Finding Text
2024-012

Federal Agencies: U.S. Department of Agriculture

Federal Program Names:
The Child Nutrition Cluster:
National School Lunch Program
Summer Food Service Program
Child and Adult Care Food Program

Assistance Listing Numbers: 10.555, 10.559, 10.558

Pass-Through Agency: Commonwealth of Pennsylvania, Department of Education

Pass-Through Number: 359-46-477-8

Award Period: July 1, 2023 through June 30, 2024

Type of Finding:
• Material Weakness in Internal Control over Compliance

Criteria: The United States Government Accountability Office's Standards for Internal Control in the Federal Government, commonly known as the "Green Book," sets standards for an effective internal control system and concepts of the Green Book can be applied to non-profit entities.

Green Book Principle 11 - Design Activities for the Information System, section 11.01 states, in part:

Management should design the entity's information system and related control activities to achieve objectives and respond to risks.

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:
• Design of the Entity's Information System
• Design of Appropriate Types of Control Activities
• Design of Information Technology Infrastructure
• Design of Security Management
• Design of Information Technology Acquisition, Development, and Maintenance

Condition: Based on the Commonwealth of Pennsylvania, Office of the Budget, Bureau of Audits (Commonwealth) review of CBS Food Program's financial accounting system, it was noted that the Food Program utilizes QuickBooks software for their accounting system. Based on inquiry with CBS Food Program management, we determined internal controls connected with their QuickBooks accounting software were insufficient in the following areas:
• User Access Management: Formal written policies or procedures have not been developed and implemented related to access authorization, access monitoring, and removal of system access. Additionally, certain functions are not properly segregated as users have access to perform both input and authorization of transactions.
• Input Management: Formal written policies or procedures to ensure information input into QuickBooks is appropriate and accurate have not been developed and implemented.
• Change Control Management: A formal written change management policy for QuickBooks Accounting System has not been developed and implemented including requirements that system security updates are implemented timely.
• Backup and Recovery: A formal written policy for regular backup and recovery testing has not been developed and implemented.

Questioned Costs: None

Cause: The CBS Food Program's lack of policies and procedures over QuickBooks may be due to inadequate resources, insufficient information technology governance, and/or a lack of awareness of information technology control requirements. Additionally, the CBS Food Program management may not place adequate focus on enforcing information technology control measures as part of the overall control environment.

Effect: The lack of established and documented controls over QuickBooks increases the risk of unauthorized access, system disruption, and data loss. Additionally, without a written disaster recovery plan the Food Program is exposed to increased risks of prolonged downtime in the event of a disaster or system failure. These weaknesses may compromise the confidentiality, integrity, and availability of critical data.

Recommendation: We recommend that CBS Food Program develop and implement comprehensive written internal control policies and procedures connected with their QuickBooks Accounting System. This should include:
• Development and utilization of an Accounting Manual which includes an outline of CBS Food Program's accounting rules, procedures, and guidelines.
• Access control policies and procedures to ensure that user access to QuickBooks is appropriate, regularly reviewed and promptly revoked upon termination or when otherwise merited.
• A formal written change management policy for QuickBooks should be developed and implemented including requirements that systems security updates are implemented timely.
• A disaster recovery plan and procedures to perform periodic testing to ensure that plans are functional and mitigate the risk of extended downtime. This process should also include regular review of backup records to ensure they are appropriately created and maintained.

Views of Responsible Officers and Corrective Action Plan: Please refer to Community Benefit Solutions dba CBS Food Program’s Corrective Action Plan.