Unemployment Insurance |
During our audit for fiscal year 2011–12, we reported that information technology controls over logical access and change management for the Accounting and Compliance Enterprise System (ACES) were not properly designed or operating effectively. EDD uses ACES to calculate tax liabilities and process tax payment information and experience ratings for employers. In fiscal year 2012–13, we also found certain information technology controls over logical access and change management within ACES were not properly designed or operating effectively. We found the following: • 23 of 32 terminated employees’ system access was not deactivated timely from ACES or the system’s Active Directory. • 14 of 65 system changes tested were not properly approved prior to implementation. • Six employees had access to approve and promote code changes to the staging environment, which does not promote proper segregation of duties. Failure to maintain adequate information technology controls over logical access and change management could result in inaccurate or incomplete calculations of tax liabilities and processing of tax payment information and experience ratings. |
2011-12 |
The EDD concurs with the recommendation. The EDD will address timely deactivation of terminated employees. The EDD has modified the instructions for the ACES access activation and deactivation request to address the identified deficiencies and is working to modify its Appointment/Separation Checklist (DE 7411) to include a step for notifying the proper unit of user terminations. The EDD ACES reminds managers and external agency single point of contacts quarterly to timely submit a security case or e-mail request whenever a user transfers or separates. The EDD ACES modified the quarterly process to automatically deactivate users with 90 days or more of inactivity to a nightly process in March 2013. In September 2013, ACES began receiving the Monthly Separation Reports from EDD’s Human Resource Services Division in order to deactivate separated employees in a more timely manner. In response to the 14 out of 65 changes not being recorded in the Change Control Board (CCB) meeting minutes, it appears that seven are identified as prior to EDD implementing a process change on August 23, 2012, of recording the reviewed and approved changes in the CCB meeting minutes. Of the remaining seven Solution Request Managers, three were service pack component migrations, and four changes resulted from developers and business analysts errors in labeling the changes such that those changes did not go before the CCB for approval. The EDD will continue to work with its developers and business analysts to ensure changes are properly labeled and all changes requiring CCB approval are properly reviewed. The EDD will work to improve change control for ACES. All code changes made through the Solution Request Manager must go through multiple levels of approval, including the CCB, before being migrated into production. As an added security measure, the software used for the ACES code migration prevents any code changes once it enters the staging environment. Additional steps have been taken to improve documentation of changes approved by the CCB. Notes are added to each item (migration or task) that has been approved by CCB. The CCB meeting minutes contain a record of all migrations or tasks discussed and approved in the CCB, including those that are being pulled back from migration. Segregation of duties is handled systematically as shown above but also procedurally. The EDD has policies in place to address the ability of a lead programmer to approve his/her own code changes. All lead developers have the ability to approve standard changes for their team members. However, the team leads cannot approve their own changes; instead they have to seek approval for their programming changes via their counterpart lead or by the application architects. The application architects and the infrastructure architect will seek approval from each other ensuring that they will not approve their own changes. In addition, the Business Analyst needs to review, test, and approve the migration. Finally, EDD will reevaluate its business practices relating to how employees are deactivated from Active Directory. This evaluation will focus on identifying potential changes in EDD policies, procedures, and systems that will result in terminated employees being deactivated from the system within an acceptable time period. |
59 |
WIA Youth Activities |
During our audit for fiscal year 2011–12, we reported that EDD did not have a process in place to comply with reporting requirements of the Federal Funding Accountability Transparency Act (FFATA) for the WIA Cluster. In fiscal year 2012-13, EDD made a good faith effort to report information for one subrecipient in the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). However, the subrecipient was not yet listed in FSRS. EDD was not aware that it could report information for other subrecipients who were listed within FSRS, and as a result, did not report required information for 39 of 40 subgrants tested. Failure to implement adequate processes and controls over FFATA reporting increases when the subaward information is not reported in accordance with federal requirements. |
2011-12 |
The EDD concurs with the recommendation. The EDD had taken immediate action to correct the original deficiency from the audit for State Fiscal Year 2011-12. The EDD issued Workforce Services Directive 12-11, “FFATA Compensation Data Reporting Requirements,” in January 2013 that provided guidance to federally funded sub-awardees and subcontractors on FFATA reporting requirements. The EDD received confirmation of successful submission of the Program Year (PY) 2011-12 FFATA on September 26, 2013, and of the PY 2012-13 FFATA report on September 30, 2013. The EDD is currently inputting FFATA information for PY 2013-14. The EDD has effectively addressed this finding. |
57 |
WIA Youth Activities |
During our audit for fiscal year 2011–12, we reported that EDD did not have adequate controls to issue management decisions on findings reported in subrecipient OMB Circular A-133 reports within six months after receipt of the audit report. In fiscal year 2012–13, we tested four of 11 audit reports with WIA Cluster findings and found one in which the management decision was not issued within six months of receipt of the subrecipient’s OMB Circular A-133 report. Failure to issue management decisions in a timely manner may result in delays in recovery of questioned costs and proper corrective action. |
2011-12 |
The EDD concurs with the recommendation. The EDD implemented its corrective action plan stated in the auditor’s report issued in March 2013. The incident involving the one management decision letter noted in the current year audit that was issued subsequent to the six-month requirement occurred prior to EDD implementing corrective actions in March 2013. The EDD continues using online automated tools to track the status of management decision letters and send automated alerts to keep the decision process on schedule. |
55 |
WIA Youth Activities |
During our audit for fiscal year 2011–12, we reported that EDD did not properly obtain DUNS numbers from its subrecipients prior to awarding WIA Cluster funds. In response to our finding, EDD implemented policies to obtain DUNS numbers prior to issuing new subgrants. However, in fiscal year 2012–13, our testwork found that EDD did not obtain DUNS numbers prior to issuing 32 of 40 subgrants tested. Failure to obtain the DUNS numbers prior to awarding funds increases the risk that EDD may not properly report subaward information to the federal government. |
2011-12 |
The EDD concurs with the recommendation. The EDD took action to correct the deficiency on February 4, 2013, by revising the Subgrantee Tax Identification form which is sent out for completion with all bilateral (new) subgrant packages to include a request for the DUNS number. The EDD determined that the 32 subgrant awards found to be non-compliant with the DUNS number requirement were funded prior to the February 4, 2013 corrective action implementation date. The EDD also determined that those subgrant awards found compliant were funded after the corrective actions were implemented and the DUNS numbers were obtained from the subrecipients prior to awarding WIA funds. The EDD maintains a complete list of DUNS numbers in the Financial Management Unit share drive and has placed a hard copy of the DUNS numbers list in each funding binder since February 4, 2013. The EDD has effectively addressed this finding. |
56 |
Workforce Investment Act Adult Program |
During our audit for fiscal year 2011–12, we reported that EDD did not have a process in place to comply with reporting requirements of the Federal Funding Accountability Transparency Act (FFATA) for the WIA Cluster. In fiscal year 2012-13, EDD made a good faith effort to report information for one subrecipient in the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). However, the subrecipient was not yet listed in FSRS. EDD was not aware that it could report information for other subrecipients who were listed within FSRS, and as a result, did not report required information for 39 of 40 subgrants tested. Failure to implement adequate processes and controls over FFATA reporting increases when the subaward information is not reported in accordance with federal requirements. |
2011-12 |
The EDD concurs with the recommendation. The EDD had taken immediate action to correct the original deficiency from the audit for State Fiscal Year 2011-12. The EDD issued Workforce Services Directive 12-11, “FFATA Compensation Data Reporting Requirements,” in January 2013 that provided guidance to federally funded sub-awardees and subcontractors on FFATA reporting requirements. The EDD received confirmation of successful submission of the Program Year (PY) 2011-12 FFATA on September 26, 2013, and of the PY 2012-13 FFATA report on September 30, 2013. The EDD is currently inputting FFATA information for PY 2013-14. The EDD has effectively addressed this finding. |
57 |
Workforce Investment Act Adult Program |
During our audit for fiscal year 2011–12, we reported that EDD did not have adequate controls to issue management decisions on findings reported in subrecipient OMB Circular A-133 reports within six months after receipt of the audit report. In fiscal year 2012–13, we tested four of 11 audit reports with WIA Cluster findings and found one in which the management decision was not issued within six months of receipt of the subrecipient’s OMB Circular A-133 report. Failure to issue management decisions in a timely manner may result in delays in recovery of questioned costs and proper corrective action. |
2011-12 |
The EDD concurs with the recommendation. The EDD implemented its corrective action plan stated in the auditor’s report issued in March 2013. The incident involving the one management decision letter noted in the current year audit that was issued subsequent to the six-month requirement occurred prior to EDD implementing corrective actions in March 2013. The EDD continues using online automated tools to track the status of management decision letters and send automated alerts to keep the decision process on schedule. |
55 |
Workforce Investment Act Adult Program |
During our audit for fiscal year 2011–12, we reported that EDD did not properly obtain DUNS numbers from its subrecipients prior to awarding WIA Cluster funds. In response to our finding, EDD implemented policies to obtain DUNS numbers prior to issuing new subgrants. However, in fiscal year 2012–13, our testwork found that EDD did not obtain DUNS numbers prior to issuing 32 of 40 subgrants tested. Failure to obtain the DUNS numbers prior to awarding funds increases the risk that EDD may not properly report subaward information to the federal government. |
2011-12 |
The EDD concurs with the recommendation. The EDD took action to correct the deficiency on February 4, 2013, by revising the Subgrantee Tax Identification form which is sent out for completion with all bilateral (new) subgrant packages to include a request for the DUNS number. The EDD determined that the 32 subgrant awards found to be non-compliant with the DUNS number requirement were funded prior to the February 4, 2013 corrective action implementation date. The EDD also determined that those subgrant awards found compliant were funded after the corrective actions were implemented and the DUNS numbers were obtained from the subrecipients prior to awarding WIA funds. The EDD maintains a complete list of DUNS numbers in the Financial Management Unit share drive and has placed a hard copy of the DUNS numbers list in each funding binder since February 4, 2013. The EDD has effectively addressed this finding. |
56 |
Workforce Investment Act Cluster |
During our audit for fiscal year 2011–12, we reported that EDD did not have a process in place to comply with reporting requirements of the Federal Funding Accountability Transparency Act (FFATA) for the WIA Cluster. In fiscal year 2012-13, EDD made a good faith effort to report information for one subrecipient in the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). However, the subrecipient was not yet listed in FSRS. EDD was not aware that it could report information for other subrecipients who were listed within FSRS, and as a result, did not report required information for 39 of 40 subgrants tested. Failure to implement adequate processes and controls over FFATA reporting increases when the subaward information is not reported in accordance with federal requirements. |
2011-12 |
The EDD concurs with the recommendation. The EDD had taken immediate action to correct the original deficiency from the audit for State Fiscal Year 2011-12. The EDD issued Workforce Services Directive 12-11, “FFATA Compensation Data Reporting Requirements,” in January 2013 that provided guidance to federally funded sub-awardees and subcontractors on FFATA reporting requirements. The EDD received confirmation of successful submission of the Program Year (PY) 2011-12 FFATA on September 26, 2013, and of the PY 2012-13 FFATA report on September 30, 2013. The EDD is currently inputting FFATA information for PY 2013-14. The EDD has effectively addressed this finding. |
57 |
Workforce Investment Act Cluster |
During our audit for fiscal year 2011–12, we reported that EDD did not have adequate controls to issue management decisions on findings reported in subrecipient OMB Circular A-133 reports within six months after receipt of the audit report. In fiscal year 2012–13, we tested four of 11 audit reports with WIA Cluster findings and found one in which the management decision was not issued within six months of receipt of the subrecipient’s OMB Circular A-133 report. Failure to issue management decisions in a timely manner may result in delays in recovery of questioned costs and proper corrective action. |
2011-12 |
The EDD concurs with the recommendation. The EDD implemented its corrective action plan stated in the auditor’s report issued in March 2013. The incident involving the one management decision letter noted in the current year audit that was issued subsequent to the six-month requirement occurred prior to EDD implementing corrective actions in March 2013. The EDD continues using online automated tools to track the status of management decision letters and send automated alerts to keep the decision process on schedule. |
55 |
Workforce Investment Act Cluster |
During our audit for fiscal year 2011–12, we reported that EDD did not properly obtain DUNS numbers from its subrecipients prior to awarding WIA Cluster funds. In response to our finding, EDD implemented policies to obtain DUNS numbers prior to issuing new subgrants. However, in fiscal year 2012–13, our testwork found that EDD did not obtain DUNS numbers prior to issuing 32 of 40 subgrants tested. Failure to obtain the DUNS numbers prior to awarding funds increases the risk that EDD may not properly report subaward information to the federal government. |
2011-12 |
The EDD concurs with the recommendation. The EDD took action to correct the deficiency on February 4, 2013, by revising the Subgrantee Tax Identification form which is sent out for completion with all bilateral (new) subgrant packages to include a request for the DUNS number. The EDD determined that the 32 subgrant awards found to be non-compliant with the DUNS number requirement were funded prior to the February 4, 2013 corrective action implementation date. The EDD also determined that those subgrant awards found compliant were funded after the corrective actions were implemented and the DUNS numbers were obtained from the subrecipients prior to awarding WIA funds. The EDD maintains a complete list of DUNS numbers in the Financial Management Unit share drive and has placed a hard copy of the DUNS numbers list in each funding binder since February 4, 2013. The EDD has effectively addressed this finding. |
56 |