CORRECTIVE ACTION PLAN
July 17, 2025
Health Resources and Services Administration
Jewish Child Care Association of New York (d/b/a JCCA) and Affiliated Organization respectfully submits the following corrective action plan for the year ended June 30, 2024.
____________________________________________________________________________________
CohnReznick LLP
1301 Avenue of the Americas
New York, NY 10019
Audit Period: June 30, 2024
The findings from the June 30, 2024 schedule of findings and questioned costs are discussed below. The findings are numbered consistently with the number assigned in the schedule.
FINDINGS – FINANCIAL STATEMENT FINDINGS
Finding 2024-001 – Account Analyses
MATERIAL WEAKNESS
Recommendation
We recommend that the Agency implement policies, procedures and controls to ensure that all accounting records are analyzed and reconciled on a monthly basis. In addition, the Agency should follow the policies and procedures for the proper and timely review of all journal entries. The personnel reviewing the journal entries should agree the journal entries to the source documents or underlying support and should document his or her review of the journal entry.
Action Taken
Management of the Agency is in agreement with this finding. The Agency experienced turnover in key positions of the finance department and therefore they have outsourced their finance function to BTQ Financial from the end of November. BTQ is focusing on the implementation of reconciling the accounts on a more routine and timelier basis which is consistent with financial policies and procedures of the Agency. Revised Policy and Procedures that incorporate this finding will be in place by 8/1/2025.
Finding 2024-002 – Information Technology – General Control Activities
SIGNIFICANT DEFICIENCY
Recommendation
We recommend the Agency follow their policy for password age. We also recommend that the Agency enable multi-factor authentication. Lastly, we recommend the Agency perform a risk assessment over the information technology environment. We recommend a written risk assessment and penetration test to be performed annually and vulnerability scans to be performed quarterly.
Action Taken
Password policy had been updated with stricter complexity and retention requirements, aligning to or exceeding best practices. Multi-Factor Authentication (MFA) had been implemented on all VPN and remote access to JCCA resources. HIPAA Risk Assessment will be completed by July 31, 2025. A SOCaaS (Security Operation Center as a Service) with continuous internal and external vulnerability scanning and assessment will be implemented by July 25, 2025. A contract to purchase network security and email security solutions was signed and will be implemented in October 2025. Penetration testing is planned for Q1 2026 after all the mentioned security enhancements are in place.
FINDINGS – FEDERAL AWARDS PROGRAM AUDIT
U.S. Department of Health and Human Services, Unaccompanied Alien Children Program (Assistance Listing Number 93.676), FAIN # 90ZU0385, 90ZU0603, 90ZU0567, and 90ZU0536, for FY 2024 - Significant Deficiency
Finding 2024-003 – Procurement, Suspension and Debarment
Recommendation
We recommend that the Agency train its personnel in relation to the exclusion screening and proper documentation thereof and that the Agency conduct regular reviews to ensure the completeness of exclusion search documentation.
Action Taken
As per the Purchasing policy, new vendors are sanctioned by the Purchasing department prior to the creation of a purchase order. Compliance conducts a monthly sanction review of all vendors. Sanction checks have now been completed for the vendors previously missed, and we have strengthened internal controls to ensure all newly added vendors are screened moving forward.
In addition, employees whose salaries are charged to federal grants are also subject to suspension and debarment checks. JCCA ensures that these checks are actively conducted in compliance with federal regulations.
U.S. Department of Health and Human Services, Unaccompanied Alien Children Program (Assistance Listing Number 93.676), FAIN # 90ZU0385, 90ZU0603, 90ZU0567, and 90ZU0536, for FY 2024 - Significant Deficiency
Finding 2024-004 – Activities Allowed or Unallowed, Allowable Costs/Cost Principles
Recommendation
We recommend that the Agency strengthen their internal control policies and procedures to ensure that the allocations per the time and effort attestation forms agree with the amount charged to the grant per the general ledger.
Action Taken
We acknowledge the recommendation and recognize the importance of aligning time and effort attestations with the amounts charged to grants in the general ledger. We ensure that any changes to employee allocations are reflected timely in our payroll and accounting systems to maintain consistency between documentation and financial records. Additionally, we are reviewing our internal controls and procedures to identify any process gaps and reinforce communication between HR, Payroll, and Finance teams. Going forward, we will enhance oversight to ensure that updates related to employee funding sources are promptly recorded, which will help maintain accurate grant reporting and compliance with applicable regulations.
The anticipated completion date of this action is August 1, 2025.
If the Health Resources and Services Administration has questions regarding this plan, please call Kenneth Shieh, Chief Administrative Officer at (718) 747-4367.
Sincerely yours,
Signature:
Name: Kenneth Shieh
Title: Chief Administrative Officer