CORRECTIVE ACTION PLAN Oversight Agency for Audit: U.S. Department of Education The City of Quincy, Massachusetts respectfully submits the following corrective action plan for the year ended June 30, 2024. Name and address of independent public accounting firm: CBIZ CPAs P.C. 53 State Street, 17ᵗʰ Floor Boston, MA 02109 Audit period: July 1, 2023 through June 30, 2024 The finding from the June 30, 2024, schedule of findings and questioned costs is discussed below. The finding is numbered consistently with the number assigned in the schedule. Financial Statement Finding Finding 2024-001: Certain Department Expenditures Exceeding Appropriated Amounts – General Fund – Significant Deficiency Condition: During 2024, it was noted that expenditures in the public safety and education functions exceeded the amounts appropriated by the City Council for the fiscal year. Criteria: Massachusetts general law prohibits the City from incurring liabilities in excess of appropriations in each department with certain specific exceptions, such as snow and ice removal costs, state and county charges, and debt service. Prudent budgetary control and monitoring are essential to ensure compliance with such requirements. Cause: The overspending of these appropriations occurred due to an inadequate internal control system to ensure timely budget amendments. Effect: Overspending appropriations in the General Fund constitutes noncompliance with state law and exposes the City to potential fiscal consequences, as the state may require the City to raise such deficits in the subsequent fiscal year. It may also indicate a weakness in the City's internal controls over budgetary compliance. Recommendation: We recommend that City management strengthen internal controls over budgetary compliance. Management should strengthen its’ procedures throughout the year to monitor budget-to-actual expenditures and ensure timely action, such as requesting formal budget amendments when actual expenditures approach or exceed authorized appropriations. Views of Responsible Officials: The Municipal Finance Office will be implementing procedures to ensure that the Municipal Finance Office and relevant department heads document reviews of budget to actual reports monthly throughout the year, with increased review intervals during June. The purpose of this increased monitoring is to ensure that potential budgetary appropriation deficits are identified in a timelier manner that will allow for any necessary budgetary amendments to be approved by the City Council. Finding 2024-002: Information Technology Controls in Financial Statements – Significant Deficiency Condition: During 2024, we noted the following deficiencies relating to information technology controls in the financial statement reporting process: • User Access Mirroring: When new users are provisioned in the accounting system, access rights are often “mirrored” from existing users without sufficient review of job responsibilities. This practice results in users receiving access to system functions beyond what is necessary for their roles and may compromise segregation of duties. • Privileged Access: A review of privileged user listings indicated access accounts with no exclusionary parameters. • Inadequate Controls Over System Upgrades: When implementing accounting system upgrades, controls over change management including testing, documentation, and approval, were not adequately designed or consistently applied. Instances were noted where upgrades were implemented without thorough pre-deployment testing and formal approval from finance or IT management. Criteria: Best practices and standards for internal control require: • Role-based access provisioning aligned with users’ responsibilities and effective segregation of duties. • The use of exclusionary parameters enhances the ability to monitor system access for unauthorized access. • Robust change management controls over system upgrades, including testing, documentation, and management approval, to ensure system integrity and minimize the risk of errors or unauthorized changes impacting financial reporting. Cause: These deficiencies appear to result from a lack of formalized policies and procedures for user access provisioning and for managing and documenting accounting system upgrades. Effect: The deficiencies increase the risk of: • Unauthorized access or inappropriate transactions due to excessive or incompatible user rights, undermining segregation of duties and accountability. • Errors, omissions, or unauthorized changes introduced during system upgrades, potentially affecting the integrity and accuracy of financial data and financial statement preparation. Recommendation: We recommend that City management: • Implement procedures to provision user access based on individual roles and responsibilities, with documented review and approval to ensure segregation of duties is maintained. This should be evidenced by written approval that is approved by Municipal Finance and Information Technology office. • Enhance the current process of implementing accounting system upgrades, including requirements for comprehensive pre-deployment testing, clear documentation, and explicit written approval from the Municipal Finance Office and the Information Technology office, prior to going “live” with the upgrade. • Periodically review system access and upgrade processes to ensure ongoing compliance with internal control standards. Views of Responsible Officials: The City will keep these recommendations in mind as it works to upgrade its already existing best practice IT control environment. Finding and Questioned Costs – Major Federal Program Audit Criteria or Specific Requirement: Uniform Guidance section 2 CFR § 200.430(g) requires non- Federal entities to maintain records that accurately reflect the work performed by employees whose salaries are charged, in whole or in part, to Federal awards. For employees working on a single Federal program, semi-annual certifications are required to document time and effort. Condition and Context: During testing of 40 payroll transactions for employees charged to the Special Education program, the City was unable to provide semi-annual certifications supporting that salaries and wages were properly allocated to the grant. Cause: The City did not have adequate procedures in place to ensure that required time and effort certifications were retained and readily available for payroll charged to Federal awards. Effect or Potential Effect: Failure to maintain required time and effort documentation resulted in the questioned costs documented below. Questioned costs are reported as follows: AL Number: 84.027 Name of Federal Program or Cluster: Special Education Cluster Questioned Costs: $2,572,675 Recommendation: We recommend the City establish and implement procedures to ensure that semiannual certifications are completed, maintained, and reviewed for all personnel whose salaries are charged to Federal awards. Views of Responsible Officials: This is a questioned cost due to the School Department not having completed certain administrative paperwork, required by grant regulations. We have implemented procedures during FY2025 to address this matter. The required paperwork will be retained on file going forward.