
Single Audit of the Commonwealth of Virginia for the Fiscal Year Ended June 30, 2019

Published by the Social Security Administration, Office of Inspector General on 2020-03-30.


Management Advisory Report

A-77-20-00002 | March 2020

Office of Audit Report Summary

Objective

To report internal control weaknesses, noncompliance issues, and unallowable costs identified in the single audit to the Social Security Administration (SSA) for resolution action.

Background

A single audit is an organization-wide financial statement and Federal awards audit of a non-Federal entity that expends $750,000 or more in Federal funds in 1 year. The audit is intended to assure the Government that a non-Federal entity has adequate internal controls in place and is generally in compliance with program requirements. Non-Federal entities typically include State and local governments, Indian tribes, universities, and nonprofit organizations.

The Virginia Auditor of Public Accounts conducted the single audit of the Commonwealth of Virginia. SSA is responsible for resolving single audit findings related to its disability programs. The Department of Health and Human Resources is the Virginia Disability Determination Services’ parent agency. The Department for Aging and Rehabilitation Services (DARS), within the Department of Health and Human Resources, oversees the Virginia Disability Determination Services, which performs disability determinations for SSA programs.

Findings

DARS did not have documentation that management reviewed the fee schedule used to pay consultative examination providers. Further, DARS did not have documentation that management reviewed consultative examination providers to ensure they were not suspended or debarred from participating in Federal programs. The corrective action outlined plans for training to ensure staff properly documents management reviews.

In addition, the single audit reported DARS did not ensure a third-party service provider who managed and maintained an outsourced information technology system had a secure environment to protect its sensitive and mission-critical data. The corrective action plan indicated DARS will require that third-party service providers annually submit system and organizational control reports.

Recommendations

We recommend SSA confirm DARS:

1. Established appropriate procedures to document required management reviews of consultative examination providers.

2. Implemented reviews of third-party service providers’ system and organizational control reports to ensure protection of sensitive data.

MEMORANDUM


Date:      March 30, 2020                                                            Refer To:

To:        Trae Sommer
           Director
           Audit Liaison Staff
From:      Assistant Inspector General for Audit
Subject:   Single Audit of the Commonwealth of Virginia for the Fiscal Year Ended June 30, 2019
           (A-77-20-00002)

           This report presents the Social Security Administration’s (SSA) portion of the single audit of the
           Commonwealth of Virginia for the Fiscal Year ended June 30, 2019.[1] The Virginia Auditor of
           Public Accounts conducted the audit. Our objective was to report internal control weaknesses,
           noncompliance issues, and unallowable costs identified in the single audit to SSA for resolution
           action.

           BACKGROUND
           A single audit is an organization-wide financial statement and Federal awards audit of a non-
           Federal entity that expends $750,000 or more in Federal funds in 1 year. The audit is intended to
           assure the Government that a non-Federal entity has adequate internal controls in place and is
           generally in compliance with program requirements. Non-Federal entities typically include State
           and local governments, Indian tribes, universities, and nonprofit organizations.

           For single audit purposes, the Office of Management and Budget assigns Federal programs a
           Catalog of Federal Domestic Assistance (CFDA) number. CFDA number 96 identifies SSA’s
           Disability Insurance and Supplemental Security Income programs. SSA is responsible for
           resolving single audit findings reported under this CFDA number.

           The Department of Health and Human Resources is the Virginia Disability Determination
           Services’ parent agency. The Department for Aging and Rehabilitation Services (DARS), within
           the Department of Health and Human Resources, provides and advocates for resources and
           services to improve the employment, quality of life, security, and independence of older
           Virginians, Virginians with disabilities, and their families.




           [1] Virginia Auditor of Public Accounts, Commonwealth of Virginia Single Audit Report for the Year Ended June 30, 2019 (February 7, 2020).

Within DARS, the Virginia Disability Determination Services performs disability determinations
under SSA’s Disability Insurance and Supplemental Security Income programs in accordance
with Federal regulations. SSA reimburses the disability determination services for 100 percent
of allowable costs.

RESULTS
DARS did not have documentation that management reviewed the fee schedule used to pay
consultative examination providers for medical evidence used in performing SSA disability
determinations. Further, DARS did not have documentation that management reviewed
consultative examination providers to ensure they were not suspended or debarred from
participating in Federal programs.[2] As stated in the report, “A lack of review increases the risk
of inaccurate reporting, incorrect payment rates, improper payments and further instances of
noncompliance.” The corrective action outlined plans for staff training to ensure staff properly
documents management reviews. We recommend SSA confirm DARS established appropriate
procedures to document required management reviews of consultative examination providers.

In addition, the single audit reported DARS did not ensure a third-party service provider who
managed and maintained an outsourced information technology (IT) system had a secure
environment to protect its sensitive and mission-critical data.[3] As stated in the report, “Without
gaining assurance over third-party service providers’ IT environments, [DARS] cannot validate
the effectiveness of the third-party’s IT controls. This risks . . . the potential compromise of
sensitive data.”

The corrective action plan indicated DARS will require that third-party service providers
annually submit system and organizational control reports. We recommend SSA confirm DARS
implemented reviews of third-party service providers’ system and organizational control reports
to ensure it protects sensitive data.

The Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal
Awards requires that Federal awarding agencies issue a management decision on findings within
6 months of acceptance of the audit report by the Federal Audit Clearinghouse. The Federal
Audit Clearinghouse accepted the single audit of the Commonwealth of Virginia on
March 10, 2020.




[2] See Footnote 1, finding 2019-107.
[3] See Footnote 1, finding 2019-108.

Please send copies of the final Audit Clearance Document to OIG.Audit.Kansas.City@ssa.gov.
If you have questions, contact OIG.Audit.Kansas.City@ssa.gov.




                                            Rona Lawson

Attachment