Institutional Federal Compliance Report 2021

STATE OF NEW YORK

Schedule of Findings and Questioned Costs

March 31, 2019

Condition In accordance with the State’s Treasury-State Agreement, the funding technique for the Special Supplemental Nutrition for Women, Infants and Children Program (the Program) is “Post-Issuance.” The Department of Health (the Department) relies upon a third-party contractor to ensure the funding technique for the Program is met. The Department also relies upon the third-party contractor reports for completion of the required monthly reporting of actual food expenditures. For the contractor’s year ended June 30, 2018, the contractor had a Service Organization Control 1 Report (SOC 1 report) issued associated with the Electronic Benefit Transfer (EBT) process, including settlement of funds. The report issued had a qualified opinion related to two control objectives. The first control objective was: “Controls provide reasonable assurance that logical access to programs, data, and computer resources relevant to user entities’ internal controls over financial reporting is restricted to authorized and appropriate users and such users are restricted to performing authorized and appropriate actions.” The second control objective was: “Controls provide reasonable assurance that the settlement of funds to WIC retailers is executed timely and accurately.” Management had not ensured there were compensating controls to address the deviations noted or assess the impact to their reliance upon its contractor’s performance of these procedures. Additionally, the Department had not determined whether they had effective Complementary User Entity Controls (CUECs) in place to allow for reliance upon the associated control objectives identified within the SOC 1 report. The June 30, 2018 end date of the SOC 1 report results in nine months in which the Department cannot place reliance upon these controls if deemed effective. Lastly, management’s policies and procedures did not address the Departments’ requirement to address the CUECs and deficiencies within the SOC 1 report. Cause The condition is due to the Department’s lack of policies and internal controls over the review of the EBT process. Further, the lack of policies and internal controls was not ensuring CUECs at the Department were being performed to ensure reliance upon the control objectives outlined in the contractors SOC 1 report of the third party vendor if determined to be effective. Possible Asserted Effect Failure to appropriately review the contractor’s SOC 1 report and assess the impact to reliance upon the third party contractor’s procedures could result in noncompliance with the Treasury State Agreement, program laws, regulations, and terms and conditions of Federal awards. Additionally, failure to ensure management has the appropriate CUECs would result in the contractor’s SOC 1 report being reliable as the services provided by the third party were designed with the assumption the listed controls would be implemented by the user entity. The application of these controls is deemed necessary to achieve the control objectives identified in the report. Questioned Costs Cannot be determined Statistical Sampling The sample was not intended to be, and was not, a statistically valid sample.

78

(Continued)