Institutional Federal Compliance Report 2021

STATE OF NEW YORK

Schedule of Findings and Questioned Costs

March 31, 2019

Federal Agency:

United States Department of Agriculture

Federal Program:

SNAP Cluster (10.551 and 10.561)

Federal Award Numbers:

2014IS802644, 2015IS802644, 201616S802644, 201717S802644, and 201818S802644

Federal Award Years:

2015, 2016, 2017, and 2018

State Agency:

Office of Temporary and Disability Assistance

Reference:

2019-007

Criteria Title 7 U.S. Code of Federal Regulations Part 274 (7 CFR 274), Issuance and Use of Program Benefits , section 274.2(a), states each State agency is responsible for the timely and accurate issuance of benefits to certified eligible households, including EBT system compliance with the expedited service benefit delivery standard and the normal application processing standards, as prescribed by these regulations. Additionally, 7 CFR 274.1(d)(1) states any assignment of issuance functions shall clearly delineate the responsibilities of both parties. The State agency remains responsible, regardless of any agreements to the contrary, for ensuring that assigned duties are carried out in accordance with these regulations. In addition, the State agency is strictly liable to FNS for all losses of benefits, even if those losses are the result of the performance of issuance, security, or accountability duties by another party. Lastly, Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200), Uniform Administrative Requirements, Cost Principles, and Audit Requirements , section 200.303(a) states that nonfederal entity must establish and maintain effective internal controls over the Federal award that provides reasonable assurance that the nonfederal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework,” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO Internal Control Integrated Framework – 2013 states that for outsourced service providers “while these external parties execute activities for or on behalf of the organization, management cannot abdicate its responsibility to manage the associated risks. It must implement a program to evaluate those activities performed by others on their behalf to assess the effectiveness of the system of internal control over the activities performed by outsourced service providers.” Condition For the year ended June 30, 2018, the Office of Temporary and Disability Assistance’s (the Office) third-party contractor had a Service Organization Control 1 Report (SOC 1 report) issued associated with the Electronic Benefit Transfer (EBT) process, including settlement of funds. The report issued had a qualified opinion related to two control objectives. The first control objective was: “Controls provide reasonable assurance that logical access to programs, data, and computer resources relevant to user entities’ internal controls over financial reporting is restricted to authorized and appropriate users and such users are restricted to performing authorized and appropriate actions.” The second control objective was: “Controls provide reasonable

23

(Continued)