State Audit Uncovers Issues: Auditor General

By Daniel H. Trafford, Legislative Press Bureau

STATE HOUSE — The annual Single Audit of the State of Rhode Island for the fiscal year ending June 30, 2017 resulted in 79 findings and recommendations related to many of the state’s key financial operations and the administration of federal programs.

The auditors reported multiple instances of material noncompliance with federal program requirements which largely stemmed from the ineffective operation of the RIBridges computer system. That system is used to administer multiple human service programs such as Medicaid, the Supplemental Nutrition Assistance Program (SNAP) and the Temporary Assistance for Needy Families Program (TANF).

The Single Audit Report, prepared by Auditor General Dennis E. Hoyle, was released today by the Joint Committee on Legislative Services. The Single Audit Report is required by both state and federal law as a condition of continued federal assistance. (The state’s fiscal 2017 audited financial statements were available in January).

The State’s fiscal 2017 expenditures of federal awards totaled $4.9 billion (including component units) under a wide variety of more than 450 individual programs. Federal assistance consists of both direct cash and noncash awards (e.g., loan guarantee programs and donated food and vaccines). Many programs are jointly financed with federal and state funding.

Of the findings reported by the auditors, 43 relate to federal programs and 36 to the state’s controls over financial reporting and information technology.

Financial Statement related findings — the auditors again reported that the State lacks a strategic plan to (1) coordinate needed replacements/enhancements to its key statewide financial systems and (2) ensure that critical legacy financial systems, such as the payroll system, which pose a business continuity risk, will be available to support State operations. Without a comprehensive plan, there is substantial risk that the intended integration of various components may not be achieved. The auditors reported that the State has already experienced such integration issues and halted work on a time and effort reporting system due to an inability to integrate with other state systems. $2 million was expended on that project to date — $1.1 million to the software vendor and $900,000 for internally allocated personnel costs.

The complexity of Medicaid program operations adds to the challenge of accurately accounting for all Medicaid program related financial activity within the State’s financial statements. Program changes relating to Affordable Care Act (ACA) provisions, complications relating to the state’s implementation of RIBridges, and various state initiatives that have changed how services are delivered and providers are reimbursed have added to the program’s financial complexity and weakened overall controls over program operations.

The auditors recommended further segregating duties within the Office of the General Treasurer, enhancing statewide accounting controls over receivables and assigning responsibility for monitoring the investment activity and other compliance aspects of funds on deposit with a fiscal agent (trustee) to the Office of the General Treasurer.

Overall, the auditors noted that the state has not sufficiently addressed information technology (IT) security risks, an increasing concern given the state’s complex computing environment. The auditors found that software updates were not installed timely for the RIFANS accounting system which resulted in increased security risk and uncorrected software functionality issues identified by the software developer.

The state needs to ensure its IT security policies and procedures are current, well communicated and complied with. Assessments of compliance for all critical IT applications have not been performed — systems deemed to pose the most significant operational risk must be prioritized. The auditors reported that the state did not perform tests of its disaster recovery plan during fiscal years 2015, 2016 and 2017. Testing ensures that all mission critical systems can be restored should a disaster disable or suspend operations.

The state does not follow uniform enterprise-wide program change control procedures for the various IT applications operating within state government. This increases the risk that unauthorized or inappropriate changes could be made to IT applications without detection.

Implementation of a new Taxation IT system (STAARS) presented issues impacting financial reporting due to processing timeframes for tax returns held in suspense which complicated financial reporting estimates due to the uncertain effect of returns that had not fully processed at June 30, 2017.

The auditors recommended that control procedures be improved to accumulate the data needed to disclose tax abatement agreements and taxes foregone because of those agreements by deriving such information from the Division of Taxation’s STAARS system. Such disclosures were newly required in the fiscal 2017 financial statements.

The Division of Taxation can enhance policies and operating procedures to restrict access to personally identifiable information and to ensure the effectiveness of the business continuity plan. Critical Division of Taxation back-up data files are not stored off-site — a recommended disaster recovery best practice.

The Department of Transportation’s (RIDOT) use of multiple systems to meet its operational and financial reporting objectives results in unnecessary complexity and control weaknesses since these systems were never designed to share data.

Federal Program Findings - the auditors reported significant compliance challenges for its largest human service programs related to the RIBridges integrated eligibility system implementation. The auditors’ findings reflect RIBridges functionality and its impact on the State’s compliance during fiscal 2017.

Due to the limited operation and effectiveness of eligibility controls for Medicaid and the Children’s Health Insurance Program (CHIP) during fiscal 2017, the auditors found that the State did not comply with the Medicaid and CHIP program eligibility requirements – specifically those requiring annual redeterminations for recipient eligibility and the validation of key eligibility data elements through the use of electronic interfaces designed within RIBridges.

Data discrepancies continue to exist between the systems used to determine Medicaid and CHIP eligibility (RIBridges) and the claims/capitation payment system (MMIS). As of June 30, 2017, the MMIS reported 16,000 recipients more than RIBridges. The auditors reported that this resulted in duplicate capitation payments being made to managed care organizations.

The effectiveness of the Medicaid Eligibility Quality Control (MEQC) program is diminished by RIBridges functional limitations. A significant volume of systemic issues identified by MEQC processes are pending corrective action in RIBridges.

Delays in the enrollment of Medicaid eligible newborns within RIBridges resulted in significant and related delays in provider claims adjudication and payments to managed care organizations (MCOs). The Executive Office of Health and Human Services (EOHHS) advanced $6.5 million to MCOs covering newborns at June 30, 2017 whose eligibility was still pending. The MCOs were due capitation of approximately $12.4 million at June 30, 2017 for coverage provided to newborns since birth — $6.5 million in advance payments were made for such amounts.

In many instances, particularly for Medicaid applicants requiring long-term care services and supports, the state is not complying with timely determination of eligibility requirements. These delays in determining eligibility required advances to long-term care service providers. EOHHS made advances totaling $12.5 million to nursing home providers between September 2016 and January 2017 for patients with pending Medicaid eligibility. These advances were federally reimbursed but were questioned by the auditors because eligibility had not been established. Additional nursing home advances of approximately $48 million were made during fiscal 2017 but have not been federally reimbursed pending eligibility confirmation. The nursing home advances remain outstanding.

EOHHS lacks strong oversight procedures regarding fiscal monitoring and contract settlement for its managed care organizations (MCOs) – the auditors recommended more stringent audit and financial monitoring procedures be employed.

The auditors found that, due to the limited operation and effectiveness of RIBridges, the state did not comply with TANF eligibility requirements during fiscal 2017. Further, the state did not comply with the Income Eligibility and Verification System requirements upon implementation of RIBridges.

Implementation of RIBridges also affected the availability and reliability of data needed to prepare timely and accurate federal reports. Employment and career advisors were not prompted to update/develop new work participation plans for clients upon the expiration of an existing plan.

For SNAP, the auditors reported that RIBridges does not currently meet all the functional requirements of an automated data processing system as outlined in federal SNAP regulations. The system is also not producing reports to allow daily reconciliation of electronic benefits authorized and disbursed and to ensure accurate and timely completion of other federal reports for the SNAP program.

For the Child Care Assistance Program, the auditors found that RIBridges lacked effective income validation controls during fiscal 2017 which impacted program eligibility determinations and the amount of required parent cost-sharing amounts. RIBridges was not consistently calculating correct cost-sharing amounts for both parents and providers, which required supplemental payments to childcare providers. Financial reports were not filed during fiscal year 2017 for the Child Care and Development Fund (CCDF) Cluster Program.

The auditors recommended that the Department of Human Services (DHS) improve controls to ensure compliance with the period of performance requirement for the Low Income Home Energy Assistance Program and to improve related federal reporting for such requirements. Approximately $3 million of program expenditures were applied to grant awards that may have lapsed due to not spending or obligating awarded amounts within the required timeframes.

For the Community Development Block Grant, the auditors recommended the Office of Housing and Community Development improve its monitoring of subrecipients and enhance procedures to comply with cash management and reporting requirements.

Unemployment Insurance — The Department of Labor and Training did not make the necessary changes to its system to allow for the imposition of penalties on overpayments due to fraud, and to prohibit relief from charges to an employer’s Unemployment Compensation account when the overpayment was the result of the employer’s failure to respond timely or adequately to a request for information.

The auditors recommended that RIDOT should further enhance its quality assurance program to ensure that required materials tests are performed and documented consistent with Highway Planning and Construction program requirements and RIDOT policy.

Management’s response and planned corrective actions are included within the Single Audit Report. A Summary Schedule of Prior Audit Findings, which reports the status of findings from prior audits, is also included.

The State’s Single Audit Report was submitted to a federal clearinghouse for such reports — this data is then made available to all federal funding agencies. The Single Audit Report and related Audit Summary are available on the Auditor General’s website – www.oag.ri.gov