Institutional Federal Compliance Report 2021

2019-003

Finding: Insufficient level of monitoring of the service organization associated with the Electronic Benefit Transfer (EBT) process

Severity of Control Deficiency: Significant Deficiency (Unremediated as of March 31, 2019)

Background

In accordance with the State’s Treasury State Agreement, the funding technique for the Supplemental Nutrition Assistance Program is “Actual Clearance, ZBA - Same Day Payment.” The Office of Temporary and Disability Assistance (the Office or OTDA) relies upon a third party contractor to ensure the funding technique for the Supplemental Nutrition Assistance Program is met. For the year ended June 30, 2018, the contractor had a Service Organization Control 1 Report (SOC1 report) issued associated with the Electronic Benefit Transfer (EBT) process, including settlement of funds. The report issued had a qualified opinion related to two control objectives. The first control objective was “Controls provide reasonable assurance that logical access to programs, data, and computer resources relevant to user entities’ internal controls over financial reporting is restricted to authorized and appropriate users and such users are restricted to performing authorized and appropriate actions.” The second control objective was “Controls provide reasonable assurance that the settlement of funds to EBT providers is executed timely and accurately.” Management had not ensured there were compensating controls to address the deviations noted or assess the impact to their reliance upon their contractor’s performance of these procedures. Additionally, the Office had not determined whether they had effective Complementary User Entity Controls (CUECs) in place to allow for reliance upon the associated control objectives identified within the SOC1 report. The June 30, 2018 end date of the SOC1 report results in 9 months in which the Office cannot place reliance upon these controls if deemed effective. Lastly, management’s policies and procedures did not address the Office’s requirement to address the CUECs and deficiencies within the SOC1 report. The breakdown in internal controls is due to a change in management responsible for the review of the EBT process and their review not being completed sufficiently to identify the lack of controls in the two control objectives listed above. Further, due to the change, management was not ensuring CUECs at the Office were being performed to ensure reliance upon the control objectives outlined in the SOC1 report if determined to be effective. This relates to a lack of policies and procedures to ensure that a proper review is performed associated with the reliance upon the third party contractor’s procedures and controls. Failure to appropriately review the SOC1 report and assess the impact to reliance upon the third party contractor’s procedures could result in inaccurate reporting of Public Welfare Expenditures in the State’s basic financial statements, and noncompliance with the Treasury State Agreement, program laws, regulations, and terms and conditions of Federal awards. Additionally, failure to ensure management has the appropriate CUECs would result in the SOC1 report being reliable as the services provided by the third party were designed with the assumption the listed controls would be implemented by the user entity. The application of these controls is deemed necessary to achieve the control objectives identified in the report. Observations Risk

Recommendations

We recommend the Office review their policies and procedures to ensure it includes appropriate review of SOC1 reports relied upon for compliance, including ensuring effective CUECs are in place as required by the service organization to achieve the control objectives.