Recurring Findings

Public Health: Recurring Significant Internal Control Deficiencies
Federal Program | Issue | First Year Reported | Department's Assertion | Page Number
Federal Program: WIC (Supplemental Nutrition Program)

Issue: During our audit for fiscal year 2012–13, we reported the information technology (IT) controls over logical access for the Integrated Statewide Information System (ISIS) were not properly designed and implemented. In fiscal year 2013–14, we also found certain IT controls over logical access were not properly designed and implemented. Public Health utilizes ISIS to determine eligibility for WIC participants as well as to monitor and report issuance and redemption of food vouchers. IT general controls should be properly designed and operating effectively to help ensure application controls function properly. Specifically, we identified the following:
• Public Health granted an unapproved level of access to two of 25 users tested.
• Public Health did not properly terminate access to ISIS for 10 of the 377 individuals with access to ISIS that had been terminated and, therefore, should no longer have access to the system.
• Public Health did not formally document the annual user access review. Additionally, this review does not include a review of users’ key roles and permissions.

First Year Reported: 2012-13

Department's Assertion: Public Health concurs with the findings. Public Health/WIC Division will issue a policy and procedure memo to reiterate existing instructions to WIC local agency contractors regarding the responsibilities of the local agencies to ensure ISIS user account security. These instructions will include the appropriate level of access to ISIS, removal of ISIS access to staff who have changed jobs or are no longer employed with the local agency, creation of reports to identify ISIS users for monthly reconciliation, and refreshing of instructions for ISIS password requirements. In addition, Public Health/WIC Division will update its semi-annual reporting template to require local agency contractors to verify that they have reviewed ISIS access and that access has been removed for terminated staff. Public Health/WIC Division will review monthly ISIS reports and verify that state staff identified still engage in activities that require ISIS access as part of their essential functions. Public Health/WIC will incorporate ISIS access verification as part of the exit process for terminated state employees. Public Health/WIC will also participate in the annual user account review by verifying state staff’s key roles and permissions with Public Health/WIC management in order to ensure appropriate levels of access.

Page Number: 22

Federal Program: HIV Care Formula Grants

Issue: During our fiscal year 2012-13 audit, we reported that Public Health did not have adequate controls over subawards. Public Health did not properly communicate the Catalog of Federal Domestic Assistance (CFDA) title and number for the nine subrecipients tested. Public Health is in the process of notifying subrecipients of the CFDA title and number, but again did not communicate this information during fiscal year 2013-14. Failure to properly communicate award information increases the risk that subrecipients may inappropriately spend federal funds or fail to comply with federal regulations, including OMB Circular A-133 audit requirements. Public Health passed through $23.8 million to subrecipients during fiscal year 2013-14.

First Year Reported: N/A

Department's Assertion: Public Health agrees with the recommendation for State Fiscal Year 2013-14 and will immediately implement policies and procedures to communicate the CFDA title and number to subrecipients. Public Health will immediately communicate the CFDA number and title via email and Management Memo issued to subrecipients and is processing amended contracts with an effective date of April 1, 2015, which is in State Fiscal Year 2014-15. Public Health will display the CFDA title and number on the amended contract scopes of work and have notified OA contract processing staff that inclusion of the CFDA number and title is standard practice. Public Health is amending contracts with an effective date of April 1, 2015 and thereafter to display the CFDA number and title in the scope of work. Public Health did fail to implement part of its corrective action plan. The steps taken by Public Health were:
1. CDPH did not immediately communicate CFDA number and title through informal written communication, but is doing so now;
2. immediately revised Public Health contract policies and procedures to include the CFDA number and title in the scope of work; and,
3. developed a formal implementation plan that was initiated through Management Memos and review of Contracts Management Unit subject memo and contract amendments.
Public Health was unable to change existing contracts in place during State Fiscal Year 2013-14 due to time needed to amend contracts. However, Public Health took the above steps to implement the corrective action plan that resulted in contract amendments for State Fiscal Year 2014-15, which have an effective start date of April 1, 2015.

Page Number: 78