Finding 1075294 (2023-001)

Material Weakness, Repeat Finding
Requirement: AELN
Questioned Costs: -
Year: 2023
Accepted: 2024-09-27
Audit: 321602
Organization: BJC HealthCare (MO)

AI Summary

  • Core Issue: BJC HealthCare did not fully implement necessary Logical Access and Change Management controls for the Banner application, impacting the reliability of IT general controls.
  • Impacted Requirements: This finding relates to Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200 (Uniform Guidance), which mandates effective internal controls for managing federal awards.
  • Recommended Follow-Up: Management should improve user access reviews, provisioning, termination processes, and ensure documentation is retained to support control operations.

Finding Text

Finding 2023-001 – Information Technology General Controls

Identification of the federal program:
Federal Program: Student Financial Assistance Cluster: Federal Pell Grant Program (Assistance Listing No. 84.063) and Federal Direct Student Loans (Assistance Listing No. 84.268)
Federal Agency: United States Department of Education
BJC HealthCare Location: Goldfarb School of Nursing (GSON)
Award Periods: January 1, 2023 through June 30, 2023 (included in award year July 1, 2022 through June 30, 2023), and July 1, 2023 through December 31, 2023 (included in award year July 1, 2023 through June 30, 2024)

Criteria or specific requirement (including statutory, regulatory or other citation): Section 200.303 of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance) states the following regarding the auditee and internal control: “The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”

Condition: BJC HealthCare (BJC) did not fully implement all Logical Access and Change Management controls to support effective information technology general controls (ITGCs) for the Banner application. The controls that were not fully implemented during the current period relate to user provisioning, user termination, user access reviews and change management processes. As a result, Banner ITGCs and, therefore, Banner application controls, cannot be relied upon in the period of audit.

Cause: Management did not appropriately implement Logical Access and Change Management controls for the period under audit.

Effect or potential effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the Banner student financial aid system may be inappropriately created or modified. Effective testing of the required logical access controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period.

Questioned costs: None.

Context: Procedures over the Banner application were performed during FY23 to determine if controls were in place and operating as designed. We noted the following:

  • User provisioning documentation was not consistently retained for three of four samples. Documentation for the fourth sample did not include enough information to support that the access requested is what was provisioned.
  • Access terminations were not consistently removed from the application timely, though active directory access was removed.
  • Through review of the semi-annual access review in September, the removals (or modifications) of six of six users were not completed following the conclusion of the user access review.
    a. The review is sent to each user and there is no overall, independent review of all users’ access by an overseer / manager.
    b. There was no review evidence for three of 44 accounts with access to Banner.
  • Documentation evidencing testing or approval for three of six patches applied to production was not retained or available.

Total expenditures for the Student Financial Assistance Cluster were $6,709,387 for the year ended December 31, 2023.

Identification as a repeat finding, if applicable: This is a partial repeat of finding 2022-002 from the prior year.

Recommendation: Management should enhance the user access review, user provisioning, user termination and change management controls, and retain documentation of the operation of controls.

Views of responsible officials: BJC agrees with the findings as reported. GSON is committed to complying with program requirements and meeting program objectives as defined in Section 200.303(a) of the Uniform Guidance, regarding auditee internal controls. To facilitate these requirements, GSON has instituted the following controls:

  • Establishment of a formal provisioning and deprovisioning process for Banner system access.
  • Refinements to formal access review process to include an independent review of system access, as well as an overseer or manager approval.
  • Establishment of a formal testing process for Banner system patches or updates to include review from key functional areas within GSON.

Categories

  • Matching / Level of Effort / Earmarking
  • Student Financial Aid
  • Allowable Costs / Cost Principles

Other Findings in this Audit

  • 498851 2023-001
    Material Weakness Repeat
  • 498852 2023-001
    Material Weakness Repeat
  • 498853 2023-003
    Material Weakness
  • 498854 2023-003
    Material Weakness
  • 498855 2023-002
    Material Weakness Repeat
  • 498856 2023-002
    Material Weakness Repeat
  • 1075293 2023-001
    Material Weakness Repeat
  • 1075295 2023-003
    Material Weakness
  • 1075296 2023-003
    Material Weakness
  • 1075297 2023-002
    Material Weakness Repeat
  • 1075298 2023-002
    Material Weakness Repeat

Programs in Audit

ALN Program Name Expenditures
93.498 COVID-19 Provider Relief Fund and American Rescue Plan (ARP) Rural Distribution $15.87M
84.268 Federal Direct Student Loans $5.82M
97.036 COVID-19 Disaster Grants - Public Assistance (Presidentially Declared Disasters) $3.36M
93.399 Cancer Control $1.03M
84.063 Federal Pell Grant Program $766,487
93.493 Congressional Directives $575,440
93.788 Opioid Str $473,845
93.889 National Bioterrorism Hospital Preparedness Program $457,610
21.027 COVID-19 Coronavirus State and Local Fiscal Recovery Funds $252,140
84.007 Federal Supplemental Educational Opportunity Grants $116,890
93.898 Cancer Prevention and Control Programs for State, Territorial and Tribal Organizations $97,837
93.153 Coordinated Services and Access to Research for Women, Infants, Children, and Youth $90,382
93.395 Cancer Treatment Research $67,893
84.425 COVID-19 Education Stabilization Fund $58,704
93.124 Nurse Anesthetist Traineeship $57,038
16.582 Crime Victim Assistance/Discretionary Grants $28,887
93.173 Research Related to Deafness and Communication Disorders $12,155
93.671 COVID-19 Family Violence Prevention and Services/Domestic Violence Shelter and Supportive Services $12,152
93.558 Temporary Assistance for Needy Families $12,128
93.732 COVID-19 Mental and Behavioral Health Education and Training Grants $10,237
93.393 Cancer Cause and Prevention Research $8,941
93.397 Cancer Centers Support Grants $3,800
93.671 Family Violence Prevention and Services/Domestic Violence Shelter and Supportive Services $2,034
84.033 Federal Work-Study Program $1,943