Finding Text
Information on the federal program:Federal Grantor: Department of Homeland SecurityAssistance Listing No.: 97.036, COVID-19 Disaster Grants ? Public Assistance (Presidentially Declared Disasters) (FEMA)Pass-Through Entity: Indiana State Department of HealthPass-Through Award Numbers: PA-06-IN-4515-PW-00292(432), PA-05-IN-4515-PW-00396(473), PA-05-IN-4515-PW-00463(556)Award Period of Performance: 01/20/2020?03/02/2022Criteria or Specific Requirement (Including Statutory, Regulatory, or Other Citation):Section 200.303 of the Uniform Guidance states the following regarding internal control: ?The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in ?Standards for Internal Control in the Federal Government? issued by the Comptroller General of the United States or the ?Internal Control Integrated Framework?, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).?Per the FEMA Project Worksheet Report #334659-292, under the Subgrant Conditions section, bullet point 1, ?As described in Title 2 Code of Federal Regulations (C.F.R.) ? 200.333, financial records, supporting documents, statistical records and all other non-Federal entity records pertinent to a Federal award must be retained for a period of three (3) years from the date of submission of the final expenditure report or, for Federal awards that are renewed quarterly or annually, from the date of the submission of the quarterly or annual financial report, respectively, as reported to the Federal awarding agency or pass-through entity in the case of a subrecipient.?Condition:The Corporation did not retain supporting documentation over its review and approval of FEMA federal expenditures. The inventory system that tracked personal protective equipment (PPE) and drugs was unable to be relied upon due to limitation of testing underlying application controls.The Corporation recorded FEMA expenditures based on the number of units of the PPE used during the period of performance outlined in the project worksheet. The information used to develop the federal expenditures in the schedule of expenditures of federal awards was developed from the Corporation?s inventory management system. Management did not retain supporting documentation over the information technology general controls; therefore, the information from the inventory management system cannot be relied on.Cause:Management designed a process to accumulate and review expenditures related to the FEMA; however, they did not retain supporting documentation to evidence that the internal review was sufficiently designed and operating effectively throughout the process.Management did not retain supporting documentation over the information technology general controls; therefore, the information from the inventory management system cannot be relied on.Questioned costs:None.Context:All expenditures related to FEMA were approved by the procurement department and coded to COVID-19 cost centers. The Corporation developed protocols of what expenses should be charged to the COVID-19 cost centers and communicated these protocols throughout the Corporation to ensure costs were being appropriately recorded. Management then developed a process to review the costs in the COVID-19 cost centers to determine which ones were applicable to FEMA. However, management did not maintain evidence supporting the review and approval of expenses under FEMA.The Corporation?s FEMA project worksheet included six categories of PPE which included the total invoice amount and units purchased. The Corporation then analyzed the units of PPE used for each of the six categories of PPE to support that the PPE outlined in the project worksheet was used and, therefore, properly expensed to FEMA. We selected a sample of 25 invoices across the six categories of PPE to support the invoice amount and units purchased. We then agreed the number of units used to the Corporation?s inventory management system reports for the six PPE categories. However, we could not rely on the inventory reports as were unable to test the information technology general controls over the Corporation?s inventory system in which the supplies and drugs were being accounted for.Total FEMA federal expenditures for Assistance Listing 97.036 totaled $21,034,701 for the year ended December 31, 2022.Effect or potential effect:The amounts submitted for reimbursement and the reports submitted could be inaccurate or incomplete.The units of PPE used per the inventory management reports may be inaccurate or incomplete.Identification as a repeat finding, if applicable:No.Recommendation:The Corporation should design and implement internal controls that are sufficiently precise and require supporting documentation be retained over the review and approval of the expenses.The Corporation should retain evidence of internal controls related to access and change management over the report. Management should implement a quality review process over the inventory reports.Views of Responsible Officials:The Corporation agrees with the finding and has developed a plan to correct the finding. In September 2022, the Corporation had implemented the following changes, which we believe address future internal control considerations should the program be reinstated. The below controls additionally address the need to properly maintain evidence of controls.The below procedures were added to the grant checklist which is required on all grants applied for by the Corporation?s entities. Responsible parties are required to document all procedures and sign off on these procedures. The requirements formalize reporting and data management procedures, which include proper management approval and retention of these records. The grant checklist is additionally approved by the grant applicant and Vice President or Executive Director overseeing the grant.Grant Checklist Items Initials and Date Completed CommentsDetermine required data requests in order to support this grant:? All data requests should list required data fields and constraints and must be reviewed and approved by management.? Detail sample review of the results must be performed to validate the accuracy and completeness of data and that report results meet the grant requirements.? Report access should be restricted to approved users or report results must be validated to approved constraints.Documentation of these procedures must be retained with management sign off and readily available upon request.Grants in excess of $187,500 require review by a Finance or Internal Audit representative to verify that appropriate procedures are in place for documentation of controls on reporting and data management.