Institutional Federal Compliance Report 2021

STATE OF NEW YORK

Schedule of Findings and Questioned Costs

March 31, 2019

assurance that the settlement of funds to EBT providers is executed timely and accurately.” Management had not ensured there were compensating controls to address the deviations noted or assess the impact to their reliance upon their contractor’s performance of these procedures. Additionally, the Office had not determined whether they had effective Complementary User Entity Controls (CUECs) in place to allow for reliance upon the associated control objectives identified within the SOC 1 report.

For the year ended July 31, 2019, the report issued had a qualified opinion related to four control objectives, including the two control objectives identified above. The first of the new control objectives associated with the qualified opinion was: “Controls provide reasonable assurance that network infrastructure relevant to users entities’ internal controls over financial reporting is configured as authorized to protect administered systems from unauthorized access.” The second of the new control objectives was: “Controls provide reasonable assurance that application and system processing relevant to user entities’ internal controls over financial reporting are executed in a complete, accurate, and timely manner and deviations, problems, and errors that may affect user entities’ internal controls over financial reporting are identified, tracked, recorded, and resolved in a complete, accurate, and timely manner.”

Management had not ensured there were compensating controls to address the deviations noted or assess the impact to their reliance upon their contractor’s performance of these procedures. Additionally, the Office had not determined whether they had effective CUECs in place to allow for reliance upon the associated control objectives identified within the SOC 1 report. Lastly, management’s policies and procedures did not address the Office’s requirement to address the CUECs and deficiencies within the SOC 1 report.
Cause

The condition is due to a change in management responsible for the review of the EBT process and their review not being completed sufficiently to identify the lack of controls in the four control objectives listed above. Further, due to the change, management was not ensuring CUECs at the Office were being performed to ensure reliance upon the control objectives outlined in the SOC 1 report if determined to be effective. This relates to a lack of policies and procedures to ensure that a proper review is performed associated with the reliance upon the third-party contractor’s procedures and controls.

Possible Asserted Effect

Failure to appropriately review the SOC 1 report and assess the impact to reliance upon the third-party contractor’s procedures could result in noncompliance with the Treasury State Agreement, program laws, regulations, and terms and conditions of Federal awards. Additionally, failure to ensure management has the appropriate CUECs would result in the SOC 1 report being reliable as the services provided by the third party were designed with the assumption the listed controls would be implemented by the user entity. The application of these controls is deemed necessary to achieve the control objectives identified in the report.

Questioned Costs

None

Statistical Sampling

The sample was not intended to be, and was not, a statistically valid sample.

Recommendation

We recommend the Office review its policies and procedures to ensure they include appropriate review of SOC 1 reports relied upon for compliance, including ensuring effective CUECs are in place as required by the service organization to achieve the control objectives.
