring requirements are comprised, at a minimum, of the following: • Completion of the UW’s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring – Entity Level Entity level monitoring consists of a combination of the following: • Initial Subrecipient Certification Form completion and assurance by subrecipient’s authorized official • Annual audit assurance through an annual audit certification form • Maintenance of a subrecipient profile list, which includes information on the entity’s past audit information and certificationsRisk assessment carried out at each annual renewal of a subaward.
2023-043 The University of Washington did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it followed up on findings and issued management decisions. Assistance Listing Number and Title: 93.067 Global AIDS 93.067 COVID-19 Global AIDS Federal Grantor Name: U.S Department of Health and Human Services Federal Award/Contract Number: NU2GGH002038; NU2GGH002116; NU2GGH002157; NU2GGH002242; NU2GGH002298; NU2GGH002360; NU2GGH002374; NU2GGH002423 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Subrecipient Monitoring Known Questioned Cost Amount: None Prior Year Audit Finding: Yes, Finding 2022-030 Background The Global AIDS program is a federal initiative focused on treating and preventing the transmission of HIV/AIDS around the world. The program is authorized by Sections 307 and 317(k)(2) of the Public Health Service Act, the U.S. Leadership Against HIV/AIDS, Tuberculosis, and Malaria Acts of 2003 and 2008, and the U.S. President’s Emergency Plan for AIDS Relief. Since it was established in 2003, the federal government has invested more than $100 billion in the global HIV/AIDS response, providing testing and treatment for millions of people, preventing transmission among affected communities, and supporting numerous countries to achieve HIV epidemic control. The program distributes funding through public and private sector partnerships to reach the populations most vulnerable to HIV/AIDS epidemics. The University of Washington administers this grant for the state through its International Training and Education Center for Health (I-TECH). I-TECH is a center in the University’s Department of Global Health operated by more than 2,000 staff in offices located in Africa, Asia, the Caribbean, Eastern Europe and the United States. In fiscal year 2023, the University spent almost $70 million in federal program funds, about $42 million of which it passed through to subrecipients. Federal regulations require the University to monitor its subrecipients’ activities. This includes verifying that its subrecipients that spend $750,000 or more in federal awards during a fiscal year obtain a single or program-specific audit. For the Global AIDS program, the Centers for Disease Control and Prevention requires foreign subrecipients to submit their audits directly to the federal government and pass-through entity within 30 days after receiving the auditor’s report or nine months after the end of the subrecipient’s audit period, whichever is earlier. Additionally, for the awards it passes onto its subrecipients, the University must follow up and ensure the subrecipients take timely and appropriate corrective action on all deficiencies identified through audits. When a subrecipient receives an audit finding for a University-funded program, federal law requires the University to issue a management decision to the subrecipient within six months of the audit report’s acceptance by the federal government. The management decision must clearly state whether the audit finding is sustained, the reason for the decision, and the actions the subrecipient is expected to take, such as repaying unallowable costs or making financial adjustments. These requirements help ensure subrecipients use federal program funds for authorized purposes and within the provisions of contracts or grant agreements. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. Description of Condition The University did not have adequate internal controls over and did not comply with federal requirements to ensure subrecipients of the Global AIDS program received required single or program-specific audits, and that it appropriately followed up on findings and issued management decisions. We found the University did not have adequate internal controls in place to verify whether: • Subrecipients received required audits, if necessary, and appropriate remedies were taken if audits were not filed • Management decisions were required to be issued for subrecipients who required a single or program-specific audit We used a nonstatistical sampling method to randomly select and examine seven out of a total population of 19 subrecipients. We found the University did not adequately monitor four subrecipients (57 percent) to ensure they received a required single or program-specific audit. Additionally, we found three of the four subrecipients received audit findings for the Global AIDS program, but the University did not issue a written management decision to the subrecipients and ensure appropriate corrective actions would be taken to correct the deficiencies reported, as required. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The University’s Office of Sponsored Programs used a spreadsheet to track subrecipient certifications and whether they were subject to a single or program audit. However, the University did not obtain updated annual audit certifications from these subrecipients to determine if they required an audit and, therefore, did not require the subrecipients to provide documentation of a single or program-specific audit. In addition, University management did not follow up with the subrecipients to verify that audits were performed. Effect of Condition Without establishing adequate internal controls, the University cannot ensure all subrecipients that required a single or program-specific audit received one. Furthermore, the University cannot ensure it is following up on subrecipient audit findings and communicating required management decisions to subrecipients. By failing to ensure subrecipients establish corrective actions and management monitors them for effectiveness where required, the University cannot determine whether subrecipients have sufficiently corrected issues identified in audit findings. Recommendations We recommend the University: • Follow policies and procedures to ensure subrecipients receive required single or program-specific audits • Establish and follow effective internal controls to ensure it reviews audit reports for its subrecipients and issues written management decisions, as required • Ensure subrecipients develop and perform acceptable corrective actions to adequately address all audit recommendations • Follow up with the subrecipient to ensure the required audit reports are received and reviewed to determine if the subrecipient is required to take corrective action to address audit recommendations • Issue a written management decision for all applicable audit findings, if necessary University’s Response In the prior audit, it was found the University did not establish adequate internal controls over and did not comply with federal requirements for subrecipient monitoring. The prior finding number was 2022-030. As a result of that finding, the University took corrective action, which was conveyed in November 2023, but given the significant enterprise-wide financial system replacement and implementation, the work to implement all corrective action steps, including single audit verification, has been interrupted and audit certification was not performed consistently during FY23. The University uses a certification process to obtain information and documentation needed to assess each subrecipient. As part of corrective action from finding 2022-030, the University updated the certification process with all subrecipients to confirm if federal expenditures during a fiscal year exceed the $750,000 threshold to require a single or program-specific audit by revising the initial certification form used to gather information and carry out a risk assessment. However, the University is still working on enhancing the annual certification process to confirm subrecipients receive required single or program-specific audits each year, to review such audit reports, and issue written management decisions, as required, including that subrecipient develop and perform acceptable corrective actions to address all applicable audit recommendations. Auditor’s Remarks We thank the University for its cooperation and assistance throughout the audit. We will review the status of the University's corrective action during our next audit. Applicable Laws and Regulations Title 45 U.S. Code of Federal Regulations (CFR) Part 75, section 303, Internal Controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 45 CFR Part 75, Section 516, Audit findings, establishes reporting requirements for audit findings. Title 45 CFR Part 75, section 352, Requirements for pass-through entities, establishes requirements for pass through entities including monitoring of subrecipients. Title 45 CFR Part 75, section 501, Audit requirements, establishes the single audit requirements for recipients of federal assistance. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. The University of Washington’s Policies, Procedures and Guidance (UW Research), GIM 8 – Subrecipient Monitoring, states in part: Background Additionally, per the Federal Uniform Guidance, UW must evaluate each subrecipients’ risk of noncompliance with federal regulations, include specific terms and conditions in the subaward as necessary, and monitor the activities of the subrecipient through various mechanisms. These mechanisms include: Training and technical assistance to subrecipients, on-site reviews, review of audit results, increased reporting requirements and enforcement action, if necessary. University Policy UW reviews each subrecipient entity according to an entity level comprehensive risk assessment prior to the issuance of a subaward. This risk assessment includes an entity level review of their fiscal systems, past audit activity, and if required, financial statements of the entity as well as the project specific activity proposed and that the required compliance approvals are obtained. When necessary, UW imposes limitations and requirements on the subrecipient through subaward terms and conditions per Federal Uniform Guidance, Section 200.521, prior to the issuance or renewal of a subaward. UW’s subrecipient monitoring requirements are comprised, at a minimum, of the following: • Completion of the UW’s entity level comprehensive risk assessment (Certs & Reps, Annual Audit Certification) Subrecipient Monitoring – Entity Level Entity level monitoring consists of a combination of the following: • Initial Subrecipient Certification Form completion and assurance by subrecipient’s authorized official • Annual audit assurance through an annual audit certification form • Maintenance of a subrecipient profile list, which includes information on the entity’s past audit information and certificationsRisk assessment carried out at each annual renewal of a subaward.
Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004
Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004
Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004
Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004
Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004
Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004
Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004
Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004
Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004
Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004
Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004
Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004
Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004
Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004
Subrecipient Monitoring Material Weakness in Internal Control over Subrecipient Monitoring and Material Noncompliance Research and Development Cluster Criteria: In accordance with 2 CFR 200.331, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Additionally, in accordance with 2 CFR 200.332(b), the pass-through entity must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for the purpose of determining the appropriate subrecipient monitoring. In furtherance of this, the pass-through entity should inquire as to whether or not the subrecipient was subject to a Single Audit. If the subrecipient was subject to a Single Audit, the pass-through entity must request the Single Audit report and review for any findings or questioned costs. In accordance with 2 CFR 200.521, the pass-through entity should issue a management decision for audit findings pertaining to the federal award provided to the subrecipient from the pass-through entity as applicable. Condition: The Organization does not document its evaluation of each party that it engages in business with as to whether they are a contractor or a subrecipient. For three (3) of the three (3) such parties selected for testing, the Organization did not maintain documentation regarding whether the entity was a subrecipient or a contractor. Furthermore, as it relates to the monitoring of entities determined to be subrecipients, the Organization has not formally documented its subrecipient monitoring procedures to ensure that subrecipients are in compliance with federal statutes, regulations, and the terms and conditions of the subawards. For three (3) of the three (3) subrecipients selected for testing, the Organization did not inquire as to whether the entity was subject to a Single Audit. Consequently, the Organization did not request the Single Audit report nor did they review them for any findings pertinent to the federal award provided to the subrecipient from the pass-through entity. Cause: The Organization did not have an effective process in place to determine whether entities receiving pass-through funds are subrecipients or contractors. Furthermore, once that determination has been made, the Organization did not have a process in place for evaluating subrecipients and their compliance with the applicable requirements of the Uniform Guidance. Effect or potential effect: Lack of proper consideration of subrecipient or contractor status may result in the Organization improperly classifying a recipient of federal funds, which may impact the recipient’s compliance with the Uniform Guidance. Furthermore, by not performing adequate monitoring over subrecipients, the Organization is not appropriately monitoring whether subrecipients are compliance with grant requirements. Questioned costs: None. Context: Our sample was not intended to be statistically valid. Recommendation: The Organization should institute a process whereby all entities that receive federal funds have proper documentation supporting their classification as a subrecipient or a contractor for the entire year. Additionally, the Organization should maintain a standardized checklist for all such entities that support their rationale for the classification. This checklist should be prepared by an employee with knowledge of the grant and approved by a second individual. Furthermore, as it relates to subrecipient monitoring, the Organization should institute an annual process whereby all subrecipients are asked whether they received a Single Audit. If the subrecipient was subject to a Single Audit, the Organization should receive and review the Single Audit report. The reviewer should submit a memorandum of any findings relevant to their federal grant, which should then be submitted to the project manager or other designated person for approval. Views of responsible officials and planned corrective actions: Management's response is reported in "Management's Views and Corrective Action Plan" included at the end of this report. Identification of prior year finding: 2022-004
Reference Number: 2023-012 Prior Year Finding: 2022-013 Federal Agency: U.S. Department of Labor State Agency: Executive Office of Labor and Workforce Development Federal Program: WIOA Cluster, Employment Service Cluster Assistance Listing Number: 17.258, 17.259, 17.278, 17.207, 17.801 Award Number and Year: AA-38535-22-55-A-25 (7/1/2022 – 6/30/2025), AA-36325-21-55-A-25 (4/1/2021 – 6/30/2024), AA-34774-20-55-A-25 (4/1/2020 – 6/30/2023) ES333991955A25 (7/1/2019 – 9/30/2022), ES353492055A25 (7/1/2020 – 9/30/2023), ES367612155A25 (7/1/2021 – 9/30/2024), ES387362255A25 (7/1/2022 – 9/30/2025) DV-35786-21-55-5-25 (10/1/2020 – 12/31/2022), DV-37859-22-55-5-25 (10/1/2021 – 12/31/2023), 23555DV000008 (10/1/2022 – 12/31/2024) Compliance Requirement: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance, Other Matters Criteria or Specific Requirement: Compliance: Per 2 CFR section 200.332 - Requirements for Pass-Through Entities states, in part, that all pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient's cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section § 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. Per 2 CFR section 200.331 - Subrecipient and contractor determinations states, in part, that a pass-through entity must make case-by-case determinations whether each agreement it makes for the disbursement of Federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Control: Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should comply with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The Executive Office of Labor and Workforce Development (Department) omitted required federal award information from subawards it issued from the programs and did not adequately monitor subrecipients. Context: WIOA Cluster: Six out of eighteen subrecipients were selected for testing. The following exceptions were noted: • For 6 of 6 subawards issued, the Federal Award Identification Number (FAIN) and Federal award date of award to the recipient by the Federal agency were not included on the subaward agreement. • For 1 of 6 subrecipients selected for testing, no subaward monitoring was performed during the audit period. • For 1 of 6 subrecipients selected for testing, subaward monitoring was not completed in accordance with the Department’s policy. • For 1 of 6 subrecipients selected for testing, a determination on whether the entity was a subrecipient was unable to be made based on the documentation provided. • One subrecipient was excluded from subrecipient testing based on auditor analysis that the entity did not meet the definition of a subrecipient. The Schedule of Expenditures of Federal Awards was not adjusted to reflect the classification change. Employment Service Cluster: Five out of sixteen subrecipients were selected for testing. The following exceptions were noted: • For 5 of 5 subawards issued, the Federal Award Identification Number (FAIN) and the Federal award date of award to the recipient by the Federal agency were not included on the subaward agreement. Cause: The Department’s procedures were not sufficient to ensure that subawards included all required information nor that subrecipient monitoring was completed in accordance with the requirements of the federal programs. Effect: Excluding required federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete Schedules of Expenditures of Federal Awards (SEFA) in their Single Audit reports, and federal funds may not be properly audited at the subrecipient level in accordance with the Uniform Guidance. Failure to conduct adequate subrecipient monitoring may result in a failure of the Department to detect that subawards were used for unauthorized purposes, were managed in violation of the terms and conditions of the subawards, or that subaward performance goals were not achieved. There is an increased risk that subrecipients could be inappropriately spending and/or inaccurately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by Department personnel on a timely basis. Questioned costs: WIOA Cluster: Undetermined Employment Service Cluster: None Recommendation: We recommend the Department review and enhance internal controls and procedures to ensure that required information is included in its subawards. We also recommend the Department review and enhance its internal controls and procedures to ensure subrecipient monitoring is performed in compliance with the requirements of the federal programs. Views of Responsible Officials: Management agrees with the finding.
Reference Number: 2023-012 Prior Year Finding: 2022-013 Federal Agency: U.S. Department of Labor State Agency: Executive Office of Labor and Workforce Development Federal Program: WIOA Cluster, Employment Service Cluster Assistance Listing Number: 17.258, 17.259, 17.278, 17.207, 17.801 Award Number and Year: AA-38535-22-55-A-25 (7/1/2022 – 6/30/2025), AA-36325-21-55-A-25 (4/1/2021 – 6/30/2024), AA-34774-20-55-A-25 (4/1/2020 – 6/30/2023) ES333991955A25 (7/1/2019 – 9/30/2022), ES353492055A25 (7/1/2020 – 9/30/2023), ES367612155A25 (7/1/2021 – 9/30/2024), ES387362255A25 (7/1/2022 – 9/30/2025) DV-35786-21-55-5-25 (10/1/2020 – 12/31/2022), DV-37859-22-55-5-25 (10/1/2021 – 12/31/2023), 23555DV000008 (10/1/2022 – 12/31/2024) Compliance Requirement: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance, Other Matters Criteria or Specific Requirement: Compliance: Per 2 CFR section 200.332 - Requirements for Pass-Through Entities states, in part, that all pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient's cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section § 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. Per 2 CFR section 200.331 - Subrecipient and contractor determinations states, in part, that a pass-through entity must make case-by-case determinations whether each agreement it makes for the disbursement of Federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Control: Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should comply with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The Executive Office of Labor and Workforce Development (Department) omitted required federal award information from subawards it issued from the programs and did not adequately monitor subrecipients. Context: WIOA Cluster: Six out of eighteen subrecipients were selected for testing. The following exceptions were noted: • For 6 of 6 subawards issued, the Federal Award Identification Number (FAIN) and Federal award date of award to the recipient by the Federal agency were not included on the subaward agreement. • For 1 of 6 subrecipients selected for testing, no subaward monitoring was performed during the audit period. • For 1 of 6 subrecipients selected for testing, subaward monitoring was not completed in accordance with the Department’s policy. • For 1 of 6 subrecipients selected for testing, a determination on whether the entity was a subrecipient was unable to be made based on the documentation provided. • One subrecipient was excluded from subrecipient testing based on auditor analysis that the entity did not meet the definition of a subrecipient. The Schedule of Expenditures of Federal Awards was not adjusted to reflect the classification change. Employment Service Cluster: Five out of sixteen subrecipients were selected for testing. The following exceptions were noted: • For 5 of 5 subawards issued, the Federal Award Identification Number (FAIN) and the Federal award date of award to the recipient by the Federal agency were not included on the subaward agreement. Cause: The Department’s procedures were not sufficient to ensure that subawards included all required information nor that subrecipient monitoring was completed in accordance with the requirements of the federal programs. Effect: Excluding required federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete Schedules of Expenditures of Federal Awards (SEFA) in their Single Audit reports, and federal funds may not be properly audited at the subrecipient level in accordance with the Uniform Guidance. Failure to conduct adequate subrecipient monitoring may result in a failure of the Department to detect that subawards were used for unauthorized purposes, were managed in violation of the terms and conditions of the subawards, or that subaward performance goals were not achieved. There is an increased risk that subrecipients could be inappropriately spending and/or inaccurately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by Department personnel on a timely basis. Questioned costs: WIOA Cluster: Undetermined Employment Service Cluster: None Recommendation: We recommend the Department review and enhance internal controls and procedures to ensure that required information is included in its subawards. We also recommend the Department review and enhance its internal controls and procedures to ensure subrecipient monitoring is performed in compliance with the requirements of the federal programs. Views of Responsible Officials: Management agrees with the finding.
Reference Number: 2023-012 Prior Year Finding: 2022-013 Federal Agency: U.S. Department of Labor State Agency: Executive Office of Labor and Workforce Development Federal Program: WIOA Cluster, Employment Service Cluster Assistance Listing Number: 17.258, 17.259, 17.278, 17.207, 17.801 Award Number and Year: AA-38535-22-55-A-25 (7/1/2022 – 6/30/2025), AA-36325-21-55-A-25 (4/1/2021 – 6/30/2024), AA-34774-20-55-A-25 (4/1/2020 – 6/30/2023) ES333991955A25 (7/1/2019 – 9/30/2022), ES353492055A25 (7/1/2020 – 9/30/2023), ES367612155A25 (7/1/2021 – 9/30/2024), ES387362255A25 (7/1/2022 – 9/30/2025) DV-35786-21-55-5-25 (10/1/2020 – 12/31/2022), DV-37859-22-55-5-25 (10/1/2021 – 12/31/2023), 23555DV000008 (10/1/2022 – 12/31/2024) Compliance Requirement: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance, Other Matters Criteria or Specific Requirement: Compliance: Per 2 CFR section 200.332 - Requirements for Pass-Through Entities states, in part, that all pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient's cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section § 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. Per 2 CFR section 200.331 - Subrecipient and contractor determinations states, in part, that a pass-through entity must make case-by-case determinations whether each agreement it makes for the disbursement of Federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Control: Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should comply with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The Executive Office of Labor and Workforce Development (Department) omitted required federal award information from subawards it issued from the programs and did not adequately monitor subrecipients. Context: WIOA Cluster: Six out of eighteen subrecipients were selected for testing. The following exceptions were noted: • For 6 of 6 subawards issued, the Federal Award Identification Number (FAIN) and Federal award date of award to the recipient by the Federal agency were not included on the subaward agreement. • For 1 of 6 subrecipients selected for testing, no subaward monitoring was performed during the audit period. • For 1 of 6 subrecipients selected for testing, subaward monitoring was not completed in accordance with the Department’s policy. • For 1 of 6 subrecipients selected for testing, a determination on whether the entity was a subrecipient was unable to be made based on the documentation provided. • One subrecipient was excluded from subrecipient testing based on auditor analysis that the entity did not meet the definition of a subrecipient. The Schedule of Expenditures of Federal Awards was not adjusted to reflect the classification change. Employment Service Cluster: Five out of sixteen subrecipients were selected for testing. The following exceptions were noted: • For 5 of 5 subawards issued, the Federal Award Identification Number (FAIN) and the Federal award date of award to the recipient by the Federal agency were not included on the subaward agreement. Cause: The Department’s procedures were not sufficient to ensure that subawards included all required information nor that subrecipient monitoring was completed in accordance with the requirements of the federal programs. Effect: Excluding required federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete Schedules of Expenditures of Federal Awards (SEFA) in their Single Audit reports, and federal funds may not be properly audited at the subrecipient level in accordance with the Uniform Guidance. Failure to conduct adequate subrecipient monitoring may result in a failure of the Department to detect that subawards were used for unauthorized purposes, were managed in violation of the terms and conditions of the subawards, or that subaward performance goals were not achieved. There is an increased risk that subrecipients could be inappropriately spending and/or inaccurately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by Department personnel on a timely basis. Questioned costs: WIOA Cluster: Undetermined Employment Service Cluster: None Recommendation: We recommend the Department review and enhance internal controls and procedures to ensure that required information is included in its subawards. We also recommend the Department review and enhance its internal controls and procedures to ensure subrecipient monitoring is performed in compliance with the requirements of the federal programs. Views of Responsible Officials: Management agrees with the finding.
Reference Number: 2023-012 Prior Year Finding: 2022-013 Federal Agency: U.S. Department of Labor State Agency: Executive Office of Labor and Workforce Development Federal Program: WIOA Cluster, Employment Service Cluster Assistance Listing Number: 17.258, 17.259, 17.278, 17.207, 17.801 Award Number and Year: AA-38535-22-55-A-25 (7/1/2022 – 6/30/2025), AA-36325-21-55-A-25 (4/1/2021 – 6/30/2024), AA-34774-20-55-A-25 (4/1/2020 – 6/30/2023) ES333991955A25 (7/1/2019 – 9/30/2022), ES353492055A25 (7/1/2020 – 9/30/2023), ES367612155A25 (7/1/2021 – 9/30/2024), ES387362255A25 (7/1/2022 – 9/30/2025) DV-35786-21-55-5-25 (10/1/2020 – 12/31/2022), DV-37859-22-55-5-25 (10/1/2021 – 12/31/2023), 23555DV000008 (10/1/2022 – 12/31/2024) Compliance Requirement: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance, Other Matters Criteria or Specific Requirement: Compliance: Per 2 CFR section 200.332 - Requirements for Pass-Through Entities states, in part, that all pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient's cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section § 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. Per 2 CFR section 200.331 - Subrecipient and contractor determinations states, in part, that a pass-through entity must make case-by-case determinations whether each agreement it makes for the disbursement of Federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Control: Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should comply with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The Executive Office of Labor and Workforce Development (Department) omitted required federal award information from subawards it issued from the programs and did not adequately monitor subrecipients. Context: WIOA Cluster: Six out of eighteen subrecipients were selected for testing. The following exceptions were noted: • For 6 of 6 subawards issued, the Federal Award Identification Number (FAIN) and Federal award date of award to the recipient by the Federal agency were not included on the subaward agreement. • For 1 of 6 subrecipients selected for testing, no subaward monitoring was performed during the audit period. • For 1 of 6 subrecipients selected for testing, subaward monitoring was not completed in accordance with the Department’s policy. • For 1 of 6 subrecipients selected for testing, a determination on whether the entity was a subrecipient was unable to be made based on the documentation provided. • One subrecipient was excluded from subrecipient testing based on auditor analysis that the entity did not meet the definition of a subrecipient. The Schedule of Expenditures of Federal Awards was not adjusted to reflect the classification change. Employment Service Cluster: Five out of sixteen subrecipients were selected for testing. The following exceptions were noted: • For 5 of 5 subawards issued, the Federal Award Identification Number (FAIN) and the Federal award date of award to the recipient by the Federal agency were not included on the subaward agreement. Cause: The Department’s procedures were not sufficient to ensure that subawards included all required information nor that subrecipient monitoring was completed in accordance with the requirements of the federal programs. Effect: Excluding required federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete Schedules of Expenditures of Federal Awards (SEFA) in their Single Audit reports, and federal funds may not be properly audited at the subrecipient level in accordance with the Uniform Guidance. Failure to conduct adequate subrecipient monitoring may result in a failure of the Department to detect that subawards were used for unauthorized purposes, were managed in violation of the terms and conditions of the subawards, or that subaward performance goals were not achieved. There is an increased risk that subrecipients could be inappropriately spending and/or inaccurately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by Department personnel on a timely basis. Questioned costs: WIOA Cluster: Undetermined Employment Service Cluster: None Recommendation: We recommend the Department review and enhance internal controls and procedures to ensure that required information is included in its subawards. We also recommend the Department review and enhance its internal controls and procedures to ensure subrecipient monitoring is performed in compliance with the requirements of the federal programs. Views of Responsible Officials: Management agrees with the finding.
Reference Number: 2023-012 Prior Year Finding: 2022-013 Federal Agency: U.S. Department of Labor State Agency: Executive Office of Labor and Workforce Development Federal Program: WIOA Cluster, Employment Service Cluster Assistance Listing Number: 17.258, 17.259, 17.278, 17.207, 17.801 Award Number and Year: AA-38535-22-55-A-25 (7/1/2022 – 6/30/2025), AA-36325-21-55-A-25 (4/1/2021 – 6/30/2024), AA-34774-20-55-A-25 (4/1/2020 – 6/30/2023) ES333991955A25 (7/1/2019 – 9/30/2022), ES353492055A25 (7/1/2020 – 9/30/2023), ES367612155A25 (7/1/2021 – 9/30/2024), ES387362255A25 (7/1/2022 – 9/30/2025) DV-35786-21-55-5-25 (10/1/2020 – 12/31/2022), DV-37859-22-55-5-25 (10/1/2021 – 12/31/2023), 23555DV000008 (10/1/2022 – 12/31/2024) Compliance Requirement: Subrecipient Monitoring Type of Finding: Significant Deficiency in Internal Control Over Compliance, Other Matters Criteria or Specific Requirement: Compliance: Per 2 CFR section 200.332 - Requirements for Pass-Through Entities states, in part, that all pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521. (4) The pass-through entity is responsible for resolving audit findings specifically related to the subaward and not responsible for resolving crosscutting findings. If a subrecipient has a current Single Audit report posted in the Federal Audit Clearinghouse and has not otherwise been excluded from receipt of Federal funding (e.g., has been debarred or suspended), the pass-through entity may rely on the subrecipient's cognizant audit agency or cognizant oversight agency to perform audit follow-up and make management decisions related to cross-cutting findings in accordance with section § 200.513(a)(3)(vii). Such reliance does not eliminate the responsibility of the pass-through entity to issue subawards that conform to agency and award-specific requirements, to manage risk through ongoing subaward monitoring, and to monitor the status of the findings that are specifically related to the subaward. Per 2 CFR section 200.331 - Subrecipient and contractor determinations states, in part, that a pass-through entity must make case-by-case determinations whether each agreement it makes for the disbursement of Federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Control: Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should comply with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The Executive Office of Labor and Workforce Development (Department) omitted required federal award information from subawards it issued from the programs and did not adequately monitor subrecipients. Context: WIOA Cluster: Six out of eighteen subrecipients were selected for testing. The following exceptions were noted: • For 6 of 6 subawards issued, the Federal Award Identification Number (FAIN) and Federal award date of award to the recipient by the Federal agency were not included on the subaward agreement. • For 1 of 6 subrecipients selected for testing, no subaward monitoring was performed during the audit period. • For 1 of 6 subrecipients selected for testing, subaward monitoring was not completed in accordance with the Department’s policy. • For 1 of 6 subrecipients selected for testing, a determination on whether the entity was a subrecipient was unable to be made based on the documentation provided. • One subrecipient was excluded from subrecipient testing based on auditor analysis that the entity did not meet the definition of a subrecipient. The Schedule of Expenditures of Federal Awards was not adjusted to reflect the classification change. Employment Service Cluster: Five out of sixteen subrecipients were selected for testing. The following exceptions were noted: • For 5 of 5 subawards issued, the Federal Award Identification Number (FAIN) and the Federal award date of award to the recipient by the Federal agency were not included on the subaward agreement. Cause: The Department’s procedures were not sufficient to ensure that subawards included all required information nor that subrecipient monitoring was completed in accordance with the requirements of the federal programs. Effect: Excluding required federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete Schedules of Expenditures of Federal Awards (SEFA) in their Single Audit reports, and federal funds may not be properly audited at the subrecipient level in accordance with the Uniform Guidance. Failure to conduct adequate subrecipient monitoring may result in a failure of the Department to detect that subawards were used for unauthorized purposes, were managed in violation of the terms and conditions of the subawards, or that subaward performance goals were not achieved. There is an increased risk that subrecipients could be inappropriately spending and/or inaccurately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by Department personnel on a timely basis. Questioned costs: WIOA Cluster: Undetermined Employment Service Cluster: None Recommendation: We recommend the Department review and enhance internal controls and procedures to ensure that required information is included in its subawards. We also recommend the Department review and enhance its internal controls and procedures to ensure subrecipient monitoring is performed in compliance with the requirements of the federal programs. Views of Responsible Officials: Management agrees with the finding.
Reference Number: 2023-022 Prior Year Finding: No Federal Agency: U.S. Department of Health and Human Services State Agency: Executive Office of Elders Affairs Federal Program: Aging Cluster Assistance Listing Number: 93.044, 93.045, 93.053 Award Number and Year: 2101MASSC6, 2101MACMC6, 2101MAHDC6 and 2021 (COVID-19) 2001MAHDC3, 2001MASSC3 and 2020 (COVID-19) 2201MAOANS-03 and 2022 2301MAOANS-03 and 2023 2201MAOASS and 2022 2301MAOASS and 2023 2201MAOACM and 2022 2301MAOACM and 2023 2201MAOAHD and 2022 2301MAOAHD and 2023 Compliance Requirement: Subrecipient Monitoring- Subaward Agreement Type of Finding: Significant Deficiency in Internal Control Over Compliance, Other Matters Criteria or Specific Requirement: Compliance: 2 CFR section 200.332-Requirements for Pass-Through Entities states, in part, that all pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 200.521 Management decision. Control: Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should comply with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The Executive Office of Elders Affairs’ (Department) subawards did not contain all required federal information. We noted that the Federal Award Identification Number (FAIN) and federal award dates were not provided to the subrecipients. Context: Seven of the seven subawards selected for testing did not contain the Federal Award Identification Number (FAIN) and Federal Award Date. Questioned costs: None noted. Cause: The Department utilizes a standard subaward that was not updated to include all federal subaward requirements. Effect: Excluding the required federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. Recommendation: The Department should review and enhance internal controls and procedures to ensure that all required information is included in all subaward agreements. Views of Responsible Officials: Management agrees with the finding.
Reference Number: 2023-022 Prior Year Finding: No Federal Agency: U.S. Department of Health and Human Services State Agency: Executive Office of Elders Affairs Federal Program: Aging Cluster Assistance Listing Number: 93.044, 93.045, 93.053 Award Number and Year: 2101MASSC6, 2101MACMC6, 2101MAHDC6 and 2021 (COVID-19) 2001MAHDC3, 2001MASSC3 and 2020 (COVID-19) 2201MAOANS-03 and 2022 2301MAOANS-03 and 2023 2201MAOASS and 2022 2301MAOASS and 2023 2201MAOACM and 2022 2301MAOACM and 2023 2201MAOAHD and 2022 2301MAOAHD and 2023 Compliance Requirement: Subrecipient Monitoring- Subaward Agreement Type of Finding: Significant Deficiency in Internal Control Over Compliance, Other Matters Criteria or Specific Requirement: Compliance: 2 CFR section 200.332-Requirements for Pass-Through Entities states, in part, that all pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 200.521 Management decision. Control: Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should comply with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The Executive Office of Elders Affairs’ (Department) subawards did not contain all required federal information. We noted that the Federal Award Identification Number (FAIN) and federal award dates were not provided to the subrecipients. Context: Seven of the seven subawards selected for testing did not contain the Federal Award Identification Number (FAIN) and Federal Award Date. Questioned costs: None noted. Cause: The Department utilizes a standard subaward that was not updated to include all federal subaward requirements. Effect: Excluding the required federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. Recommendation: The Department should review and enhance internal controls and procedures to ensure that all required information is included in all subaward agreements. Views of Responsible Officials: Management agrees with the finding.
Reference Number: 2023-022 Prior Year Finding: No Federal Agency: U.S. Department of Health and Human Services State Agency: Executive Office of Elders Affairs Federal Program: Aging Cluster Assistance Listing Number: 93.044, 93.045, 93.053 Award Number and Year: 2101MASSC6, 2101MACMC6, 2101MAHDC6 and 2021 (COVID-19) 2001MAHDC3, 2001MASSC3 and 2020 (COVID-19) 2201MAOANS-03 and 2022 2301MAOANS-03 and 2023 2201MAOASS and 2022 2301MAOASS and 2023 2201MAOACM and 2022 2301MAOACM and 2023 2201MAOAHD and 2022 2301MAOAHD and 2023 Compliance Requirement: Subrecipient Monitoring- Subaward Agreement Type of Finding: Significant Deficiency in Internal Control Over Compliance, Other Matters Criteria or Specific Requirement: Compliance: 2 CFR section 200.332-Requirements for Pass-Through Entities states, in part, that all pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 200.521 Management decision. Control: Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should comply with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The Executive Office of Elders Affairs’ (Department) subawards did not contain all required federal information. We noted that the Federal Award Identification Number (FAIN) and federal award dates were not provided to the subrecipients. Context: Seven of the seven subawards selected for testing did not contain the Federal Award Identification Number (FAIN) and Federal Award Date. Questioned costs: None noted. Cause: The Department utilizes a standard subaward that was not updated to include all federal subaward requirements. Effect: Excluding the required federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. Recommendation: The Department should review and enhance internal controls and procedures to ensure that all required information is included in all subaward agreements. Views of Responsible Officials: Management agrees with the finding.
Reference Number: 2023-022 Prior Year Finding: No Federal Agency: U.S. Department of Health and Human Services State Agency: Executive Office of Elders Affairs Federal Program: Aging Cluster Assistance Listing Number: 93.044, 93.045, 93.053 Award Number and Year: 2101MASSC6, 2101MACMC6, 2101MAHDC6 and 2021 (COVID-19) 2001MAHDC3, 2001MASSC3 and 2020 (COVID-19) 2201MAOANS-03 and 2022 2301MAOANS-03 and 2023 2201MAOASS and 2022 2301MAOASS and 2023 2201MAOACM and 2022 2301MAOACM and 2023 2201MAOAHD and 2022 2301MAOAHD and 2023 Compliance Requirement: Subrecipient Monitoring- Subaward Agreement Type of Finding: Significant Deficiency in Internal Control Over Compliance, Other Matters Criteria or Specific Requirement: Compliance: 2 CFR section 200.332-Requirements for Pass-Through Entities states, in part, that all pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 200.521 Management decision. Control: Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should comply with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The Executive Office of Elders Affairs’ (Department) subawards did not contain all required federal information. We noted that the Federal Award Identification Number (FAIN) and federal award dates were not provided to the subrecipients. Context: Seven of the seven subawards selected for testing did not contain the Federal Award Identification Number (FAIN) and Federal Award Date. Questioned costs: None noted. Cause: The Department utilizes a standard subaward that was not updated to include all federal subaward requirements. Effect: Excluding the required federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. Recommendation: The Department should review and enhance internal controls and procedures to ensure that all required information is included in all subaward agreements. Views of Responsible Officials: Management agrees with the finding.
Reference Number: 2023-022 Prior Year Finding: No Federal Agency: U.S. Department of Health and Human Services State Agency: Executive Office of Elders Affairs Federal Program: Aging Cluster Assistance Listing Number: 93.044, 93.045, 93.053 Award Number and Year: 2101MASSC6, 2101MACMC6, 2101MAHDC6 and 2021 (COVID-19) 2001MAHDC3, 2001MASSC3 and 2020 (COVID-19) 2201MAOANS-03 and 2022 2301MAOANS-03 and 2023 2201MAOASS and 2022 2301MAOASS and 2023 2201MAOACM and 2022 2301MAOACM and 2023 2201MAOAHD and 2022 2301MAOAHD and 2023 Compliance Requirement: Subrecipient Monitoring- Subaward Agreement Type of Finding: Significant Deficiency in Internal Control Over Compliance, Other Matters Criteria or Specific Requirement: Compliance: 2 CFR section 200.332-Requirements for Pass-Through Entities states, in part, that all pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 200.521 Management decision. Control: Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should comply with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The Executive Office of Elders Affairs’ (Department) subawards did not contain all required federal information. We noted that the Federal Award Identification Number (FAIN) and federal award dates were not provided to the subrecipients. Context: Seven of the seven subawards selected for testing did not contain the Federal Award Identification Number (FAIN) and Federal Award Date. Questioned costs: None noted. Cause: The Department utilizes a standard subaward that was not updated to include all federal subaward requirements. Effect: Excluding the required federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. Recommendation: The Department should review and enhance internal controls and procedures to ensure that all required information is included in all subaward agreements. Views of Responsible Officials: Management agrees with the finding.
Reference Number: 2023-024 Prior Year Finding: No Federal Agency: U.S. Department of Health and Human Services State Agency: Office for Refugees and Immigrants (ORI) Federal Program: Refugee and Entrant Assistance State Administered Programs Assistance Listing Number: 93.566 Award Number and Year: 2301MARCMA 00-02 and 10/1/2022-9/30/2023 2303MARCSSS 00-04 and 10/1/2022-9/30/2024 Compliance Requirement: Subrecipient Monitoring- Subaward Agreement Type of Finding: Significant Deficiency in Internal Control Over Compliance, Other Matters Criteria or Specific Requirement: Compliance: 2 CFR section 200.332-Requirements for Pass-Through Entities states, in part, that all pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 200.521 Management decision. Control: Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should comply with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The Office for Refugees and Immigrants (ORI) subawards did not contain all required federal information. We noted that the Federal Award Identification Number (FAIN) was not provided to the subrecipients. Context: Ten of the ten subawards selected for testing did not contain the Federal Award Identification Number (FAIN). Questioned costs: Undetermined. Cause: The Department utilizes a standard subaward that was not updated to include all federal subaward requirements. Effect: Excluding the required federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. Recommendation: The Department should review and enhance internal controls and procedures to ensure that all required information is included in all subaward agreements. Views of Responsible Officials: Management agrees with the finding.
Reference Number: 2023-025 Prior Year Finding: No Federal Agency: U.S. Department of Health and Human Services State Agency: Department of Public Health (DPH) Federal Program: Refugee and Entrant Assistance State Administered Programs (Refugee) Opioid-STR Block Grants for Prevention and Treatment of Substance Abuse, COVID-19 - Block Grants for Prevention and Treatment of Substance Abuse (SABG) Assistance Listing Number: 93.566, 93.788, 93.959 Award Number and Year: Refugee: ISAORIRHAP0826DPH22D and 10/1/2021-9/30/22 ISAORIRHAP0826DPH23B and 10/1/2021-9/30/22 ISAORIRHAP0826DPH23C and 10/1/2021-6/30/23 ISAORIRHAP0826DPH23D and 12/4/2023-6/30/23 Opioid: 1H79TI083328 (9/30/2020 – 9/29/2021) 5H79TI083328 (9/30/2021 – 9/29/2022) 6H79TI083328 (9/30/2021 – 9/29/2023) 1H79TI085778 (9/30/2021 – 9/29/2023) SABG: 1B08TI083946-01 and 9/1/2021-9/30/2025 08TI08350200-01 and 3/15/2021-3/14/2024 1B08TI084650-01 and 10/1/2021-9/30/2023 1B08TI085812-01 and 10/1/2021-9/30/2024 1B08TI083455-01 and 10/1/2020-9/30/2022 Compliance Requirement: Subrecipient Monitoring- Subaward Agreement Type of Finding: Significant Deficiency in Internal Control Over Compliance, Other Matters Criteria or specific requirement: Compliance: 2 CFR section 200.332-Requirements for Pass-Through Entities states, in part, that all pass-through entities must: (b) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 200.521 Management decision. Control: Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should comply with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The Department of Public Health (Department) subawards did not contain all required federal information. We noted that the Federal Award Identification Number (FAIN) and federal award date were not provided to the subrecipient. Context: Refugee: Five of the five subawards selected for testing did not contain the Federal Award Identification Number (FAIN) and Federal Award Date. Opioid: Twelve of the twelve subawards selected for testing were missing the Federal Award Identification Number (FAIN) and the Federal Award Date. SABG: Eleven of the eleven subawards selected for testing did not contain the Federal Award Identification Number (FAIN) and Federal Award Date. Questioned costs: None Cause: The Department utilizes a standard subaward that was not updated to include all federal subaward requirements. Effect: Excluding the required federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. Recommendation: The Department should review and enhance internal controls and procedures to ensure that all required information is included in all subaward agreements. Views of responsible officials: Management agrees with the finding.
Reference Number: 2023-025 Prior Year Finding: No Federal Agency: U.S. Department of Health and Human Services State Agency: Department of Public Health (DPH) Federal Program: Refugee and Entrant Assistance State Administered Programs (Refugee) Opioid-STR Block Grants for Prevention and Treatment of Substance Abuse, COVID-19 - Block Grants for Prevention and Treatment of Substance Abuse (SABG) Assistance Listing Number: 93.566, 93.788, 93.959 Award Number and Year: Refugee: ISAORIRHAP0826DPH22D and 10/1/2021-9/30/22 ISAORIRHAP0826DPH23B and 10/1/2021-9/30/22 ISAORIRHAP0826DPH23C and 10/1/2021-6/30/23 ISAORIRHAP0826DPH23D and 12/4/2023-6/30/23 Opioid: 1H79TI083328 (9/30/2020 – 9/29/2021) 5H79TI083328 (9/30/2021 – 9/29/2022) 6H79TI083328 (9/30/2021 – 9/29/2023) 1H79TI085778 (9/30/2021 – 9/29/2023) SABG: 1B08TI083946-01 and 9/1/2021-9/30/2025 08TI08350200-01 and 3/15/2021-3/14/2024 1B08TI084650-01 and 10/1/2021-9/30/2023 1B08TI085812-01 and 10/1/2021-9/30/2024 1B08TI083455-01 and 10/1/2020-9/30/2022 Compliance Requirement: Subrecipient Monitoring- Subaward Agreement Type of Finding: Significant Deficiency in Internal Control Over Compliance, Other Matters Criteria or specific requirement: Compliance: 2 CFR section 200.332-Requirements for Pass-Through Entities states, in part, that all pass-through entities must: (b) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 200.521 Management decision. Control: Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should comply with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The Department of Public Health (Department) subawards did not contain all required federal information. We noted that the Federal Award Identification Number (FAIN) and federal award date were not provided to the subrecipient. Context: Refugee: Five of the five subawards selected for testing did not contain the Federal Award Identification Number (FAIN) and Federal Award Date. Opioid: Twelve of the twelve subawards selected for testing were missing the Federal Award Identification Number (FAIN) and the Federal Award Date. SABG: Eleven of the eleven subawards selected for testing did not contain the Federal Award Identification Number (FAIN) and Federal Award Date. Questioned costs: None Cause: The Department utilizes a standard subaward that was not updated to include all federal subaward requirements. Effect: Excluding the required federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. Recommendation: The Department should review and enhance internal controls and procedures to ensure that all required information is included in all subaward agreements. Views of responsible officials: Management agrees with the finding.
Reference Number: 2023-025 Prior Year Finding: No Federal Agency: U.S. Department of Health and Human Services State Agency: Department of Public Health (DPH) Federal Program: Refugee and Entrant Assistance State Administered Programs (Refugee) Opioid-STR Block Grants for Prevention and Treatment of Substance Abuse, COVID-19 - Block Grants for Prevention and Treatment of Substance Abuse (SABG) Assistance Listing Number: 93.566, 93.788, 93.959 Award Number and Year: Refugee: ISAORIRHAP0826DPH22D and 10/1/2021-9/30/22 ISAORIRHAP0826DPH23B and 10/1/2021-9/30/22 ISAORIRHAP0826DPH23C and 10/1/2021-6/30/23 ISAORIRHAP0826DPH23D and 12/4/2023-6/30/23 Opioid: 1H79TI083328 (9/30/2020 – 9/29/2021) 5H79TI083328 (9/30/2021 – 9/29/2022) 6H79TI083328 (9/30/2021 – 9/29/2023) 1H79TI085778 (9/30/2021 – 9/29/2023) SABG: 1B08TI083946-01 and 9/1/2021-9/30/2025 08TI08350200-01 and 3/15/2021-3/14/2024 1B08TI084650-01 and 10/1/2021-9/30/2023 1B08TI085812-01 and 10/1/2021-9/30/2024 1B08TI083455-01 and 10/1/2020-9/30/2022 Compliance Requirement: Subrecipient Monitoring- Subaward Agreement Type of Finding: Significant Deficiency in Internal Control Over Compliance, Other Matters Criteria or specific requirement: Compliance: 2 CFR section 200.332-Requirements for Pass-Through Entities states, in part, that all pass-through entities must: (b) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 200.521 Management decision. Control: Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should comply with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: The Department of Public Health (Department) subawards did not contain all required federal information. We noted that the Federal Award Identification Number (FAIN) and federal award date were not provided to the subrecipient. Context: Refugee: Five of the five subawards selected for testing did not contain the Federal Award Identification Number (FAIN) and Federal Award Date. Opioid: Twelve of the twelve subawards selected for testing were missing the Federal Award Identification Number (FAIN) and the Federal Award Date. SABG: Eleven of the eleven subawards selected for testing did not contain the Federal Award Identification Number (FAIN) and Federal Award Date. Questioned costs: None Cause: The Department utilizes a standard subaward that was not updated to include all federal subaward requirements. Effect: Excluding the required federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. Recommendation: The Department should review and enhance internal controls and procedures to ensure that all required information is included in all subaward agreements. Views of responsible officials: Management agrees with the finding.