Finding Text
Criteria: 2 CFR 200.514 of the Uniform Guidance requires entities to have internal controls in place to monitor that expenditures are only for allowable activities and that services charged to the federal award are allowable per the applicable cost principles. In addition, a fundamental concept in a good system of internal controls is the segregation of duties: segregating access, custody, and authorization of transactions. These controls aid in mitigating risk in monitoring.

Condition and context: Through inquiry and internal control testing, it was noted that employees outside of the HR department have access to employee information within the system. This includes potential access to pay rates and other protected information inside the system. Payroll costs represent the majority of federal award expenditures for the medical center.

Questioned costs: None.

Cause/Effect: No questioned costs or errors were identified during testing of the award expenditures; however, the lack of separation of duties related to access to employee information and pay rates within the system increases the risk of unallowable costs being charged to the federal program.

Repeat finding: Yes; refer to finding 2021-003.

Recommendation: With the implementation of a new system, we recommend that user access for management and staff be limited to their assigned duties. Until such systems are finalized and placed in service, periodic reviews of employee information and transactions should be performed. Any and all unauthorized changes should be documented, and evidence should be retained in a secure location.

View of responsible officials and corrective action plan: Management should fully integrate the new system (Microsoft Dynamics-GP) by the end of this fiscal year. The new system will have the capability to limit user access according to assigned duties.