Finding 1172494 (2025-002)

Finding: Item 2025-002 – USDA Commodities Distributed Significant Deficiency Federal Program – Food Distribution Cluster AL Number – 10.569 Federal Award Numbers – 72208 Federal Award Year – June 30, 2023 Federal Agency – U.S. Department of Agriculture Pass-Through Entity – Oklahoma Department of Human Services Criteria: Accurate and complete records must be maintained with respect to the receipt, distribution/use, and inventory of USDA Foods, including end products processed from USDA Foods in TEFAP. Failure to maintain records required by 7 CFR section 250.19 is considered prima facie evidence of improper distribution or loss of USDA Foods, and the agency processor or entity is liable for the value of the food or replacement of the food in kind (7 CFR sections 250.16 and 250.19(a)). Condition/context: The Organization was unable to provide documentation supporting the precise value and quantity of USDA commodities distributed during June 2025. As a result, the initial financial statements and Schedule of Expenditures of Federal Awards (SEFA) included estimated June 2025 amounts derived from an allocation of combined June and July 2025 distribution data. Subsequent to the initial reporting, management obtained third party documentation supporting June 2025 USDA commodity activity and recorded adjusting journal entries to accurately reflect the June distribution amounts and the related impact to the SEFA. Based on the corrected information, no questioned costs are associated with this condition. Cause: A ransomware attack in June 2025 destroyed supporting documentation needed to determine the actual value of USDA commodities distributed for the specified month. Effect: The Organization included estimated, instead of actual, June 2025 amounts derived from an allocation of combined June and July 2025 distribution data. Questioned cost: Not applicable. Repeat finding: Not applicable. Recommendation: The Organization should implement IT security measures, including offsite backups and disaster recovery testing, to ensure critical compliance documentation is preserved and accessible in the event of a system failure or cyberattack. View of responsible officials: Management's response is reported in "Corrective Action Plan" at the end of this report.