Institutional Federal Compliance Report 2021

STATE OF NEW YORK

Schedule of Findings and Questioned Costs

March 31, 2019

Federal Agency:

United States Department of Agriculture

Federal Program:

Special Supplemental Nutrition for Women, Infants and Children (10.557)

Federal Award Numbers:

201817W100644, 201818W100644, 201918W100644, and 201919W100644

Federal Award Years:

2018 and 2019

State Agency:

Department of Health

Reference:

2019-028

Criteria Title 2 U.S. Code of Federal Regulations Part 200 (2 CFR 200), Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Audits , section 200.303(a) states the nonfederal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the nonfederal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. Additionally, 2 CFR 200.514(c)(4) also states when internal control over some or all of the compliance requirements for a major program are likely to be ineffective in preventing or detecting noncompliance, the planning and performing of testing described in paragraph (c)(3) of this section are not required for those compliance requirements. However, the auditor must report a significant deficiency or material weakness in accordance with section 200.516, respectively, assess the related control risk at the maximum, and consider whether additional compliance tests are required because of ineffective internal control. Condition During our testwork, as a result of the deficiencies identified in the general information technology control (GITC) environment over the Department of Health’s (the Department’s) benefit payment application (NYWIC) application, we were unable to perform adequate procedures to satisfy ourselves that allowability and eligibility controls over beneficiary payments within NYWIC were operating effectively. Specifically, the following matters were identified: • The engagement team was unable to obtain systematic evidence to support the timely removal of access from NYWIC for terminated users. • Management did not complete an annual user access review for the period; therefore, the engagement team was unable to test the design and operating effectiveness of the control. • For 3 out of a sample of 15 daily backup/batch jobs selected, evidence was not retained during the period to evidence successful monitoring and completion of the backup jobs. Cause The condition found is due to the Department’s general information technology controls over logical access. Given that the NYWIC system was implemented during the State fiscal year 2018–19, a user access review had not been completed for the period under audit to ensure that all users within the system were appropriate authorized with the appropriate access provisions. Additionally, due to system limitations, management was

80

(Continued)